I came across an interesting piece of malware today that completely confused me, The behavior of the script was similar to your standard malware, it dropped executables all over the hard drive in an effort to make itself persistent, but the dropper itself had a cleanup function that deleted itself and overwrote itself so it couldn’t be forensically recovered.
I re-ran it in a virtual environment while watching its actions and it was definitely a hard coded behavior, and worked on both Windows and Linux! Even a dynamic analysis of the malware deleted itself during analysis so I knew that the call had to be the very last thing the file did. Unfortunately, the attacker that wrote the code did too well with that particular section so I wasn’t able to figure out how it was implemented, but I came up with some theories using Python.
The Python code for deleting a file or directory are given in this StackOverflow answer.
Basically you get the file path using
__file__ and you can delete it using a number of techniques.
os.remove() will remove the file.
os.rmdir() will remove an empty directory.
shutil.rmtree() will delete a directory and its contents.
The windows command
cipher will overwrite the deleted data in a volume/directory. The only potential downside here is that the
cipher command tends to take a long time to overwrite the data for large directories.
This whole process is trivial on Linux, even if the script only has user access.
Again, you get the file path using
__file__ and you can delete it using
shred. The options for
-f forces a permission change,
-u removes the file after writing, and
-z backfills the empty memory space with zeroes.
While I’m sure the script I came across today used far more advanced methods to hide its tracks, the options I showed above seem like easy ways to cover your tracks.