Monthly Archives: February 2014

Easy BASH for making data difficult to recover without damaging your filesystem.

There are many programs designed specifically to recover lost data, even when a file has been “deleted” from a user's hard drive. This is not difficult to do, because when a file is “deleted,” all that happens is that the pointer to a specific block of data is removed. Removing the pointer is instantaneous; removing the data block is not. Once the pointer is gone, however, the filesystem allows the data block to be overwritten. This means that files you meant to delete are sometimes still recoverable months after they were removed from your computer. Most modern recovery programs reverse this process by looking at the headers of data blocks and determining what type of file resides there.

If you are paranoid about your security like I am, you may ask yourself how to prevent this. One way is to use software that overwrites the data block with random patterns of data several times; obviously, the more passes, the harder it is for the original data ever to be recovered. Another method, which works on a much larger scale, is to create so much write activity on the disk that the original data will almost always be corrupted.

This script does just that: it generates a specified number of temporary files and then deletes them, overwriting the equivalent amount of data stored at those locations.

[code language="bash"]
#!/bin/bash
# Ask how much free space to overwrite and where to put the temporary files.
read -p "How much space do you want to overwrite? [MB] " space
read -p "Enter a valid directory path [example: /home/user/]: " directory

# Build one long line of random digits (~40 KB). 50 copies of it make a
# ~2 MB file, so every temporary file accounts for about 2 MB of the request.
i=0
template=""
while [ "$i" -lt 8500 ]; do
    template+=$RANDOM
    (( i = i+1 ))
done

overwrites=$(( space / 2 ))
i=0
while [ "$i" -lt "$overwrites" ]; do
    clear
    echo "$(( i + 1 ))/$overwrites overwrites ~$(( 2*i )) MB"
    (( i = i+1 ))
    j=0
    while [ "$j" -lt 50 ]; do
        (( j = j+1 ))
        echo "$template" >> "$directory/$i-temp"
    done
done

# Flush the written data to disk before deleting it. A file removed while its
# data is still only in the page cache may never reach the physical blocks.
sync

i=0
while [ "$i" -lt "$overwrites" ]; do
    (( i = i+1 ))
    rm "$directory/$i-temp"
done
[/code]
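The same idea as a reusable function, written here as an added example rather than the script from the post above. It differs from the post's script in two ways a practitioner would care about: the filler comes from /dev/urandom instead of $RANDOM (which yields only 15 bits per call, printed as compressible decimal digits), and the files are flushed with sync before they are deleted, because the kernel may simply discard the dirty pages of a file that is unlinked before they have been written out. The function name `fill_free_space`, the `wipe-N.tmp` file names and the 1 MiB chunk size are my own choices, not anything from the post.

```bash
#!/bin/bash
# Added example (not the original post's script). Fill free space under DIR
# with MB mebibytes of random data, flush it to disk, then delete the files.
# Prints the number of MiB actually written; returns 1 on bad arguments.
fill_free_space() {
    local dir="$1" mb="$2" i written=0
    # DIR must exist and MB must be a positive integer
    [ -d "$dir" ] && [ "$mb" -gt 0 ] 2>/dev/null || return 1

    for ((i = 1; i <= mb; i++)); do
        # one 1 MiB file per iteration (bs given in bytes for portability);
        # stop early if the disk fills up (dd exits non-zero on ENOSPC)
        dd if=/dev/urandom of="$dir/wipe-$i.tmp" bs=1048576 count=1 2>/dev/null || break
        written=$((written + 1))
    done

    # Force the dirty pages onto the disk before unlinking. Without this the
    # files could be removed while still cached and never touch the old blocks.
    sync

    rm -f "$dir"/wipe-*.tmp
    echo "$written"
}

# Usage: fill_free_space /home/user 512   (writes and removes ~512 MiB)
```

Like the post's script, this only scrubs blocks the filesystem happens to hand out again; on SSDs with wear levelling, or on copy-on-write filesystems, the old copies can stay untouched, so it reduces the chance of recovery rather than guaranteeing anything.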

Still, if you want to guarantee the permanent deletion of your data, Thermite is the way to go.

~Jamin Becker


Quick & Easy Malware Discovery/Submission

In this quick project I decided that the goal would be to automate the downloading of malware and submitting samples to VirusTotal that aren’t currently in VirusTotal. I decided that to gather the malware I would use Maltrieve.

From the GitHub page: “Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources as listed at a number of sites, including Malc0de, Malware Black List, Malware Domain List, Malware Patrol, Sacour.cn, VX Vault, URLquery, and CleanMX.” I would like to thank for taking the time to build this out.

To upload samples to VirusTotal, I utilized a script written by @it4sec. It can be found at http://ondailybasis.com/blog/wp-content/uploads/2012/12/yaps.py_.txt. All I had to do was add my API key to the script and tell it what directory my samples were in. At that point, it handles checking if the sample is already in the VirusTotal data set and, if it isn't, it will upload it. It even keeps track of everything in a log file for future reference.

I added a cron job that runs Maltrieve at the top of every hour and another cron job that runs yaps.py 30 minutes after. This essentially allows me to pull down new samples every hour and do my part in uploading new samples to VirusTotal.
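The check-then-submit step and the hourly schedule described in the two paragraphs above, as an added shell example; this is not yaps.py and not Maltrieve's code. It keeps a local log keyed on each sample's SHA-256 so that a cron run never re-submits a file it has already handled, asks VirusTotal's v2 `file/report` endpoint whether the hash is known, and uploads through `file/scan` only when it is not. The function names, the `/var/malware` paths, the `VT_API_KEY` and `VT_DELAY` variables and the crontab lines are my own assumptions.

```bash
#!/bin/bash
# Added example (not the yaps.py script the post uses). Submit every sample
# under a directory that has not been handled before, keyed on SHA-256, and
# record the outcome in a log so an hourly cron run never re-sends a file.
# Assumes: VirusTotal v2 API key in $VT_API_KEY; curl and sha256sum/shasum.
#
# Constructed crontab lines for the schedule described in the post
# (Maltrieve at the top of the hour, submission 30 minutes later):
#   0  * * * *  /usr/local/bin/maltrieve -d /var/malware/samples
#   30 * * * *  /usr/local/bin/submit_samples.sh /var/malware/samples /var/malware/submitted.log

# SHA-256 of a file, with a fallback for systems that ship shasum instead.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Ask VirusTotal whether the hash is known; upload the file if it is not.
# Prints "known" or "uploaded". response_code 1 means VT already has it.
submit_sample() {
    local file="$1" sha="$2" code
    code=$(curl -s -G 'https://www.virustotal.com/vtapi/v2/file/report' \
                --data-urlencode "apikey=$VT_API_KEY" \
                --data-urlencode "resource=$sha" \
           | grep -o '"response_code": *[-0-9]*' | grep -o '[-0-9]*$')
    if [ "$code" = "1" ]; then
        echo known
    else
        curl -s -F "apikey=$VT_API_KEY" -F "file=@$file" \
             'https://www.virustotal.com/vtapi/v2/file/scan' >/dev/null
        echo uploaded
    fi
}

# Walk DIR, skip hashes already present in LOG, submit the rest and append
# "sha256 status filename" lines. Prints the number of newly handled files.
process_samples() {
    local dir="$1" log="$2" file sha status count=0
    touch "$log"
    for file in "$dir"/*; do
        [ -f "$file" ] || continue
        sha=$(sha256_of "$file")
        # first field of each log line is the dedup key
        if cut -d' ' -f1 "$log" | grep -qx "$sha"; then
            continue
        fi
        status=$(submit_sample "$file" "$sha")
        printf '%s %s %s\n' "$sha" "$status" "$(basename "$file")" >> "$log"
        count=$((count + 1))
        # public v2 keys were limited to 4 requests a minute; VT_DELAY=0 to skip
        sleep "${VT_DELAY:-15}"
    done
    echo "$count"
}

# Usage: process_samples /var/malware/samples /var/malware/submitted.log
```

Because the log is appended, not rewritten, an interrupted run loses nothing already recorded, and the same log can be grepped later for every hash marked `uploaded` to see which samples this host contributed.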

Analysis:
So far I’ve pulled down 7,424 malware samples using Maltrieve over the last few days. Of those 7,424 samples, ~1400 have never been seen by VirusTotal. I’ve found different variants of malware such as Zeus and Asprox, and lots of malicious iframe injections on web pages. I’m actually surprised at the number of unique samples being uploaded; I was expecting someone to be doing this exact same process and uploading samples sooner than I can.

The next step of the project is to get malware uploaded automatically to Malwr.com to generate sandboxing of the samples. I look forward to expanding this out and hopefully receiving some input on what direction this should/could go.

– Max Rogers
