The [not so] Invisible Recycled Malware

In this modern age of GUIs, one-click-shopping, dragging-n-dropping and all things eye-candy, I still hang onto my trusty console window for sanity — and with good reason.

Microsoft Windows Explorer might make things look nice and easy to do, yet its trickery is often well utilised by malware authors. Take for example your typical SillyFDC worm. During installation one of the places it will copy itself to is the Recycle bin; now most anti-virus products will happily detect it there, however if you’re hunting for an active infection you may be surprised to find the Recycle bin devoid of malware (despite it being there)!

Explorer Trickery at Work

Command prompt to the rescue – as can be seen above, navigating to the Recycle bin using the command prompt allows us to see all the files (in this case, a copy of Notepad.exe) which Explorer flatly denies the existence of.

Some of the tools we use to analyse malware are GUIs and some are still old-school CLIs for exactly this reason. Some things are much clearer and faster done by using the console and stand less chance of trickery for the masses.