Why Malware Installers Use TMP files and The Temp folder when infecting Windows

Ever wonder why so many TMP files are detected on an infected system? Even when they have different names, the files are exact copies of one another. Why?

The first thing a malware installer (first stage of infection) does when executed on a target system – be it a dropper or downloader – is to install a copy of the malware and its components into their corresponding locations in the system. Some popular locations include:

  • C:\Windows
  • C:\Program Files
  • C:\Users\<username>\AppData\Roaming\Microsoft

However, there are instances wherein the installation of the malware becomes corrupted or incomplete due to the target system’s current state at the time of infection. The target system may have a slow connection, causing a malware downloader to incompletely download the malware and its components. In the case of a malware dropper, a busy system may corrupt the files, causing the malware to function improperly. Another instance that may cause corruption is when the target system is shut down or rebooted by the user before the malware has installed completely. Most users, when they believe their system has a malware infection, react by shutting down. “Unplug it, now!!!”, if it’s a server or desktop, or “Remove the battery, now!!!”, if it’s a laptop and you have the capability to remove the battery (most modern laptops no longer allow battery removal). The idea is that immediately shutting down the system in the middle of an infection process will thwart the attack.

Attackers are smart. They know this and have made it one of their use cases when creating new malware installer technologies that avoid any kind of corruption during installation. Their solution? Utilize TMP files and the Microsoft Windows Temp folder.

Utilizing TMP Files
The attacker’s main goal is to either fully install uncorrupted malware and its components or not install at all.

This is done with atomic writes. In the context of programming, atomic denotes something that cannot be split apart (of course, in physics, atoms can be split).

To better understand this, an example is in order. Below is a simple piece of code that writes something to a file.

[Image: code listing, echo_image1]

This write operation is not atomic, because the file being created, Malware.EXE, can be located in more than one sector of the disk, and these sectors can be part of different NT File System (NTFS) clusters. Think disk fragmentation. Corruption occurs when one sector is written with the intended data while the other sector, or sectors, are not, possibly because of an interruption or machine shutdown. When the machine reboots, the failed write operation will not be recovered. This is true with most file systems, especially NTFS and Windows 95 File Allocation Table (FAT), regardless of the operating system.

The solution is to apply an atomic write operation. Remember, the malware author’s goal is to install or write the malware in the intended location completely with no corruption, or not install at all. In a file system, metadata changes such as a rename are atomic. So, instead of doing the file write on the intended location, the write is performed to a temporary file. After the write is done and verified as complete on disk, the old file (temp file) is interchanged with the new file (the installed malware in the intended location).
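The write-to-temp-then-rename pattern described above, shown as an added example that is not code from the original article or from the MSDN post it cites. The file name `app.bin`, the `write_atomic` helper and its `interrupt` flag are assumptions for illustration, and the staging directory is assumed to be on the same volume as the destination, since a rename is only atomic within one volume. It shows why an interrupted update leaves the destination intact and one orphaned, uniquely named .tmp file per failed attempt.

```python
import os
import tempfile
import uuid


def write_atomic(dest, data, staging_dir, interrupt=False):
    """Write data to dest via a uniquely named temp file and a rename.

    interrupt=True simulates a crash or power loss after the temp file is
    written but before the rename (hypothetical flag, for illustration only).
    """
    tmp_path = os.path.join(staging_dir, uuid.uuid4().hex + ".tmp")
    with open(tmp_path, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())      # force the bytes to disk before renaming
    if interrupt:
        return tmp_path            # orphaned temp file; dest was never touched
    os.replace(tmp_path, dest)     # metadata-only swap, atomic on one volume
    return None


def demo():
    """Return (dest contents after two interrupted updates, orphan names, final contents)."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "app.bin")   # constructed sample file
        write_atomic(dest, b"version-1", root)
        write_atomic(dest, b"version-2", root, interrupt=True)
        write_atomic(dest, b"version-2", root, interrupt=True)
        with open(dest, "rb") as fh:
            after_crash = fh.read()
        orphans = sorted(n for n in os.listdir(root) if n.endswith(".tmp"))
        write_atomic(dest, b"version-2", root)  # retry completes normally
        with open(dest, "rb") as fh:
            final = fh.read()
        return after_crash, orphans, final


if __name__ == "__main__":
    print(demo())
```
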

To better understand this, let’s look at the sequence below, based on Microsoft’s MSDN blog but rewritten to fit our malware example.

Write Process (on Malware.EXE)

[Image: write process steps, writeprocess1_image2]

Take note that in these steps, the location of each file was not added. It should be clear that the TMP and Alternate file are in the Temp folder with the new Malware.EXE ultimately in the intended location.

The steps above are the malware writer’s first attempt to solve corruption during installation. This is not perfect, as corruption can still happen during a process crash, machine shutdown, or reboot. This results in a bunch of malware TMP files in the Temp folder and corrupted malware installed. In a perfect scenario, the malware is installed and all the TMP files are deleted, together with the malware installer.

To solve this, recovery-from-crash precautions may be added. Again, the sequence below is from Microsoft’s MSDN blog, rewritten to fit our malware example.

If the malware installer has the capability to run by making itself persistent, even after a failed installation, it can do the following steps as a recovery-from-crash precaution.

Recovery from a crash during write (on Malware.EXE)

[Image: crash recovery steps, recovery_image3]

Even with crash recovery capability, the above steps are still not perfect, especially if an endpoint solution happens to be running a scheduled scan on the system during the write operation. Endpoint solutions can access and open the files being used, even for a short period of time, causing failure in step 7 of the Write operation or steps 1 and 3 of the recovery operation – even if the malware is new or undetected. These operations fail because the endpoint solution has an open handle to the file. It is much like the times you want to eject an external drive, but cannot because a program is using a file located on that drive.

The fix for this is to use unique temporary file names.

Write Process (on Malware.EXE)

[Image: write process steps with unique temporary file names, writeprocess2_image4]

Recovery from a crash during write (on Malware.EXE)

[Image: crash recovery steps with unique temporary file names, recovery2_image5]

These are the steps most malware installers use when installing malware. The result is fully installed malware with no corruption.

As with all software, there are always things that can go wrong, and you will know it because the target system ends up with a bunch of randomly named malicious TMP files that are exact copies of each other. Remember, most malware installers delete themselves and these TMP files after successful installation.
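The leftover pattern described above (differently named TMP files with identical content) can be checked for directly during triage. The following is an added example, not part of the original article: it groups .tmp files that start with the PE "MZ" magic by SHA-256 and reports any hash present under two or more names. The function names, the `min_copies` threshold and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_if_pe(path):
    """Return the SHA-256 of path if it starts with the PE 'MZ' magic, else None."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            if fh.read(2) != b"MZ":
                return None
            digest.update(b"MZ")
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None  # locked or unreadable; skip rather than abort the sweep
    return digest.hexdigest()


def duplicate_tmp_executables(temp_dir, min_copies=2):
    """Map SHA-256 -> sorted names for PE-like *.tmp files seen min_copies+ times."""
    groups = defaultdict(list)
    for entry in os.scandir(temp_dir):
        if entry.is_file() and entry.name.lower().endswith(".tmp"):
            digest = sha256_if_pe(entry.path)
            if digest:
                groups[digest].append(entry.name)
    return {h: sorted(n) for h, n in groups.items() if len(n) >= min_copies}


def demo():
    """Run the sweep over a constructed directory (no real PE files involved)."""
    stub = b"MZ" + b"\x00" * 64  # constructed bytes, only the magic is realistic
    samples = {
        "a1b2c3.tmp": stub, "d4e5f6.tmp": stub, "0718ab.tmp": stub,
        "other.tmp": b"MZ" + b"\x01" * 64,   # PE-like but unique
        "cache.tmp": b"plain text scratch",   # not PE-like
        "setup.exe": stub,                    # wrong extension, ignored
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return duplicate_tmp_executables(d)
```

On a live system the same function can be pointed at `tempfile.gettempdir()`; a hit is a lead for further analysis rather than a verdict, since legitimate installers also stage executables as temporary files.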

The use of TMP files for atomicity is an advantage attackers currently enjoy. They could have done this operation in any folder of the system, but they choose to use the standard Windows Temp folder. Let’s explore why.

Utilizing the Windows Temp Folder
There are several advantages to using the Temp folder. In some systems, the Temp folder is located on a RAMDISK. This makes write operations and file manipulations significantly faster compared to the usual disk file system.

Another advantage is that Temp folders have Read-Write access for the current logged-in user, solving any file system permission errors when the malware installer attempts to install the malware in a target location without proper permission. The Temp folder is typically used as a staging point once the malware installer or the malware itself has escalated privileges.

The OS also offers an advantage of cleaning up incomplete writes of temporary files in the Temp folder so, in the case of malware installation failure, the OS takes care of removing any traces of the files, preventing any part of the malware or a corrupted version of its main executable from being collected by analysts and researchers.

There you have it, the reason malware installers utilize TMP files and the Windows Temp folder during malware infection.