@mempodippy
Last active January 8, 2017 17:53
Small bash script designed to be run from a livecd environment. It mounts a potentially infected system disk, copies any library named in its /etc/ld.so.preload to a temporary directory on the livecd for analysis, and then removes ld.so.preload. Only the preload list is removed; the library file itself stays on the disk until you delete it.
#!/bin/bash
# preload_kill: from a livecd, mount a suspect root partition, save every library
# listed in its /etc/ld.so.preload for later analysis, then delete that file.
# Only the preload list is removed; the library itself remains on the disk.

usage ()
{
    echo "preload_kill - simple bash script designed for 'livecd' environments."
    echo "Removes the ld.so.preload file on infected systems."
    echo "Usage: $0 <device name of infected system root disk>"
    echo "The partition should have /etc/ present on it."
    echo "Example: $0 sda1"
    exit 1
}

unmount_tmp_dir ()
{
    # rmdir only removes an empty directory, so a failed umount can never turn
    # this into an rm -rf over the still-mounted disk.
    umount "$MOUNT_DIR" && rmdir "$MOUNT_DIR"
}

[ -z "$1" ] && { usage; }
[ "$(id -u)" -eq 0 ] || { echo "Mounting a disk requires root."; exit 1; }
DEVICE_NAME="/dev/$1"
[ ! -b "$DEVICE_NAME" ] && { echo "Disk $1 does not exist."; usage; }
echo "Disk exists. Mounting."
MOUNT_DIR="$(mktemp -d)"
# nosuid,nodev,noexec: nothing on the suspect disk should be runnable from the livecd.
mount -o nosuid,nodev,noexec "$DEVICE_NAME" "$MOUNT_DIR" || { echo "Mount failed."; rmdir "$MOUNT_DIR"; exit 1; }
MOUNT_ETC="$MOUNT_DIR/etc"
[ ! -f "$MOUNT_ETC/ld.so.preload" ] && { echo "Couldn't find ld.so.preload on the target disk. Exiting."; unmount_tmp_dir; exit; }
echo "Found ld.so.preload. Checking file contents."
# ld.so.preload is a whitespace-separated list of absolute paths; check every entry, not just one.
CONTENTS="$(cat "$MOUNT_ETC/ld.so.preload")"
for LIB in $CONTENTS; do
    if [ -f "$MOUNT_DIR/$LIB" ]; then
        LIBRARY_STORAGE="${LIBRARY_STORAGE:-$(mktemp -d)}"
        echo "/ NOTIFICATION \\"
        echo "Potentially malicious preloaded library $LIB found. Copying to $LIBRARY_STORAGE."
        cp -p "$MOUNT_DIR/$LIB" "$LIBRARY_STORAGE/"   # -p keeps ownership and timestamps for the analyst
        echo "Potentially malicious library copied to $LIBRARY_STORAGE for future analysis."
        echo "That directory lives on the livecd's (often RAM-backed) /tmp; copy it somewhere persistent before rebooting."
        echo "\\ NOTIFICATION /"
    fi
done
echo "Removing ld.so.preload from target disk."
chattr -ia "$MOUNT_ETC/ld.so.preload" &>/dev/null   # rootkits commonly set the immutable/append-only bits
rm -f "$MOUNT_ETC/ld.so.preload" || { echo "Could not remove ld.so.preload."; unmount_tmp_dir; exit 1; }
echo "ld.so.preload removed."
unmount_tmp_dir
echo "The preload hook should now be gone. The library file itself is still on the disk; delete it once you have analysed the saved copy."
echo "If you're seeing these messages and you now know you were infected,"
echo "you should patch any entry points the attacker exploited to gain access to your box."
echo "The malware may be gone, but that doesn't stop them from coming back the same way they did before."
echo "Goodbye!"
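The script above reads ld.so.preload as if it held one path. glibc's loader actually accepts several entries separated by whitespace or ':' and strips '#' comments, and an analyst usually wants the preload file itself plus hashes of every library, not just a bare copy. The following is an added example, not code from the gist: it parses the file the way ld.so does and preserves each listed library under a storage directory that mirrors the original paths. The `preload_entries` and `collect_preloads` function names and the demonstration input at the bottom are constructed for this example.

```shell
#!/bin/bash
# Added example (not part of the gist): parse ld.so.preload the way glibc's
# ld.so does and preserve every listed library, with a hash manifest, under a
# storage directory that mirrors the original paths.

# Print the entries of the ld.so.preload file given as $1, one per line.
# glibc separates entries with whitespace or ':' and ignores everything
# from '#' to the end of the line.
preload_entries() {
    sed -e 's/#.*$//' "$1" | tr -s ' \t:' '\n\n\n' | sed -e '/^$/d'
}

# collect_preloads ROOT STORAGE
# ROOT is the mount point of the suspect root partition, STORAGE a directory
# on the livecd. Copies ROOT/etc/ld.so.preload and each library it names
# (rebased under ROOT, keeping its path) into STORAGE, appends sha256 lines
# to STORAGE/SHA256SUMS, and prints how many libraries were saved.
# Returns 1 if ROOT has no ld.so.preload at all.
collect_preloads() {
    local root="$1" storage="$2" preload="$1/etc/ld.so.preload"
    local entry src dst n=0
    [ -f "$preload" ] || { echo 0; return 1; }
    mkdir -p "$storage"
    cp -p "$preload" "$storage/ld.so.preload"
    # Entries cannot contain whitespace (it is the separator), so word
    # splitting the parser output is safe here.
    for entry in $(preload_entries "$preload"); do
        src="$root/${entry#/}"          # /lib/x.so -> ROOT/lib/x.so
        dst="$storage/${entry#/}"
        if [ -f "$src" ]; then
            mkdir -p "$(dirname "$dst")"
            cp -p "$src" "$dst"         # -p keeps timestamps and ownership as evidence
            if command -v sha256sum >/dev/null 2>&1; then
                sha256sum "$dst" >> "$storage/SHA256SUMS"
            fi
            n=$((n + 1))
        else
            # A listed path with no file behind it still matters: either the
            # loader was failing or the dropper cleaned up after itself.
            echo "listed but missing on disk: $entry" >&2
        fi
    done
    echo "$n"
}

# Constructed demonstration input (a fake root tree, not a real infection):
# two libraries present, one listed but missing, one comment line.
demo_root=$(mktemp -d); demo_store=$(mktemp -d)
mkdir -p "$demo_root/etc" "$demo_root/lib" "$demo_root/usr/lib"
printf '# dropped by the intruder\n/lib/libevil.so:/usr/lib/libother.so /lib/gone.so\n' \
    > "$demo_root/etc/ld.so.preload"
printf 'fake' > "$demo_root/lib/libevil.so"
printf 'fake' > "$demo_root/usr/lib/libother.so"
echo "saved $(collect_preloads "$demo_root" "$demo_store") libraries to $demo_store"
rm -rf "$demo_root" "$demo_store"
```

On a real livecd you would call `collect_preloads "$MOUNT_DIR" "$LIBRARY_STORAGE"` before removing the preload file, then move the storage directory off the livecd's /tmp before rebooting.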