New 'Rombertik' malware destroys computer if detected

By on
New 'Rombertik' malware destroys computer if detected
One of the phishing emails that propagates the Rombertik virus [source: Cisco]

While detection scanning malware is nothing new, Cisco researchers have identified a new malware sample that takes its detection evasion features one step further than the average malware.

Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post

This malware spreads through spam and phishing messages sent to possible victims.

In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.

One of the phishing emails that propagates the Rombertik virus [source: Cisco]

At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality.

Then, again, it will check to make sure it isn't being analysed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.

To make actual analysis even more difficult, in the unpacked Rombertik sample used by Cisco more than 97 percent of the packed file dedicated to useless files, including 75 images and more than 8,000 functions that are never used.

Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.

All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.

Although the malware may beat one detection system it's unlikely to detect or avoid them all, he said, making layered defense an important method to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.

This article originally appeared at scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:

Most Read Articles

You must be a registered member of CRN to post a comment.
| Register

Poll

What's your reaction to Microsoft shifting Azure prices into $US?
Upset that we'll pay more
We'll manage it, but wish prices were consistent
Not a problem - we already purchase in $US
We'll move to other clouds
View poll archive

Log In

Username / Email:
Password:
  |  Forgot your password?