The game of cat-and-mouse between malware authors and security white hats may have entered a new phase this week, thanks to an aggressive new malware system that doesn’t just attempt to obfuscate its own operation — it aggressively scans for clues that others are monitoring its actions. If it detects that it’s operating within a Virtual Machine, the malware, dubbed Rombertik, will go nuclear and attempt to overwrite the master boot record of the local hard drive.
Cisco’s threat response team has detailed the operation of Rombertik, and the malware’s obfuscation and attack vectors are unique. Once installed, it’s a fairly standard data sniffer that grabs indiscriminately from the information available on an infected PC. What sets Rombertik apart is the way it checks to see if it’s running in a VM-provided sandbox, and the actions it takes if it finds itself in such a mode.
The infographic above breaks down how the malware works and what it does. Rombertik contains a great deal of information designed to make it look genuine; Cisco estimates that 97% of the packed file is devoted to images and functions that are never used by the actual malware. Once it starts running, the executable kicks off by writing 960 million random bytes to memory. This serves no useful function, but it does ensure that any application attempting to trace the malware’s activity would be flooded with 100GB+ log files.
Having completed this task, Rombertik makes some specific invalid function calls to check for particular errors (it’s looking for an error that a VM might typically suppress). Once it decides that it isn’t running within a sandbox, the malware starts unpacking itself. The code is deliberately obfuscated with dozens of functions, jumps, and unnecessary (but obfuscating) bloat.
This complexity map shows the anti-analysis code on the right and the executable on the left. While the anti-analysis code might look more daunting, it’s actually a relatively simple flowchart with a huge number of iterations. The left-hand graph, in contrast, is a mess of function blocks, checks, and hundreds of nodes — all meant to prevent analysts from reading what’s been written.
At the end of this process, Rombertik computes a 32-bit hash, compares it to an unpacked sample and, if it detects that it’s running in a VM, immediately declares war against the Master Boot Record of your hard drive. If it can’t access and overwrite the MBR, it encrypts all files within the C:\Documents and Settings\Administrator folder using an RC4 key. If it can get its hands on the MBR, it overwrites the partition data with null bytes, making it extremely difficult to restore the drive.
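A forensic check for the damage described above, a master boot record whose partition data has been overwritten with null bytes, as an added example; it is not code from the article or from Cisco's report, and the two sample boot sectors it examines are constructed here.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR

def parse_partition_table(sector: bytes) -> list:
    """Decode the four classic MBR partition entries (status, type, LBA start, size)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + 16 * i
        # layout: status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0 or lba_start != 0 or sectors != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries

def assess_mbr(sector: bytes) -> dict:
    """Classify a boot sector as intact, wiped (partition table is all null bytes) or damaged."""
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    table_bytes = sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64]
    partitions = parse_partition_table(sector)
    if not any(table_bytes):
        verdict = "wiped"        # every partition entry zeroed: nothing left to boot from
    elif signature_ok:
        verdict = "intact"
    else:
        verdict = "damaged"      # partition data present but the 0x55AA signature is gone
    return {"verdict": verdict, "signature_ok": signature_ok, "partitions": partitions}

def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS-type partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:4] = b"\x33\xc0\x8e\xd0"  # a few plausible boot-code bytes (constructed)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

def build_wiped_mbr() -> bytes:
    """Constructed sample: the same sector after the partition data is nulled."""
    return bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, sector in (("healthy", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        print(name, assess_mbr(sector))
```

On a live system the same check can be run against a forensic image or a stored copy of sector 0, which is also the copy you need to restore from; a wiped table yields no partitions to rebuild from on its own.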
So who wrote Rombertik?
What’s odd about Rombertik is that it combines elements of classic malware — a poorly written initial phishing attempt and bog-standard data capture from browser sessions — with some absolutely first-rate anti-detection methods and a hell of a right hook if caught. The authors of Rombertik have gone to enormous lengths to ensure the virus arrives on-target and can perform its actions. But this is the kind of obfuscation technique we’d expect to see in products from state actors — if not our own government, then someone else’s.
No one is talking about any sort of government initiative attached to Rombertik. In a way, that’s actually more worrying — a trojan this complex would be worrying enough if it had been designed by state actors, but these techniques becoming mainstream is almost worse. Cisco’s blog post has more details on the malware and its functions — give it a read if you want to peek inside one of the most impressive malware projects to date.