A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims.
The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window. It is being spread through spam and phishing messages, according to Cisco’s Talos Group blog on Monday.
Talos’ goal is to protect our customer’s networks. Reverse engineering Rombertik helps Talos achieve that goal by better understanding how attackers are evolving to evade detection and make analysis difficult. Identifying these techniques gives Talos new insight and knowledge that can be communicated to Cisco’s product teams. This knowledge can then be used to harden our security products to ensure these anti-analysis techniques are ineffective and allow detection technologies to accurately identify malware to protect customers.
Rombertik has been identified to propagate via spam and phishing messages sent to would-be victims. Like previous spam and phishing campaigns Talos has discussed, attackers use social engineering tactics to entice users to download, unzip, and open the attachments that ultimately result in the user’s compromise.
While this file may appears to be some sort of PDF from the icon or thumbnail, the file actually is a .SCR screensaver executable file that contains Rombertik. Once the user double clicks to open the file, Rombertik will begin the process of compromising the system.
Rombertik goes through several checks once it is up and running on a Windows computer to see if it has been detected.
That behavior is not unusual for some types of malware, but Rombertik “is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” wrote Ben Baker and Alex Chiu of the Talos Group.
Once loaded into the system, Rombertik first runs a series of anti-analysis checks to determine if it is running within a sandbox.
In case it isn’t running within the sandbox, Rombertik decrypts and installs itself on the victim's machine, which then allows the malware to launch a second copy of itself and overwrite the second copy with the malware's core spying functionality.
After completing this process and before begins spying on users, Rombertik runs a final check to make sure it is not being analyzed in memory. In case it finds any indication of being analyzed, the spyware attempts to destroy the master boot record (MBR) of the vulnerable computer.
Rombertik then restarts the machine, and because now the MBR is missing from the hard drive, the victim’s computer will go into an endless restart loop.
MBR is the first sector of a computer’s hard drive that the system looks for before loading the operating system. However, deleting or destroying MBR involves re-installing of operating system, which means valuable data is lost.
In cases where the malware is under the microscope of security experts or any rival malware author, Rombertik will self-destruct itself, taking the contents of a victim's hard drive along with it.
Security researchers reverse-engineered the malware and found that Rombertik contains volumes of "garbage code" that have to be analyzed. The researchers were able to capture a small sample and found that…
...the unpacked Rombertik sample was 28KB in size while the packed version is 1264KB, including 75 images and 8,000 functions that are never used.
Rombertik other Tricks involve:
Moreover, Rombertik keeps itself in sandboxes by writing a random byte of data to memory 960 million times in an effort to overwhelm analysis tools that try to detect malware by logging system activity.
"If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes," researchers explained in a blog post.
"Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates the analysis."
Wiper malware was used against South Korean banks and TV broadcasters in 2013 as well as against Sony Pictures Entertainment last year, which marked history in a massive data breach.
Also last year, the German Aerospace Centre was targeted by a self-destructive malware in an espionage attack, believed to be conducted by China.
The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window. It is being spread through spam and phishing messages, according to Cisco’s Talos Group blog on Monday.
Talos’ goal is to protect our customer’s networks. Reverse engineering Rombertik helps Talos achieve that goal by better understanding how attackers are evolving to evade detection and make analysis difficult. Identifying these techniques gives Talos new insight and knowledge that can be communicated to Cisco’s product teams. This knowledge can then be used to harden our security products to ensure these anti-analysis techniques are ineffective and allow detection technologies to accurately identify malware to protect customers.
Rombertik has been identified to propagate via spam and phishing messages sent to would-be victims. Like previous spam and phishing campaigns Talos has discussed, attackers use social engineering tactics to entice users to download, unzip, and open the attachments that ultimately result in the user’s compromise.
While this file may appears to be some sort of PDF from the icon or thumbnail, the file actually is a .SCR screensaver executable file that contains Rombertik. Once the user double clicks to open the file, Rombertik will begin the process of compromising the system.
Rombertik goes through several checks once it is up and running on a Windows computer to see if it has been detected.
That behavior is not unusual for some types of malware, but Rombertik “is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” wrote Ben Baker and Alex Chiu of the Talos Group.
Once loaded into the system, Rombertik first runs a series of anti-analysis checks to determine if it is running within a sandbox.
In case it isn’t running within the sandbox, Rombertik decrypts and installs itself on the victim's machine, which then allows the malware to launch a second copy of itself and overwrite the second copy with the malware's core spying functionality.
After completing this process and before begins spying on users, Rombertik runs a final check to make sure it is not being analyzed in memory. In case it finds any indication of being analyzed, the spyware attempts to destroy the master boot record (MBR) of the vulnerable computer.
Rombertik then restarts the machine, and because now the MBR is missing from the hard drive, the victim’s computer will go into an endless restart loop.
MBR is the first sector of a computer’s hard drive that the system looks for before loading the operating system. However, deleting or destroying MBR involves re-installing of operating system, which means valuable data is lost.
In cases where the malware is under the microscope of security experts or any rival malware author, Rombertik will self-destruct itself, taking the contents of a victim's hard drive along with it.
Security researchers reverse-engineered the malware and found that Rombertik contains volumes of "garbage code" that have to be analyzed. The researchers were able to capture a small sample and found that…
...the unpacked Rombertik sample was 28KB in size while the packed version is 1264KB, including 75 images and 8,000 functions that are never used.
Rombertik other Tricks involve:
Moreover, Rombertik keeps itself in sandboxes by writing a random byte of data to memory 960 million times in an effort to overwhelm analysis tools that try to detect malware by logging system activity.
"If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes," researchers explained in a blog post.
"Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates the analysis."
Data wiping and Self-destructing malware:
Data wiping and self-destructing malware are not new. In last three years, we have seen a hike in malware evasion capabilities.Wiper malware was used against South Korean banks and TV broadcasters in 2013 as well as against Sony Pictures Entertainment last year, which marked history in a massive data breach.
Also last year, the German Aerospace Centre was targeted by a self-destructive malware in an espionage attack, believed to be conducted by China.
Post a Comment