- Jan 24, 2011
The game of cat-and-mouse between malware authors and security white hats may have entered a new phase this week, thanks to an aggressive new malware system that doesn’t just attempt to obfuscate its own operation — it aggressively scans for clues that others are monitoring its actions. If it detects that it’s operating within a Virtual Machine, the malware, dubbed Rombertik, will go nuclear and attempt to overwrite the master boot record of the local hard drive.
Cisco’s Talos threat research team has detailed the operation of Rombertik, and the malware’s obfuscation and anti-analysis behaviour are unusual. Once installed, it’s a fairly standard data sniffer that grabs indiscriminately from the information available on an infected PC. What sets Rombertik apart is the way it checks to see if it’s running in a VM-provided sandbox, and the actions it takes if it finds itself in such a mode.
The infographic above breaks down how the malware works and what it does. Rombertik contains a great deal of material designed to make it look genuine; Cisco estimates that 97% of the packed file is devoted to images and functions that are never used by the actual malware. Once it starts running, the executable kicks off by writing a random byte to memory 960 million times. This does nothing useful for the malware itself, but it burns through a sandbox’s analysis window without calling Sleep (which sandboxes commonly skip), and any tool tracing every instruction of the malware’s activity would be flooded with 100GB+ of logs.
Having completed this task, Rombertik makes some specific invalid function calls to check for particular errors (it’s looking for an error that a VM might typically suppress). Once it decides that it isn’t running within a sandbox, the malware starts unpacking itself. The code is deliberately obfuscated with dozens of functions, jumps, and unnecessary (but obfuscating) bloat.
This complexity map shows the anti-analysis code on the right and the executable on the left. While the anti-analysis code might look more daunting, it’s actually a relatively simple flowchart with a huge number of iterations. The left-hand graph, in contrast, is a mess of function blocks, checks, and hundreds of nodes, all meant to prevent analysts from reading what’s been written.
At the end of this process, Rombertik computes a 32-bit hash of a resource in memory and compares it to a value stored in the unpacked sample; if the two don’t match, which it treats as evidence that it is being analysed or has been tampered with, it immediately declares war against the Master Boot Record of your hard drive. If it can’t access and overwrite the MBR (for example, because it lacks the privileges to open the physical disk), it falls back to encrypting all files within the C:\Documents and Settings\Administrator folder using a random RC4 key. If it can get its hands on the MBR, it overwrites the partition table with null bytes, making it extremely difficult to boot or restore the drive without a backup of the original sector.
Read more: http://www.extremetech.com/computin...are-attacks-hard-drives-wipes-mbr-if-detected
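Since the destructive payload described above is a null-byte overwrite of the MBR partition table, the check a responder most wants is a quick way to tell an intact first sector from a wiped one. The following is an added example written for this post, not code from Cisco, ExtremeTech or the malware itself: it parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA boot signature) and classifies the sector. The sample sectors are constructed in the script; the device path handling for `/dev/sda` or `\\.\PhysicalDrive0` is an assumption about where you would point it on a real host.

```python
"""Classify a 512-byte MBR sector as intact or wiped in the way Rombertik is
reported to wipe it (partition table overwritten with null bytes).

Example code written for this post; not Cisco's, ExtremeTech's or the
malware's own code.  All sample sectors below are constructed by hand.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries: bytes 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"        # 0xAA55 stored little-endian
ENTRY_FMT = "<B3xB3xII"             # status, CHS start(skip), type, CHS end(skip), LBA, count


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int                    # 0x07 NTFS/exFAT, 0x83 Linux, 0x00 unused, ...
    lba_start: int
    sector_count: int

    @property
    def is_empty(self) -> bool:
        return self.type_id == 0 and self.lba_start == 0 and self.sector_count == 0


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four partition entries of an MBR sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError(f"need {SECTOR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, off)
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def classify_mbr(sector: bytes) -> str:
    """Return 'intact', 'partition_table_zeroed', 'no_boot_signature' or 'malformed'."""
    if sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] != BOOT_SIGNATURE:
        return "no_boot_signature"           # not a valid MBR at all
    table = sector[PARTITION_TABLE_OFFSET:BOOT_SIGNATURE_OFFSET]
    if table == bytes(len(table)):
        return "partition_table_zeroed"      # signature kept, all four entries nulled
    for i, entry in enumerate(parse_partition_table(sector)):
        status = sector[PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE]
        if status not in (0x00, 0x80):       # only "inactive" and "bootable" are legal
            return "malformed"
        if not entry.is_empty and entry.sector_count == 0:
            return "malformed"
    return "intact"


def build_sample_mbr(entries: List[Tuple[int, int, int, int]],
                     boot_code: bytes = b"", signature: bool = True) -> bytes:
    """Construct a sector for testing (not a real disk image)."""
    assert len(boot_code) <= PARTITION_TABLE_OFFSET
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE,
                         status, ptype, lba, count)
    if signature:
        sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] = BOOT_SIGNATURE
    return bytes(sector)


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a raw device or disk image (assumed path, needs privileges)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed samples: one bootable NTFS partition at LBA 2048, and a sector whose
# boot code is a two-byte hang loop (jmp $) with the partition table nulled.
HEALTHY_MBR = build_sample_mbr([(0x80, 0x07, 2048, 1_000_000)], boot_code=b"\xeb\x63\x90")
WIPED_MBR = build_sample_mbr([], boot_code=b"\xeb\xfe")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], classify_mbr(read_first_sector(sys.argv[1])))
    else:
        for name, sector in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
            print(name, classify_mbr(sector), parse_partition_table(sector)[0])
```

On a live host the only trustworthy way to recover from the zeroed state is a saved copy of the original sector (or re-creating the partition table from the filesystem headers with a tool such as TestDisk), so the practical use of a check like this is in a baseline: hash sector 0 of each disk while it is known good and compare on demand.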