Rombertik's disk wiping mechanism is aimed at pirates, not researchers


Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Rombertik, the information-stealing malware that was recently analyzed by Cisco researchers and which apparently tries to prevent researchers from doing so by rewriting the computer's Master Boot Record, is actually a newer version of an underground crimeware kit known as Carbon FormGrabber (or Carbon Grabber), Symantec researchers have found.

They also believe that the destructive action performed by the Trojan is not aimed against researchers, but "naive cheapskates who may be trying to use this software for free."

"Legitimate software vendors often add protection mechanisms that prevent the software from being used without a license, but that’s usually the extent of the 'damage' caused to digital pirates. In the cybercrime world, things are a bit more cut throat," researcher Dumitru Stama explained.

"The destructive functionality is not something that regular customers of Carbon Grabber have access to. Instead, this code is set up to only spring its trap if the Trojan detects that a user is trying to tamper with its code to make it do something it wasn't licensed to do."

Carbon Grabber is a general info-stealer Trojan with backdoor capabilities, and criminals who bought it and licensed it receive a custom-built version that has a single C&C server address (provided by them) embedded in the code.

Other criminals who somehow managed to get their hands on a random copy of the malware had to change this address in order to collect the information exfiltrated by the malware, and this is what the aforementioned destructive mechanism aims to prevent.

This would definitely explain the message shown on the trashed computer after the wiping process is executed:

[Image: rombertik-18052015.jpg]

Read more: http://www.net-security.org/malware_news.php?id=3040
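The post describes a payload that rewrites the Master Boot Record when its embedded C&C address is tampered with. From the defender's side, the practical counterpart is keeping a baseline of the first sector and checking it for the signs of such an overwrite (missing 0x55AA boot signature, emptied partition table, changed hash). The following is an added example written for this thread, not code from the article, from Cisco or Symantec, or from the malware analysis; it parses a 512-byte MBR from a raw image or block device, and the sample MBR bytes and the zero-filled "wiped" sector are constructed here for the demo.

```python
"""Baseline-and-verify check for a disk's Master Boot Record (first 512 bytes).

Added example for illustration; the sample sectors built below are constructed,
not captured from a real infection.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature status."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0x00 means the slot is unused
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def snapshot(mbr: bytes) -> str:
    """Baseline value to store while the machine is known-good."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing (sector overwritten or wiped)")
    if not info["partitions"]:
        findings.append("partition table empty")
    if hashlib.sha256(mbr).hexdigest() != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    return findings


def read_mbr(path: str) -> bytes:
    """Read the first sector of a raw image or block device (e.g. /dev/sda, needs privileges)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed known-good sector: dummy boot code, one bootable type-0x07 partition."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed stand-in for an overwritten first sector (all zeros)."""
    return b"\x00" * MBR_SIZE


if __name__ == "__main__":
    baseline = snapshot(build_sample_mbr())
    print("known-good:", check_mbr(build_sample_mbr(), baseline) or "OK")
    print("wiped:", check_mbr(build_wiped_mbr(), baseline))
```

In practice the baseline hash is taken once from a trusted state and kept off the host; a check that reports a missing boot signature or an empty partition table after a tamper event is the forensic signal that the first sector was rewritten, regardless of what the wiper put there.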