Status
Not open for further replies.

Jack

Administrator
Verified
Staff member
The game of cat-and-mouse between malware authors and security white hats may have entered a new phase this week, thanks to an aggressive new malware system that doesn’t just attempt to obfuscate its own operation — it aggressively scans for clues that others are monitoring its actions. If it detects that it’s operating within a Virtual Machine, the malware, dubbed Rombertik, will go nuclear and attempt to overwrite the master boot record of the local hard drive.

Cisco’s threat response team has detailed the operation of Rombertik, and the malware’s obfuscation and attack vectors are unique. Once installed, it’s a fairly standard data sniffer that grabs indiscriminately from the information available on an infected PC. What sets Rombertik apart is the way it checks to see if it’s running in a VM-provided sandbox, and the actions it takes if it finds itself in such a mode.




The infograph above breaks down how the malware works and what it does. Rombertik contains a great deal of information designed to make it look genuine; Cisco estimates that 97% of the packed file is devoted to images and functions that are never used by the actual malware. Once it starts running, the executable kicks off by writing 960 million random bytes to memory. This serves no useful function, but it does ensure that any application attempting to trace the malware’s activity would be flooded by 100GB+ log files.

Having completed this task, Rombertik makes some specific invalid function calls to check for particular errors (it’s looking for an error that a VM might typically suppress). Once it decides that it isn’t running within a sandbox, the malware starts unpacking itself. The code is deliberately obfuscated with dozens of functions, jumps, and unnecessary (but obfuscating) bloat.



This complexity map shows the anti-analysis code on the right, the executable on the left. While the anti-analysis code might look more daunting, it’s actually a relatively simple flowchart with a huge number of iterations. The left hand graph, in contrast, is a mess of function blocks, checks, and hundreds of nodes — all meant to prevent analysts from reading what’s been written.

At the end of this process, Rombertik computes a 32-bit hash, compares it to an unpacked sample and, if it detects that it’s running in a VM, immediately declares war against the Master Boot Record of your hard drive. If it can’t access and overwrite the MBR, it encrypts all files within the C:\Documents and Settings\Administrator folder using an RC4 key. If it can get its hands on the MBR, it overwrites the partition data with null bytes, making it extremely difficult to restore the drive.

Read more: http://www.extremetech.com/computin...are-attacks-hard-drives-wipes-mbr-if-detected
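The post above says the wipe leaves the partition data as null bytes, which is something a defender can check for. The following is an added example, not code from the article, from Cisco or from ExtremeTech: a small Python integrity check that parses the 512-byte MBR, verifies the 0x55AA boot signature, looks for an all-zero partition table, and compares the sector's SHA-256 against a baseline recorded while the machine was known good. The sample sectors are constructed in the script so it runs offline; reading the real sector 0 from a disk device is left as a comment.

```python
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries end at offset 510
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_partition_table(sector: bytes) -> List[Dict]:
    """Parse the four classic MBR partition entries (status, type, LBA start, size)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        raw = sector[off:off + PARTITION_ENTRY_SIZE]
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def assess_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> Dict:
    """Return integrity findings for one MBR sector.

    Flags the symptoms of the wipe described in the thread: a missing boot
    signature, a partition table that has been zeroed, and (when a baseline
    hash is supplied) any change at all to the sector.
    """
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    table = parse_partition_table(sector)
    if all(e["type"] == 0 and e["sectors"] == 0 for e in table):
        findings.append("partition table is empty (all entries zeroed)")
    digest = hashlib.sha256(sector).hexdigest()
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("MBR hash differs from recorded baseline")
    return {
        "sha256": digest,
        "partitions": [e for e in table if e["type"] != 0],
        "findings": findings,
        "healthy": not findings,
    }


def build_sample_mbr(wiped: bool = False) -> bytes:
    """Constructed test sector (not real disk data): one bootable NTFS
    partition of type 0x07 starting at LBA 2048, or an all-zero wiped sector."""
    sector = bytearray(SECTOR_SIZE)
    if not wiped:
        entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
        sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = assess_mbr(good)["sha256"]   # record this while the host is known good
    # On a live host you would instead read the first 512 bytes of the disk
    # device (e.g. \\.\PhysicalDrive0 on Windows, /dev/sda on Linux) as root.
    for label, sector in (("healthy", good), ("wiped", build_sample_mbr(wiped=True))):
        report = assess_mbr(sector, baseline)
        print(label, "healthy" if report["healthy"] else report["findings"])
```

The baseline hash is the useful part operationally: a legitimate bootloader update also changes the sector, so a hash mismatch is a prompt to look, while a missing signature or zeroed table is the unambiguous sign of a wipe.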
 

Tony Cole

Level 27
How on earth would one protect against such dangerous malware? We will probably get info from work, as a nurse nearly opened a ransomware email last year; I believe she received additional IT training.
 

Tony Cole

Level 27
The problem is, as described by Mikko Hypponen: malware writers are making millions, and now have the ability to hire programmers that can sit all day with antivirus software and test their code, trying to find ways to circumvent it. The internet was once a place of beauty, now a place of immense danger.
 

hjlbx

How on earth would one protect against such dangerous malware? We will probably get info from work, as a nurse nearly opened a ransomware email last year; I believe she received additional IT training.
Installer is a packed executable.

Kaspersky anti-executable configuration will block it from installing.

If installed, Kaspersky Application Control will assign it to either Untrusted (blocked from running) or High Restricted (most function/system resource accesses blocked).

You're protected...
 

Tony Cole

Level 27
This is not a small download; its payload is just under 1GB? I didn't know Kaspersky had anti-executable technology.
 

hjlbx

This is not a small download; its payload is just under 1GB? I didn't know Kaspersky had anti-executable technology.
You configure Kaspersky's anti-executable by disabling "Trust files that are digitally signed" and "Load application rules from KSN" and "Send Unknown files to Untrusted zone." With these settings it should treat any and all files as Unknown and block them...
 

Tony Cole

Level 27
From my reading(s) of several articles no virtual software will stop it, so this one's deadly. I don't understand how on earth someone would click an email link, then think why is it taking 30 minutes to download. Surely 1GB you would notice!
 

Tony Cole

Level 27
I found this:

While this file may appear to be some sort of PDF from the icon or thumbnail, the file actually is a .SCR screensaver executable file that contains Rombertik. Once the user double clicks to open the file, Rombertik will begin the process of compromising the system.

The process by which Rombertik compromises the target system is fairly complex, with anti-analysis checks in place to prevent static and dynamic analysis. Upon execution, Rombertik will stall and then run through a first set of anti-analysis checks to see if it is running within a sandbox. Once these checks are complete, Rombertik will proceed to decrypt and install itself on the victim's computer to maintain persistence. After installation, it will then launch a second copy of itself and overwrite the second copy with the malware's core functionality. Before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analyzed in memory. If this check fails, Rombertik will attempt to destroy the Master Boot Record and restart the computer to render it unusable. The graphic below illustrates the process.
 
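The post above quotes the delivery detail: a file with a PDF icon that is really a .SCR executable. That mismatch is mechanically checkable at the mail gateway or on the endpoint, and the following is an added Python example (not code from this thread, from Cisco or from ExtremeTech) showing how. It judges an attachment by two things the icon cannot hide: the file's final extension (with double extensions such as invoice.pdf.scr treated as a masquerade) and its leading bytes (a PE executable always starts with "MZ", a PDF with "%PDF"). The attachment names and byte samples are constructed for the demonstration.

```python
import os
from typing import Dict, List, Tuple

# Leading bytes that reveal the real file type regardless of name or icon.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
}
# Extensions Windows runs on double-click; .scr (screensaver) is the one in the thread.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
# Extensions users read as "just a document".
DOCUMENT_HINTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def sniff_type(head: bytes) -> str:
    """Classify a file from its first bytes; 'unknown' if no magic matches."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"


def assess_attachment(filename: str, head: bytes) -> Dict:
    """Return a verdict for one attachment from its name and leading bytes."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_exts = {"." + p for p in parts[1:-1]}   # extensions hidden before the last one
    actual = sniff_type(head)
    reasons: List[str] = []
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"final extension {final_ext} is directly executable")
    if final_ext in EXECUTABLE_EXTS and inner_exts & DOCUMENT_HINTS:
        reasons.append("double extension masquerading as a document")
    if actual == "pe-executable" and final_ext not in EXECUTABLE_EXTS:
        reasons.append(f"content is a PE executable but extension is {final_ext or '(none)'}")
    return {
        "filename": filename,
        "declared": final_ext,
        "actual": actual,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_attachments(samples: List[Tuple[str, bytes]]) -> List[str]:
    """Return the names of attachments that should be held for review."""
    return [v["filename"] for v in (assess_attachment(n, h) for n, h in samples) if v["suspicious"]]


# Constructed samples (not real malware): a PE stub dressed as a PDF screensaver,
# a genuine PDF header, and a PE stub given a plain .pdf name.
SAMPLES = [
    ("Invoice_2015.pdf.scr", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("scan.pdf", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        verdict = assess_attachment(name, head)
        print(name, "HOLD" if verdict["suspicious"] else "ok", verdict["reasons"])
```

Reading only the first few bytes is deliberate: the thread notes the packed file is almost entirely padding, so a check that depends on the whole file would be slow for no gain, while the "MZ" header is present no matter how much bloat follows it.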