Researchers at Cisco Systems’ Talos Group have identified a new variety of malware that, if detected, attempts to take its host computer with it. Known as Rombertik, it is unique in terms of the lengths it will go to avoid both detection and removal, but it utterly mundane in terms of its designed function.

Malware Overview

Rombertik falls under the spyware classification of malware, designed to steal user data—specifically website logins and passwords—off machines it has infected. Rombertik isn’t picky about what kind of data it tries to grab, instead capturing anything it can via hooks in Internet Explorer, Firefox, and Google Chrome.

Anything transmitted or typed in plaintext is vulnerable to capture on an infected system, and the capture occurs before any communication actually happens. As a result, secure transmission methods such as HTTPS do not protect against data theft. The information is then transmitted to a C2 server offsite, where it is presumably read by the malware author.

What Makes It Unique?

Rombertik’s purpose is entirely common. What makes it special is the wide range of tactics it uses to make sure it goes undetected. Reported anti-detection measures include:

  • Massive amounts of images and dummy code used to inflate the size of the malware from 28KB to 1264KB
    • Researchers must check all of these items to make sure they actually don’t affect the operation of the malware.
  • Random writes of 1 byte of data to memory 960 million times
    • Tracing tools rapidly fill logs as they try to keep up with this I/O load.
    • Sandbox tools do not trigger because the malware is not lying idle or being actively malicious.
  • Calling specific Windows API features with deliberately incorrect switches to make sure it is not being analyzed
    • This includes 335,000 calls of a specific debug function meant to overload the mechanism in question.
  • Hash compilation

This last measure is functionally a dead-man’s switch. If the software’s hash-check algorithms detect that it has been modified, the malware activates its fail-safes, which occur in several steps.

First, the software attempts to overwrite the system’s Master Boot Record (MBR). If the MBR is not accessible due to permissions or other preventative measures, the malware attempts to encrypt the user’s home folder (e.g. C:\Users\<user> or C:\Documents and Settings\<user>) with a randomly generated RC4 key.

In either event, a reboot is forced after the actions are performed. An overwrite of the user’s home folder operates similarly to our old friends CryptoLocker, CryptoWall, and their compatriots. If the software can reach the MBR, however, it will entirely destroy the system because it overwrites not only important boot information but also the hard drive partition table, making it difficult at best to recover any data. Returning the system to a functional state requires a full operating system rebuild at that point.

How Can I Protect Myself?

Standard threat mitigation practices should help. As always, make sure your anti-malware protection options are up-to-date and active on your network and on all your employees’ or clients’ workstations. Educate users on what possible threat emails look like and what to do if they suspect an infection has happened. Double- and triple-check your backups, and make sure they are occurring regularly. (Don’t forget to test those restores!) We’ll update this space with additional information should more come up, so stay tuned.

Photo Credit: Alexandre Dulaunoy via Flickr.com. Used under CC 2.0 license

Paul Hanley

Posted by Paul Hanley

Paul Hanley is a senior partner support engineer at Intronis MSP Solutions by Barracuda.

Leave a reply

Your email address will not be published. Required fields are marked *