Cisco researchers recently came across new malware called Rombertik, which uses multiple layers of obfuscation to avoid detection and, notably, destroys the master boot record if analyzed or debugged.
The malware, which spreads via spam and phishing emails, is designed to steal login credentials and other sensitive information from the victim’s browser.
Upon execution, Rombertik first runs through a set of anti-analysis checks to see if it’s running within a sandbox. It then decrypts and installs itself on the victim’s computer, launches a second copy of itself, and overwrites that copy with the malware’s core functionality.
“Before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analyzed in memory,” Cisco researchers Ben Baker and Alex Chiu write in a blog post describing the threat. “If this check fails, Rombertik will attempt to destroy the Master Boot Record and restart the computer to render it unusable.”
Baker and Chiu note that one common method of obfuscating the functionality of a malware sample is to include a large volume of garbage code. “In this case, the unpacked Rombertik sample is 28KB while the packed version is 1264KB,” they write. “Over 97 percent of the packed file is dedicated to making the file look legitimate by including 75 images and over 8,000 functions that are never used. This packer attempts to overwhelm analysts by making it impossible to look at every function.”
Along with several other layers of obfuscation, Rombertik runs an anti-analysis function to ensure that it’s not being debugged. If it determines that it is, the malware wipes the infected computer.
“It first attempts to overwrite the Master Boot Record of PhysicalDisk0, which renders the computer inoperable,” Baker and Chiu write. “If the malware does not have permissions to overwrite the MBR, it will instead destroy all files in the user’s home folder (e.g. C:Documents and SettingsAdministrator) by encrypting each file with a randomly generated RC4 key.”
While many other types of malware include anti-analysis and anti-debugging functionality, Baker and Chiu note, Rombertik is unique in attempting to destroy the infected computer if it detects activity associated with malware analysis.
Spikes Security CMO Franklyn Jones told eSecurity Planet by email that Rombertik is the second example in the past week to demonstrate that sandboxes aren’t as effective as they’re often thought to be. “We recently learned that the Dyre browser-hooking malware has the ability to escape eight different security sandboxes,” he said.
“What all of this suggests is that sandbox security solutions are not necessarily reliable,” Jones added.
“It’s a scenario that we’ve seen time and time again — none of the existing security solutions have been able to protect enterprise users from malware infection,” Menlo Security CTO Kowsik Guruswamy said by email. “We’ve thrown signatures, sandboxes, big data, analytics and numerous other seemingly innovative security technologies at it yet nothing works.”
“We really need to be thinking about ways of eliminating malware that doesn’t involve keeping up with the latest trends — something more definitive that just takes the problem off the table,” Guruswamy added.