Vulnerability Focus: Rombertik Malware
Resolution
This week's Vulnerability Focus is on the new Rombertik Malware.
This week many IT security websites were reporting on newly discovered malware that can rewrite the boot record on a victim's hard drive to frustrate detection and analysis. This is pretty extreme, even by the standards of what malware will do to evade detection and analysis.
The malware is designed to collect data on everything a victim does online, doing so indiscriminately rather than focusing on areas such as internet banking or social media accounts. It reaches a system through a phishing campaign and/or malicious email attachments.
Rombertik contains many layers of "junk" code that hide its true purpose, and it includes anti-analysis functionality. The malware tries to look legitimate by carrying 75 images and over 8,000 functions; with so many functions, it attempts to "hide in the noise" and appear inconspicuous. Another step the malware takes is to write random data to memory over 960 million times in order to stall detection methods. It then checks whether any of its own code has been modified and calls a function 335,000 times as an anti-debugging mechanism.
Once these checks complete, Rombertik decrypts and installs itself on the victim's computer. Following installation, it launches a second copy of itself and overwrites that copy with the malware's core spying functionality.
The venom in this malware is that if any of its anti-analysis checks fail (that is, if the malware believes it is being analyzed), it acts destructively. It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable. If the malware does not have permission to overwrite the MBR, it instead destroys all files in the user's home folder (for example, C:\Documents and Settings\Administrator\) by encrypting each file with a randomly generated RC4 key. After the MBR is overwritten or the home folder has been encrypted, the computer is restarted. The MBR holds code that executes before the operating system loads. The overwritten MBR contains code that prints "Carbon crack attempt, failed" and then enters an infinite loop, preventing the system from continuing to boot.
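Comparing a disk's MBR against a copy taken while the machine was known good is one practical defensive response to the behaviour described above. The following Python is an added example, not code from the original post or from Palo Alto Networks: it parses a 512-byte MBR image, flags the message the article reports, an empty partition table or a missing boot signature, and compares the boot-code hash against a baseline the operator recorded earlier; the images and baseline it works on are constructed test data, not taken from a real disk.

```python
import hashlib

# MBR layout: 446 bytes of boot code, four 16-byte partition entries, 2-byte signature.
MBR_SIZE, BOOT_CODE_END, PART_TABLE_END = 512, 446, 510
BOOT_SIGNATURE = b"\x55\xaa"
# Message the article reports the overwritten MBR prints before looping forever.
ROMBERTIK_MARKER = b"Carbon crack attempt, failed"


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR image into boot code, used partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte MBR image, got {len(mbr)}")
    entries = [mbr[i:i + 16] for i in range(BOOT_CODE_END, PART_TABLE_END, 16)]
    return {
        "boot_code": mbr[:BOOT_CODE_END],
        "partitions": [e for e in entries if e[4] != 0],  # type byte 0 = unused slot
        "signature": mbr[PART_TABLE_END:],
    }


def boot_code_sha256(mbr: bytes) -> str:
    """Hash only the boot code so legitimate partition edits do not trip the baseline."""
    return hashlib.sha256(parse_mbr(mbr)["boot_code"]).hexdigest()


def assess_mbr(mbr: bytes, baseline_sha256: str = "") -> list:
    """Return findings for an MBR image; an empty list means nothing suspicious was seen."""
    parsed = parse_mbr(mbr)
    findings = []
    if parsed["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing: disk will not boot")
    if ROMBERTIK_MARKER in parsed["boot_code"]:
        findings.append("boot code contains the Rombertik wiper message")
    if not parsed["partitions"]:
        findings.append("partition table empty: wiper may have clobbered it")
    # A present signature proves nothing: a hostile MBR keeps it so the BIOS still runs
    # the boot code. Only a baseline taken while the disk was known good is conclusive.
    if baseline_sha256 and boot_code_sha256(mbr) != baseline_sha256.lower():
        findings.append("boot code hash differs from known-good baseline")
    return findings


def build_sample_mbr(boot_code: bytes, partition_type: int = 0x07) -> bytes:
    """Constructed test image (not a real disk): padded boot code, one entry, signature."""
    entry = bytes([0x80, 1, 1, 0, partition_type, 0xFE, 0xFF, 0xFF])  # status, CHS, type, CHS
    entry += (2048).to_bytes(4, "little") + (1_000_000).to_bytes(4, "little")  # LBA start, size
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE
```

On a live system, feed `assess_mbr` the first 512 bytes of the disk (for example `\\.\PhysicalDrive0` on Windows, readable only with administrator rights) together with a baseline hash recorded from the same machine while it was clean.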
To date, the following indicators have been identified:
File names:
===========
%AppData%\rsr\yfoye.exe
%AppData%\rsr\yfoye.bat
Externally reported (SHA256) hash:
==================================
0d11a13f54d6003a51b77df355c6aa9b1d9867a5af7661745882b61d9b75bccf
Palo Alto Networks Coverage:
============================
Command-and-Control Servers:
============================
www.centozos.org.in
Other sites reporting this:
Rombertik malware wipes hard drives to prevent detection | ZDNet:
http://blogs.cisco.com/security/talos/rombertik#conclusion
Check back for updates as more information becomes available on this particular malware.
Thanks for reading and stay secure,
Joe Delio