Rombertik malware takes down PC if detected or analysed

News by Rene Millman

A new strain of malware has been found to wipe an infected hard drive if it is detected or analysed.

Dubbed Rombertik, the virus launches itself from a phishing or spam email and is designed to log keystrokes and steal data in what researchers describe as an “indiscriminate manner”, according to Cisco's Talos Group blog.

However, it also scans the host system looking for any attempts to analyse or detect it, such as checking to see if it is running in a sandboxed virtual machine. Once checks are complete, the malware decrypts and installs itself on a victim's PC. Then a second copy is launched and overwrites the initial code with its core functionality. The final check the malware does is to compute a 32-bit hash of a resource in memory, if that resource or the compile time has changed, the malware then starts its destruction of the PC.

Rombertik will then attempt to overwrite the Master Boot Record (MBR) which then puts the host machine into an endless reboot. The display reads “Carbon crack attempt, failed.”

If the malware can't access the MBR, it will then encrypt the user's home folder with a random RC4 key, effectively destroying them.

According to security researchers Ben Baker and Alex Chiu of the Talos Group within Cisco, the malware is “unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis”.

About 97 percent of the unpacked file is designed to make the malware appear like some other application with 75 images and 8,000 decoy functions that don't get used by the malware.

“This packer attempts to overwhelm analysts by making it impossible to look at every function,” the researchers said.

It is also designed to confuse sandboxes by writing a random byte of data to memory 960 million times, swelling tracing tool logs to almost 100GB. It also calls a Windows API debug string 335,000 times.

"Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis,” the researchers said.

Tim Keanini, CTO at Lancope told via email that the trend in evidence here is that attackers are innovating on how to evade and avoid analysis.

“Getting on the machine used to be the difficult part, now evasion is the game as, each day they go undetected, is another day of profit,” he said.

“Malware is software and most software on a machine has the capability to destroy its host - this is not a new trend and I expect to see it grow as once the malware is detected, it is best to destroy any and all evidence having nothing to lose and a chance that it's technique and tactics are harder to discover,” Keanini added.

Guillermo Lafuente, security consultant of MWR InfoSecurity told SC that if this kind of malware infects a corporate environment it could be extremely damaging.

"Fortunately, the malware seems to only spread via unsophisticated phishing emails, thus limiting the impact it can have in a corporate environment. It is unlikely that a large number of employees in the same company will open the email and execute the attachment,” he said.

Lafuente added that the best protection against Rombertik for organisations is to ensure that employees understand the threat posed by phishing emails and to have a team to whom employees can report security incidents without consequences if they think they have executed a malicious attachment by mistake. “Having mail filters that block spam and phishing emails and having up-to-date anti-viruses will also help in preventing infection,” he said.

Sagie Dulce, security researcher at Imperva told that the malware's truly a nasty trick, which probably made the job of a research team much harder.

“I would expect malware writers to start using this feature, as it makes the job of reversing a malware much more tedious,” said Dulce.

Tyler Moffitt, senior threat research analyst at Webroot, told SC in an email that organisations would need multiple layers of protection to stop the virus infecting a system and spreading.

“First is through the zip file - we actually detect this exact malware as a zip as soon as it writes to the disk. If that doesn't trigger, then the next level of protection is once it has been extracted. The malware should be blocked in real-time right as the .scr executable inside the zip file attempts to write to the disk. If that fails, then the next layer of protection is through heuristic security, attempting to pick up any malicious action by the file.”

He added that as this particular malware launches a second copy of itself after installation and overwrites the second copy with the malware's core functionality that this was “very suspicious behaviour and a common tactic used by encryption ransomware”.

“As a result, we are confident that a heuristic approach can pick up on and prevent this kind of action,” he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews