    Complex Rombertik Malware Corrupts Drives to Prevent Code Analysis

    By
    Robert Lemos
    -
    May 6, 2015

      Attackers are adopting increasingly malicious tactics to evade security researchers’ analysis efforts, with a recently discovered data-stealing program erasing the master boot record of a system’s hard drive if it detects signs of an analysis environment, according to a report published by Cisco on May 4.

      The malware, dubbed Rombertik, compromises systems and attempts to steal information, such as log-in credentials and personal information, from the victim’s browser sessions, researchers with Cisco’s Talos security intelligence group stated in the report.

      When the malware installs itself, the software runs several anti-analysis checks, attempting to determine if the system on which it is running is an analysis environment. If the last check fails, the malware deletes the master boot record, or MBR, which is required to correctly start up the computer system.

      “The interesting bit with Rombertik is that we are seeing malware authors attempting to be incredibly evasive,” Alexander Chiu, a threat researcher with Cisco, said in an email interview with eWEEK. “If Rombertik detects it’s being analyzed running in memory, it actively tries to trash the MBR of the computer it’s running on. This is not common behavior.”

      Attackers are increasingly attempting to prevent defenders from analyzing the tools and programs they use to conduct criminal and espionage operations. In a recent analysis, researchers with security firm Seculert found a variant of the Dyre banking Trojan that used a simple check—counting the number of processing cores—to detect if it was in a virtual environment.

      “At a high level, Rombertik is a complex piece of malware that is designed to hook into the user’s browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre,” Cisco’s researchers stated in the report. “However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner.”

      Rombertik is distributed through various spam campaigns, often camouflaged as a PDF file. In reality, the attachment is a screensaver executable that attempts to run on the system if the user opens the binary. The prevalence of the malware is currently not known.

      During an installation attempt, Rombertik attempts multiple times to determine if it might be in an analysis environment. The program has a lot of unused code, including uncalled functions and images that the malware authors included to try to camouflage the malware’s functionality, Cisco’s researchers stated.

      The program also attempts to outlast automated analysis by writing a byte to memory nearly a billion times. Automated systems are often designed to run for a limited length of time, so as to efficiently process as many files as possible. The technique of writing data so many times could potentially crash some environments, Cisco stated.

      “If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes,” the researchers said. “Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis.”
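      The log-bloat problem Cisco describes is one an analysis environment can blunt on the defender's side by not writing one log line per instruction. The following is an added illustration, not code from Cisco's report or from Rombertik: it assumes a hypothetical instruction tracer that yields one (instruction pointer, target address, size) event per memory write, merges back-to-back identical writes into a single counted run, flags runs long enough to look like a stall loop, and compares the naive and coalesced log sizes. The trace stream and all addresses are constructed for the example.

```python
# Added example (not Cisco's report code and not Rombertik's): a trace-log
# coalescer for a hypothetical instruction tracer that emits one event per
# memory write. Consecutive identical writes from the same instruction are
# merged into a single run with a count, so a stall loop that repeats one
# write hundreds of millions of times produces one log entry instead of a
# multi-gigabyte log. Runs above a threshold are flagged for the analyst.
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

# (instruction pointer, target address, bytes written); all values constructed.
WriteEvent = Tuple[int, int, int]


@dataclass
class WriteRun:
    ip: int         # address of the writing instruction
    addr: int       # memory address written
    size: int       # bytes per write
    count: int = 1  # how many consecutive identical writes were merged

    def log_line(self) -> str:
        """Render the run as a single log entry."""
        return f"ip={self.ip:#010x} write addr={self.addr:#010x} size={self.size} x{self.count}"


def coalesce_writes(events: Iterable[WriteEvent]) -> Iterator[WriteRun]:
    """Merge consecutive identical write events into WriteRun records.

    Only back-to-back repeats are merged, so the ordering between distinct
    writes is preserved and the trace stays faithful for later analysis.
    """
    current = None
    for ip, addr, size in events:
        if current is not None and (ip, addr, size) == (current.ip, current.addr, current.size):
            current.count += 1
            continue
        if current is not None:
            yield current
        current = WriteRun(ip, addr, size)
    if current is not None:
        yield current


def flag_stall_runs(runs: Iterable[WriteRun], threshold: int) -> List[WriteRun]:
    """Return runs whose repeat count meets the threshold (candidate stall loops)."""
    return [run for run in runs if run.count >= threshold]


def estimate_log_bytes(entries: int, bytes_per_entry: int) -> int:
    """Bytes a naive one-line-per-write log would occupy (bytes_per_entry is an assumption)."""
    return entries * bytes_per_entry


def simulated_stall_trace(iterations: int) -> Iterator[WriteEvent]:
    """Constructed event stream: a few ordinary writes around a loop that
    rewrites the same byte `iterations` times, imitating the behaviour the
    article describes. Addresses are made up."""
    yield (0x00400FF0, 0x7FFD0000, 4)
    yield (0x00400FF8, 0x7FFD0004, 4)
    for _ in range(iterations):
        yield (0x00401000, 0x00A00000, 1)
    yield (0x00401020, 0x7FFD0008, 4)


if __name__ == "__main__":
    runs = list(coalesce_writes(simulated_stall_trace(1_000_000)))
    for run in runs:
        print(run.log_line())
    suspicious = flag_stall_runs(runs, threshold=100_000)
    naive_mb = estimate_log_bytes(1_000_000 + 3, 110) / 1e6  # 110 bytes/entry is an assumption
    print(f"{len(suspicious)} candidate stall loop(s); naive log about {naive_mb:.0f} MB, "
          f"coalesced log has {len(runs)} lines")
```

      Coalescing only adjacent repeats keeps the run-length summary exact, which is why the flagged run is itself useful evidence: a single instruction writing one byte hundreds of millions of times is a signal worth surfacing to the analyst rather than a log to be discarded.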

      When it reaches its final check, Rombertik deletes the MBR or, if it is unable to, deletes all files in the user’s account, according to Cisco.

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.