Malware Wipes System To Avoid Analysis

Security researchers at Cisco said they have uncovered a piece of malware that goes to extraordinary lengths to avoid being analysed, including destroying a user’s hard drive if it thinks it has been detected.

The malware, named Rombertik by Cisco’s Talos Group security operation, is spread by spam and phishing emails, and records any text entered into a browser, presumably in an effort to steal security credentials.

Obfuscation

While malicious programs commonly take measures to avoid security software, Rombertik is “unique” in that it tries to render a system unusable if it believes it has been detected, Cisco said.

The system-wiping techniques it uses are similar to those deployed in attacks on South Korean targets in 2013 and against Sony Pictures last year.

When it is first installed, Rombertik unpacks various pieces of code, 97 percent of which are designed to camouflage the program’s real operations beneath thousands of decoy functions.

“This packer attempts to overwhelm analysts by making it impossible to look at every function,” wrote Talos’ Ben Baker and Alex Chiu in an analysis.

In order to avoid detection by sandboxes, which monitor software for possible security hazards, the program writes one byte of data to memory 960 million times, again in an effort to conceal the malware’s real purpose. Specifically, this measure is intended to confuse analysis tools, since if they tried to log all 960 million write functions, the log would grow to over 100 gigabytes, Talos said.

System wipe

“Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive,” wrote Baker and Chiu. “This complicates analysis.”
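As an added illustration of the defender's side of this trick (this is not Cisco/Talos code, and not anything from Rombertik), the following streaming trace coalescer collapses runs of identical sandbox events into one counted record, so a loop of hundreds of millions of identical one-byte writes costs one log line rather than 100 gigabytes; the `TraceEvent` fields, the sample trace and the flagging threshold are all constructed for the example.

```python
"""Coalesce a sandbox trace so that a padding loop repeating one tiny
operation hundreds of millions of times yields a single counted record."""
from collections import namedtuple

# Hypothetical trace record: operation name, target address, byte count.
TraceEvent = namedtuple("TraceEvent", "op address size")


def coalesce_trace(events):
    """Yield (event, repeat_count) for each run of identical consecutive
    events. Runs in constant memory: the stream is never stored whole."""
    current, count = None, 0
    for event in events:
        if event == current:
            count += 1
            continue
        if current is not None:
            yield current, count
        current, count = event, 1
    if current is not None:
        yield current, count


def flag_write_loops(records, min_repeats=1_000_000):
    """Return coalesced write records repeated often enough to be worth
    flagging as an anti-analysis padding loop (threshold is an assumed
    tuning value, not one taken from the Talos write-up)."""
    return [(e, n) for e, n in records if e.op == "write" and n >= min_repeats]


def constructed_trace(repeats):
    """Constructed sample stream: one allocation, `repeats` identical
    one-byte writes to the same address, then the call that does real work."""
    yield TraceEvent("alloc", 0x1000, 4096)
    for _ in range(repeats):
        yield TraceEvent("write", 0x1000, 1)
    yield TraceEvent("call", 0x401000, 0)


def analyse(repeats):
    """Coalesce the constructed trace; return (raw_event_count, records, flagged)."""
    records = list(coalesce_trace(constructed_trace(repeats)))
    return repeats + 2, records, flag_write_loops(records)


if __name__ == "__main__":
    raw, records, flagged = analyse(1_500_000)  # smaller run for a quick demo
    print(f"{raw} raw events -> {len(records)} coalesced records")
    for event, n in flagged:
        print(f"flagged: {event.op} of {event.size} byte(s) at {event.address:#x} x {n}")
```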

Finally, the program’s last anti-analysis function is based on computing a 32-bit hash of a resource in memory. If the program finds that the resource or the compile time has been altered, it begins trying to destroy the system: first it attempts to overwrite the Master Boot Record (MBR), or, if it lacks sufficient privileges to do so, it instead destroys all files in the user’s home folder by encrypting each with a randomly generated key.

If the MBR rewrite attempt has succeeded, code inserted into it will run after the restart, printing the words “Carbon crack attempt, failed” and then sending the computer into an infinite loop, which will continue until the operating system is re-installed.

The MBR alteration also overwrites disk partition data with null bytes, making it more difficult to salvage data from the hard disk, Cisco said.

Cisco said it expects such techniques to become more prevalent as the malware landscape becomes increasingly competitive and anti-malware tools grow more powerful.

“Looking forward, Talos expects these methods and behaviours to be adopted by other threat actors in the future,” Baker and Chiu wrote.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.