
Malware Wipes System To Avoid Analysis

Security researchers at Cisco said they have uncovered a piece of malware that goes to extraordinary lengths to avoid being analysed, including destroying a user’s hard drive if it thinks it has been detected.

The malware, named Rombertik by Cisco’s Talos Group security operation, is spread by spam and phishing emails, and records any text entered into a browser, presumably in an effort to steal security credentials.

Obfuscation

While malicious programs commonly take measures to avoid security software, Rombertik is “unique” in that it tries to render a system unusable if it believes it has been detected, Cisco said.

The system-wiping techniques it uses are similar to those deployed in attacks on South Korean targets in 2013 and against Sony Pictures last year.

When it is first installed, Rombertik unpacks various pieces of code, 97 percent of which are designed to camouflage the program’s real operations beneath thousands of decoy functions.

“This packer attempts to overwhelm analysts by making it impossible to look at every function,” wrote Talos’ Ben Baker and Alex Chiu in an analysis.

In order to avoid detection by sandboxes, which monitor software for possible security hazards, the program writes one byte of data to memory 960 million times, again in an effort to conceal the malware’s real purpose. Specifically, this measure is intended to confuse analysis tools, since if they tried to log all 960 million write functions, the log would grow to over 100 gigabytes, Talos said.

System wipe

“Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive,” wrote Baker and Chiu. “This complicates analysis.”
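One defensive counter to the log-flooding trick described above is to run-length encode the write trace before it reaches disk, so 960 million identical one-byte writes collapse into a single record with a repeat count, and an unusually long run is itself reported as an evasion indicator. The following is an added example written for this article, not Cisco or Talos code; the trace record format, the flooding threshold and the sample trace are all assumptions constructed here.

```python
from collections import namedtuple
from typing import Iterable, Iterator, List

# Hypothetical sandbox trace record: one memory write seen by the instrumentation.
WriteEvent = namedtuple("WriteEvent", "address value")
# Coalesced record: consecutive identical writes stored once with a repeat count.
WriteRun = namedtuple("WriteRun", "address value count")

# Assumed threshold above which a single run is reported as a log-flooding attempt.
FLOOD_THRESHOLD = 1_000_000


def coalesce_writes(events: Iterable[WriteEvent]) -> Iterator[WriteRun]:
    """Run-length encode consecutive writes of the same value to the same address.

    The 960 million one-byte writes described in the article become one
    WriteRun with count=960_000_000 instead of 960 million log lines.
    """
    addr = val = None
    count = 0
    for ev in events:
        if count and ev.address == addr and ev.value == val:
            count += 1                      # same write again: extend the run
        else:
            if count:
                yield WriteRun(addr, val, count)
            addr, val, count = ev.address, ev.value, 1
    if count:
        yield WriteRun(addr, val, count)


def flagged_runs(runs: Iterable[WriteRun], threshold: int = FLOOD_THRESHOLD) -> List[WriteRun]:
    """Return runs whose repeat count reaches the threshold (candidate log flooding)."""
    return [r for r in runs if r.count >= threshold]


def simulate_trace(repeats: int) -> Iterator[WriteEvent]:
    """Constructed sample trace: a few ordinary writes, then `repeats` writes of
    one byte to one address, then a final write (mirrors the described behaviour)."""
    yield WriteEvent(0x1000, 0x41)
    yield WriteEvent(0x1004, 0x42)
    for _ in range(repeats):
        yield WriteEvent(0x2000, 0x00)
    yield WriteEvent(0x1008, 0x43)


if __name__ == "__main__":
    # A small run keeps the demo fast; the coalescer itself is streaming and O(1) in memory.
    runs = list(coalesce_writes(simulate_trace(5000)))
    print(runs)
    print("flagged:", flagged_runs(runs, threshold=1000))
```

Because the coalescer is a generator it never buffers the raw trace, which is what keeps the log on disk small regardless of how many repeats the sample issues.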

Finally, the program’s last anti-analysis function is based on computing a 32-bit hash of a resource in memory. If the program finds that the resource or the compile time has been altered, it begins trying to destroy the system, first trying to overwrite the Master Boot Record (MBR), or, if it doesn’t have sufficient privileges to do so, instead destroying all files in the user’s home folder by encrypting each with a randomly generated key.

If the MBR rewrite attempt has succeeded, code inserted into it will run after the restart, printing the words “Carbon crack attempt, failed” and then sending the computer into an infinite loop, which will continue until the operating system is re-installed.

The MBR alteration also overwrites disk partition data with null bytes, making it more difficult to salvage data from the hard disk, Cisco said.

Cisco said it expects such techniques to become more prevalent as the malware landscape becomes increasingly competitive and anti-malware tools grow more powerful.

“Looking forward, Talos expects these methods and behaviours to be adopted by other threat actors in the future,” Baker and Chiu wrote.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
