"Self-destructing" malware Rombertik: multi-level obfuscation, high complexity, and automatic hard drive erasure during analysis
Rombertik is a highly complex piece of malware that combines multi-level obfuscation with elaborate detection-evasion and anti-analysis techniques; in addition, it can erase hard disk data to stop anyone from analyzing it. It also collects information about every website the user browses and harvests user logon credentials and other sensitive data.
Principle of Rombertik
Recently, security experts from the Cisco Talos team discovered a new malware family called Rombertik, which implements highly complex detection-evasion and anti-analysis techniques and can also delete the victim's hard disk data to render the computer unusable. The purpose of this malware is to collect information about the user's web browsing, user logon credentials, and other sensitive data.
According to the researchers, Rombertik infects users through malicious email.
Experts from the Talos team reverse-engineered Rombertik samples and documented the malware's behavior and purpose, including its multi-level obfuscation and anti-analysis measures; in addition, as a last resort it can destroy and erase all data on the hard disk. The researchers explained:
"Once Rombertik has unpacked and executed, the final anti-analysis function runs. If this check fails, things become especially troublesome. This function computes a 32-bit hash of a resource in memory and compares it with the compile timestamp of the unpacked PE file. If the resource or the compile time has been modified, the malware takes destructive action. First, it tries to overwrite the Master Boot Record (MBR) of the physical hard disk PhysicalDisk0, which leaves the computer unable to operate. If Rombertik lacks permission to overwrite the MBR, it instead destroys the user's home folder (for example, C:\Documents and Settings\Administrator\) by encrypting every file in it with a randomly generated RC4 key. After the MBR is overwritten or the files in the home folder are encrypted, the computer restarts automatically. The MBR begins with code that executes before the operating system runs. The rewritten MBR contains code that prints 'Carbon crack attempt, failed' and then enters an infinite loop to prevent the system from starting."
The researchers also confirmed that the MBR holds the disk partition data, which means that when the malware overwrites the MBR it also sets the partition table bytes to null, making it difficult for forensic examiners to reach the data on the disk. After the computer restarts, the victim sees the following screen.
"In fact, at first Rombertik looked like a malware sample that erases data. If it detects that it is being analyzed, it destroys the user's computer. Although experts from the Talos team have seen anti-analysis and anti-debugging techniques in previous malware samples, Rombertik is unique in this regard, because when it detects specific attributes associated with malware analysis, it tries to destroy the entire computer."
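The forensic consequence described above (a rewritten MBR whose partition table is nulled while the 0x55AA boot signature stays valid) can be triaged from a disk image's first sector. The following is an added example for examiners, not code from the original article or from Talos; the two sample MBRs are constructed here, and the helper `_mbr` and the function names are hypothetical.

```python
import struct
from dataclasses import dataclass

# Hypothetical helper that builds constructed 512-byte MBR images for this demo.
def _mbr(boot_code: bytes, partition_entry: bytes) -> bytes:
    boot_code = boot_code.ljust(446, b"\x90")      # pad boot code area to 446 bytes
    table = partition_entry.ljust(64, b"\x00")     # four 16-byte partition slots
    return boot_code + table + b"\x55\xAA"         # boot signature at offset 510

# Constructed sample: one bootable NTFS-type entry, LBA start 2048, 1,000,000 sectors.
NORMAL_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x00\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
NORMAL_MBR = _mbr(b"", NORMAL_ENTRY)
# Constructed sample of the tampered layout the article describes: boot code carrying the
# quoted message string, partition table all zero, signature intact.
WIPED_MBR = _mbr(b"Carbon crack attempt, failed", b"")

@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

def parse_partitions(mbr: bytes) -> list[Partition]:
    """Parse the four 16-byte partition entries of a classic MBR, skipping empty slots."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a valid 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i : 446 + 16 * (i + 1)]
        if entry == b"\x00" * 16:
            continue                                # empty slot
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", entry)
        parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts

def triage_mbr(mbr: bytes) -> dict:
    """Report the two findings an examiner wants first: is the partition table nulled,
    and does the boot code contain the message string quoted in the article."""
    return {
        "partition_table_wiped": parse_partitions(mbr) == [],
        "boot_code_has_message": b"Carbon crack attempt, failed" in mbr[:446],
    }
```

On a real image, read the first 512 bytes of the disk and pass them to `triage_mbr`; a wiped table with an intact signature means the partition layout must be recovered from backup boot sectors or filesystem signatures rather than from the MBR.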
Security measures
Rombertik is certainly a very complex piece of malware. Even so, the best defense against it at present is simply to keep anti-virus software up to date and not to open email from unknown senders.