New malware strain destroys master boot record to avoid detection
By Ashley Carman on May 6, 2015
Cisco researchers have identified a new malware sample, called Rombertik, that takes its detection evasion features one step further than the average cyber threat.
Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post.
This malware spreads through spam and phishing messages sent to possible victims.
In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.
At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality.
Then it will check to make sure it isn't being analysed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.
To make actual analysis even more difficult, in the unpacked Rombertik sample used by Cisco more than 97 percent of the packed file was dedicated to useless files, including 75 images and more than 8000 functions that are never used.
Instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes in size.
All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser.
Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.
“This is the perfect example where layered defence makes a lot of sense,” said Craig Williams, technical leader of Cisco Talos, in an interview with SCMagazine.com.
Although the malware may beat one detection system it's unlikely to detect or avoid them all, he said, making layered defense an important method to mitigate the risk.
However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.