
'Rombertik' malware kills host computers if you attempt a cure

Say goodbye to your master boot record and home directory if you try to stop it

Cisco researchers Ben Baker and Alex Chiu have found new malware that destroys a machine's Master Boot Record and home directories if it detects meddling white hats.

The pair from the Borg's TALOS malware probing department say the "Rombertik" malware is designed to steal keystrokes and data and targets Windows users through phishing.

"At a high level, Rombertik is a complex piece of malware that is designed to hook into the user's browser to read credentials and other sensitive information for exfiltration to an attacker controlled server," the pair say in an advisory.

"The process by which Rombertik compromises the target system is fairly complex, with anti-analysis checks in place to prevent static and dynamic analysis.

"Before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analysed in memory [and if so] will attempt to destroy the Master Boot Record (MBR) and restart the computer to render it unusable."

If Rombertik cannot murder the MBR and send the computer into infinite boot loops, it will instead encrypt all files in a user's home folders with a random RC4 key.

The destruction is particularly heinous since most authors choose to limit self-destruction to their own malware in a bid to eradicate evidence that could allow researchers to accurately identify it.

Rombertik runs through its anti-analysis checks, to work out whether it is executing in a researcher's sandbox, before decrypting its payload and kicking off spying operations.

Its packer contains a tonne of garbage code including 75 images and 8000 functions that do nothing but bamboozle white hat researchers.

It confuses sandboxes too by writing a byte of junk data to memory a whopping 960 million times. This is similar to sleeping, but has the added effect of swelling tracing tool logs to a potential 100 gigabytes.

This battery keeps firing by calling a Windows debug-string API 335,000 times to fend off debuggers.
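The two stalling tricks above (hundreds of millions of junk memory writes, hundreds of thousands of debug-string calls) both rely on the analysis environment logging every event and either timing out or drowning in output. The added example below, which is not code from the article or from Talos, shows the defender-side counter: stream a sandbox trace once, aggregate per process and event instead of storing every line, flag any count that crosses a stalling threshold, and separately flag a raw-disk handle opened for writing, the precondition for the MBR overwrite the article describes. The trace format, the process IDs, the thresholds, and the use of `OutputDebugStringA` as the debug-string API (the article does not name it) are all assumptions made for the illustration.

```python
"""Bounded-memory triage of an API/instruction trace for analysis-stalling
loops and raw-disk writes. Constructed example; thresholds are illustrative."""
from collections import Counter
import re

# Per-(pid, event) counts above which a run is reported as stalling the
# analyser. Assumed values: the article cites 335,000 debug-string calls and
# 960 million one-byte memory writes in a single Rombertik run.
STALL_THRESHOLDS = {
    "OutputDebugStringA": 10_000,   # assumed API name for "debug string"
    "mem_write": 1_000_000,         # instruction-tracer event, assumed name
}

# A raw physical-disk handle opened for writing is what an MBR overwrite
# needs; report it on first sight regardless of frequency.
RAW_DISK = re.compile(r"\\\\\.\\PhysicalDrive\d+", re.IGNORECASE)


def parse_line(line):
    """Constructed trace format: '<pid> <event> [detail...]'."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    pid, event = parts[0], parts[1]
    detail = parts[2] if len(parts) == 3 else ""
    return pid, event, detail


def aggregate(lines):
    """Single pass over the trace keeping O(distinct events) state, not
    O(trace length), so a 960-million-iteration loop costs time but not
    log volume."""
    counts = Counter()
    raw_disk_writes = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, event, detail = parsed
        counts[(pid, event)] += 1
        if (event == "CreateFileW" and RAW_DISK.search(detail)
                and "GENERIC_WRITE" in detail):
            raw_disk_writes.append((pid, detail))
    return counts, raw_disk_writes


def assess(counts, raw_disk_writes):
    """Turn aggregated state into human-readable findings."""
    findings = []
    for (pid, event), n in counts.items():
        limit = STALL_THRESHOLDS.get(event)
        if limit is not None and n >= limit:
            findings.append(
                f"pid {pid}: {event} x{n} exceeds {limit} (analysis-stalling loop)")
    for pid, detail in raw_disk_writes:
        findings.append(
            f"pid {pid}: raw disk opened for write ({detail}) - possible MBR overwrite")
    return findings


def analyse(lines):
    return assess(*aggregate(lines))


def constructed_trace():
    """Constructed trace, not a capture of the real sample: a benign process
    (pid 100) next to one (pid 4321) behaving as the article describes."""
    yield "100 CreateFileW C:\\Users\\alice\\report.pdf GENERIC_READ"
    yield "100 OutputDebugStringA loading"
    for _ in range(12_000):
        yield '4321 OutputDebugStringA ""'
    for _ in range(1_100_000):
        yield "4321 mem_write 0x00400000 1"
    yield "4321 CreateFileW \\\\.\\PhysicalDrive0 GENERIC_WRITE"


if __name__ == "__main__":
    for finding in analyse(constructed_trace()):
        print(finding)
```

Because the aggregation never stores individual lines, a tracer built this way cannot be pushed toward the 100-gigabyte logs the article mentions; the loop still burns wall-clock time, which is why the thresholds are paired with the usual sandbox timeout rather than replacing it.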

But that is nothing compared to the complexity of Rombertik's unpacked code.

"The unpacking code is monstrous and has many times the complexity of the anti-analysis code [containing] dozens of functions overlapping with each other and unnecessary jumps added to increase complexity. The result is a nightmare of a control flow graph with hundreds of nodes."

With the researchers and their tools tormented, Rombertik will capture web browser data before it hits HTTPS by injecting into Chrome, Firefox, or Internet Explorer and hooking API functions that handle plain text data.

It targets any and all websites, and spreads through an executable screensaver disguised as an Adobe PDF file. ®
