Security "Bits"

Here's How Nasty "Rombertik" Malware Evades Detection

By Rich Campagna | May 6, 2015 at 10:39 AM

rombertik_destroys_hard-driveWhat's even worse than a nasty malware infection that exfiltrates your data and prevention-focused security tools can't detect? One that destroys your computer if it doesn't get its way. That's the modus operandi of the Rombertik malware, and the latest example of the bad guys staying one step ahead of security professionals. 

Rombertik indiscriminately collects user credentials (and any other sensitive data) entered into the browser of infected machines. 

It infects by using the the usual, tried-and-true technique - sending phishing emails to overly trusting users who open the attachment that contains the malware.

Rombertik is interesting because it uses several techniques developed specifically to evade detection by the latest and greatest security products - especially those executing malware in sandbox environments. Techniques include:

  • Most of the file (97%) consists of legitimate looking code, with a large number of functions that are not at all malicious. The idea? Hide the nasty stuff amongst legitimate code in the hopes that analysis will view the file as clean.
  • Overwhelm the sandbox technology by writing nearly a billion bytes of data to memory. The idea here is to take advantage of the fact that most sandboxing products have limited memory and disk capacity, by leveraging a very time-consuming, performance intensive technique. 
  • After running through several other detection evasion tests, Rombertik's final test (if it fails) overwrites the Master Boot Record of the disk and then reboots the machine, rendering it inoperable until the operating system is reinstalled. 

If you're lucky(?) enough not to have to reimage your machine, Rombertik takes over by capturing any plaintext data you type into any browser on the device. Because of the way that Rombertik hooks into the browser processes, Rombertik is even able to capture information that is being exchanged with a website over HTTPS. For example, if you're buying something online, the connection is secured via HTTPS, but Rombertik captures the data before it's encrypted - meaning it captures your credit card and any other information you type into the browser.

This is just the most recent example of how sophisticated malware is evading prevention focused mechanisms, speaking to the emerging need for breach discovery mechanisms that identify breaches early, helping you to limit damage where your first line of defense fails. In this case, the malware in question makes outbound calls to command and control sites on suspicious new domains, both of which are detected by sophisticated breach discovery products. 

For more information on the Bitglass Breach Discovery service, or to try it yourself, click here. And don't forget to catch the replay of last week's webinar, How to Limit Breach Damage - Think Like a Hacker.






see all