Rombertik

Last updated

Rombertik is spyware designed to steal confidential information from targets using Internet Explorer, Firefox, or Chrome running on Windows computers. [1] It was first publicized by researchers at Cisco Talos Security and Intelligence Group.

Operation

Rombertik employs several techniques to make analyzing or reverse-engineering it difficult. Over 97% of the file is unnecessary code or data meant to overwhelm analysts. It loops through code hundreds of millions of times to delay execution, and checks for file names and user names used by Malware Analysis Sandboxes.

If Rombertik detects a modification in the compile time or binary resource in memory, it attempts to overwrite the Master Boot Record (MBR) on the primary hard drive. [2] The MBR contains code necessary to boot the Operating System, as well as information about where partitions are stored on the hard drive. Though the user's data remains on the hard drive, the Operating System is unable to access it without the MBR. In some cases, it may be possible to recover data from a hard drive with a modified MBR. [3]

If the malware does not have the necessary permissions to overwrite the MBR, it instead encrypts each file in the victim's home directory. This directory encryption technique is similar to ransomware, but Rombertik does not attempt to extort money from its victims. Files encrypted with a strong key can be nearly impossible to recover. [4]

Ps installed, it injects code into running processes of Internet Explorer, Firefox, and Chrome. The injected code intercepts web data before it is encrypted by the browser, and forwards it to a remote server. [1]

Related Research Articles

Malware Portmanteau for malicious software

Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network. By contrast, software that causes unintentional harm due to some deficiency is typically described as a software bug. A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper and scareware.

Disk partitioning Creation of separate accessible storage areas on a raw computer storage device

Disk partitioning or disk slicing is the creation of one or more regions on secondary storage, so that each region can be managed separately. These regions are called partitions. It is typically the first step of preparing a newly installed disk, before any file system is created. The disk stores the information about the partitions' locations and sizes in an area known as the partition table that the operating system reads before any other part of the disk. Each partition then appears to the operating system as a distinct "logical" disk that uses part of the actual disk. System administrators use a program called a partition editor to create, resize, delete, and manipulate the partitions. Partitioning allows the use of different filesystems to be installed for different kinds of files. Separating user data from system data can prevent the system partition from becoming full and rendering the system unusable. Partitioning can also make backing up easier. A disadvantage is that it can be difficult to properly size partitions, resulting in having one partition with too much free space and another nearly totally allocated.

Boot sector Sector of a persistent data storage device

A boot sector is the sector of a persistent data storage device which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware.

CIH (computer virus) Windows 9x computer virus

CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows 9x computer virus which was coded with the creators first intitial and first emerged in 1998. Its payload is highly destructive to vulnerable systems, overwriting critical information on infected system drives, and in some cases destroying the system BIOS. The virus was created by Chen Ing-hau who was a student at Tatung University in Taiwan. Sixty million computers were believed to be infected by the virus internationally, resulting in an estimated US$1 billion in commercial damages.

SystemRescue

SystemRescue is a Linux distribution for x86 64 and x86 computers. The primary purpose of SystemRescue is to repair unbootable or otherwise damaged computer systems after a system crash. SystemRescue is not intended to be used as a permanent operating system. It runs from a Live CD, a USB flash drive or any type of hard drive. It was designed by a team led by François Dupoux, and is based on Arch Linux. Starting with version 6.0, it has systemd as its init system.

Data remanence is the residual representation of digital data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that does not remove data previously written to the media, or through physical properties of the storage media that allow previously written data to be recovered. Data remanence may make inadvertent disclosure of sensitive information possible should the storage media be released into an uncontrolled environment.

File deletion is the removal of a file from a computer's file system.

Disk encryption software is computer security software that protects the confidentiality of data stored on computer media by using disk encryption.

Ransomware Malicious software used in ransom demands

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies that are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

PGPCoder or GPCode is a trojan that encrypts files on the infected computer and then asks for a ransom in order to release these files, a type of behavior dubbed ransomware or cryptovirology.

In computing, data recovery is a process of salvaging inaccessible, lost, corrupted, damaged or formatted data from secondary storage, removable media or files, when the data stored in them cannot be accessed in a usual way. The data is most often salvaged from storage media such as internal or external hard disk drives (HDDs), solid-state drives (SSDs), USB flash drives, magnetic tapes, CDs, DVDs, RAID subsystems, and other electronic devices. Recovery may be required due to physical damage to the storage devices or logical damage to the file system that prevents it from being mounted by the host operating system (OS).

Cryptovirology is a field that studies how to use cryptography to design powerful malicious software. The field was born with the observation that public-key cryptography can be used to break the symmetry between what an antivirus analyst sees regarding malware and what the attacker sees. The antivirus analyst sees a public key contained in the malware, whereas the attacker sees the public key contained in the malware as well as the corresponding private key since the attacker created the key pair for the attack. The public key allows the malware to perform trapdoor one-way operations on the victim's computer that only the attacker can undo.

The startup process of Windows NT 6 differ from the startup process part of previous versions of Windows.

Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/SSD) vendors, including: ClevX, Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The symmetric encryption key is maintained independently from the computer's CPU, thus allowing the complete data store to be encrypted and removing computer memory as a potential attack vector.

Computer virus Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

CryptoLocker Malware

The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and it threatened to delete the private key if the deadline passes. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.

TeslaCrypt was a ransomware trojan. It is now defunct, and its master key was released by the developers.

Linux.Encoder is considered to be the first ransomware Trojan targeting computers running Linux. There are additional variants of this Trojan that target other Unix and Unix-like systems. Discovered on November 5, 2015, by Dr. Web, this malware affected at least tens of Linux users.

Locky

Locky is ransomware malware released in 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, they save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information. The Web site contain instructions that demand a payment of between 0.5 and 1 bitcoin. Since the criminals possess the private key and the remote servers are controlled by them, the victims are motivated to pay to decrypt their files.

References

  1. 1 2 "Threat Spotlight: Rombertik". Cisco Blogs. May 4, 2015.
  2. "Self-destructing virus kills off PCs". BBC News. May 5, 2015.
  3. "Partition Recovery Concepts". Active Data Recovery Software. Retrieved May 8, 2015.
  4. Lemos, Robert (June 13, 2008). "Ransomware resisting crypto cracking efforts". SecurityFocus.