Rombertik
Rombertik is spyware designed to steal confidential information from targets using Internet Explorer, Firefox, or Chrome running on Windows computers.[1] It was first publicized by researchers at Cisco Talos Security and Intelligence Group.
Operation
Rombertik employs several techniques to make analyzing or reverse-engineering it difficult. Over 97% of the file is unnecessary code or data meant to overwhelm analysts. It loops through code hundreds of millions of times to delay execution, and checks for file names and user names used by Malware Analysis Sandboxes.
If Rombertik detects a modification in the compile time or binary resource in memory, it attempts to overwrite the Master Boot Record (MBR) on the primary hard drive.[2] The MBR contains code necessary to boot the Operating System, as well as information about where partitions are stored on the hard drive. Though the user's data remains on the hard drive, the Operating System is unable to access it without the MBR. In some cases, it may be possible to recover data from a hard drive with a modified MBR.[3]
If the malware does not have the necessary permissions to overwrite the MBR, it instead encrypts each file in the victim's home directory. This directory encryption technique is similar to ransomware, but Rombertik does not attempt to extort money from its victims. Files encrypted with a strong key can be nearly impossible to recover.[4]
Promoted via spam and phishing emails,[5] once Rombertik is installed, it injects code into running processes of Internet Explorer, Firefox, and Chrome. The injected code intercepts web data before it is encrypted by the browser, and forwards it to a remote server.[1]
References
- "Threat Spotlight: Rombertik". Cisco Blogs. May 4, 2015.
- "Self-destructing virus kills off PCs". BBC News. May 5, 2015.
- "Partition Recovery Concepts". Active Data Recovery Software. Retrieved May 8, 2015.
- Lemos, Robert (June 13, 2008). "Ransomware resisting crypto cracking efforts". SecurityFocus.
- "How to Remove Rombertik Malware". Wenzler Neo. Retrieved May 11, 2015.>