Cisco Systems' Talos Group said the Rombertik code is complex that indiscriminately collects everything a user does on the Web, presumably to obtain login credentials and other sensitive data.
It can be installed by clicking on malicious e-mail attachments. Talos researchers reverse engineered the software and found that behind the scenes Rombertik takes a variety of steps to evade analysis.
It contains multiple levels of obfuscation and anti-analysis functions that make it hard for outsiders to peer into its inner workings. But if main yfoye.exe component detects the malware is under the microscope of a security researcher or rival malware writer, Rombertik will self-destruct, taking along with it the contents of a victim's hard drive.
In a blog post published, Talos researchers Ben Baker and Alex Chiu said:
Once the unpacked version of Rombertik within the second copy of yfoye.exe begins executing, one last anti-analysis function is run — which turns out to be particularly nasty if the check fails. The function computes a 32-bit hash of a resource in memory, and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable. If the malware does not have permissions to overwrite the MBR, it will instead destroy all files in the user's home folder (e.g. C:\Documents and Settings\Administrator\) by encrypting each file with a randomly generated RC4 key. After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted.
The Master Boot Record starts with code that is executed before the Operating System. The overwritten MBR contains code to print out "Carbon crack attempt, failed", then enters an infinite loop preventing the system from continuing to boot.
Talos has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis.
Rombertik also uses a variety of less destructive ways to keep its inner workings secret.
To evade sandbox tools that allow malware to run in a carefully controlled laboratory environment, the malware writes a byte of random data to memory 960 million times. The delay trips up the sandbox tool. Random writing to memory thwarts analysis tools that attempt to document the precise malware behaviours.
