
Rombertik Strike at MBR Latest in Long Line of Malware Self-Defense Tactics

Recently, researchers at Cisco Systems identified a new piece of malware armed with a sophisticated anti-debugging feature that attempts to overwrite the master boot record if the malware discovers it is being analyzed.

The malware, known as Rombertik, is the latest in a long line of examples of malware designed to make the lives of analysts and researchers harder. 

“It is very common for malware to contain anti-debug, anti-virtualization, and anti-analysis features,” said Christiaan Beek, director of threat intelligence for McAfee Labs, part of Intel Security. “Some of the more sophisticated attacks we’re seeing utilize payload delay timing, whereas the real payload isn’t dropped until the malware figures out it’s a real target and not some sandbox. Execution of the payload is delayed for a specified period of time to determine if the system it’s running on is a sandbox or a real machine.”

“An overall theme we’re seeing here is that most malware using such tactics is attempting to prevent getting blacklisted so it can infect and persist for a longer period of time,” he continued. “Threats like Rombertik, which perform obviously malicious behavior in the presence of a research environment, are less common.”

Rombertik is being spread through spam and phishing messages. According to Cisco, if executed, Rombertik will first stall, then run through a series of anti-analysis checks to see if it is running in a sandbox. Once these checks are complete, the malware will decrypt and install itself on the victim’s computer to maintain persistence.

“After installation, it will then launch a second copy of itself and overwrite the second copy with the malware’s core functionality,” blogged Cisco researchers Ben Baker and Alex Chiu. “Before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analyzed in memory. If this check fails, Rombertik will attempt to destroy the Master Boot Record (MBR) and restart the computer to render it unusable.”

This second anti-analysis function computes a 32-bit hash of a resource in memory and compares it to the PE compile timestamp of the unpacked sample. If the resource or the compile time has been changed, the malware will try to overwrite the Master Boot Record of PhysicalDisk0, making the computer inoperable. If the malware lacks the permissions to overwrite the MBR, it will instead destroy all files in the user’s home folder.

Rombertik also employs several layers of obfuscation, including the use of garbage code. According to Cisco, the unpacked Rombertik sample is 28KB while the packed version is 1264KB. More than 97 percent of the packed file is dedicated to making the file look legitimate by including 75 images and 8,000 functions that are never used, the researchers noted.

“A common technique to evade sandboxes is to sleep for extended lengths of time with the intention of forcing the sandbox to time out before the malware ‘wakes up’ and begins executing,” the researchers explained. “In response, sandboxes got better at detecting and responding when malware slept for extended periods of time. Rombertik employs a similar approach to delay execution, but does so without sleeping.”

Instead, they blogged, it writes a byte of random data to memory 960 million times to consume time. Sandboxes may not be able to immediately determine that the application is intentionally stalling since it is not sleeping. In addition, the repetitive writing would flood application tracing tools.

“If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes,” the Cisco researchers blogged. “Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis.”
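A tracer-side mitigation for the log flood described above, as an added example that is neither Cisco's analysis code nor anything from the malware: it run-length encodes consecutive identical writes so that a stalling loop collapses to a single record, and flags runs that exceed a threshold. The trace, the addresses and the threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Iterator, List

@dataclass(frozen=True)
class WriteEvent:
    """One memory-write record as a tracer would emit it."""
    ip: int    # address of the instruction that performed the write
    addr: int  # destination address
    size: int  # bytes written

@dataclass
class WriteRun:
    """Consecutive identical writes collapsed into a single record."""
    ip: int
    addr: int
    size: int
    count: int = 1

def collapse_writes(events: Iterable[WriteEvent]) -> List[WriteRun]:
    """Run-length encode the trace so a stalling loop costs one line, not millions."""
    runs: List[WriteRun] = []
    for ev in events:
        last = runs[-1] if runs else None
        if last is not None and (last.ip, last.addr, last.size) == (ev.ip, ev.addr, ev.size):
            last.count += 1
        else:
            runs.append(WriteRun(ev.ip, ev.addr, ev.size))
    return runs

def stall_runs(runs: List[WriteRun], threshold: int) -> List[WriteRun]:
    """Flag runs long enough to be a stalling loop rather than real work."""
    return [r for r in runs if r.count >= threshold]

def constructed_trace(loop_iterations: int) -> Iterator[WriteEvent]:
    """Constructed sample trace with hypothetical addresses: a few setup writes,
    a tight loop writing one byte to the same address, then two more writes."""
    for i in range(3):
        yield WriteEvent(0x401000 + 4 * i, 0x19FF00 + 4 * i, 4)
    for _ in range(loop_iterations):
        yield WriteEvent(0x401020, 0x19FF10, 1)
    for i in range(2):
        yield WriteEvent(0x401030 + 4 * i, 0x19FF20 + 4 * i, 4)

if __name__ == "__main__":
    runs = collapse_writes(constructed_trace(200_000))
    print(f"{len(runs)} runs in the collapsed log")
    for r in stall_runs(runs, threshold=100_000):
        print(f"stall loop at ip={r.ip:#x}: {r.count} x {r.size}-byte write to {r.addr:#x}")
```

The same collapsing works on a streamed trace, so the tracer never has to hold or write the individual records of a 960-million-iteration loop.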

According to Tom Kellermann, chief cybersecurity officer at Trend Micro, common sandbox evasion techniques include having the payload wait until mouse clicks are detected, virtual machine detection, and port binding.

Misdirection and dead code are common in malware, but typically not as elaborate as in Rombertik, said Tim Stiller, consultant with Rapid7’s analytic response team.

“What makes Rombertik really stand out is its destructive capability to overwrite the MBR or encrypt files if it detects any tampering has occurred,” he said. “Other malware families that use tampering detection normally just exit execution.”
