
Cisco Systems' anti-virus SWAT team, Talos, has issued a warning about a new malware threat that takes a scorched-earth policy to its key-logging activities. The malware has been codenamed Rombertik. Like most modern malware, Rombertik runs several checks that it uses to evade detection. In attempting to reverse engineer the malware through a 'sandbox approach,' wherein the malware was activated in a quarantined and instrumented environment, the Talos team discovered that the virus wrote a random byte of data over 960 million times, thereby stalling its execution while confounding the detector: sandboxes watch for the sleep calls that regular malware uses to wait out analysis, and this sample never actually sleeps. This was but one of the innovative evasive techniques discovered before the researchers triggered its 'nuclear option.' Beyond the junk-code technique, researchers discovered unpacking code so sophisticated and complex that they describe it as both 'monstrous' and 'nightmarish.'

[Image: control-flows-wm] The left represents the complexity of the unpacking functions, while the right shows the anti-analysis checks (grey) that must be satisfied before the executable function (red).

In the process of reverse engineering Rombertik, Talos discovered multiple layers of obfuscation and anti-analysis functionality. This functionality was designed to evade both static and dynamic analysis tools and to make debugging difficult. If the sample detected it was being analyzed or debugged, it would ultimately destroy the master boot record (MBR).

At the moment the malicious software seems to be distributed through an email attachment that masquerades as a .pdf but is actually a .scr, a Windows screensaver file, which is an executable. As explained by Daily Tech, screensaver files are becoming "increasingly popular exploit vector(s)… as they are allowed to execute shell script code."
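The delivery trick described above, a .scr executable dressed up as a .pdf, is something a mail gateway or an incident responder can check for mechanically. The following is an added example, not code from the TechRaptor article or from Cisco Talos: it triages an attachment by its claimed extension, by double extensions such as invoice.pdf.scr (Windows hides known extensions by default, so that name displays as "invoice.pdf"), and by comparing the extension against the file's leading bytes. The sample file names and byte strings are constructed for the demonstration.

```python
"""Attachment triage: flag executables that masquerade as documents.

Added example; not from the article or from Talos. The extension lists and
sample inputs below are constructed for illustration.
"""
import os

# Extensions that Windows treats as directly executable. The article's .scr
# (screensaver) is one of them: a .scr is an ordinary PE executable.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Document-looking extensions an attacker might place *before* the real one.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

PDF_MAGIC = b"%PDF-"   # every real PDF starts with this header
PE_MAGIC = b"MZ"       # every Windows PE executable (.exe, .scr, ...) starts with this


def triage_attachment(filename, head):
    """Return the list of reasons to quarantine the attachment.

    `filename` is the attachment name as sent; `head` is the first few bytes
    of its content. An empty list means these checks found nothing.
    """
    reasons = []
    name = filename.lower()
    base, ext = os.path.splitext(name)        # "invoice.pdf.scr" -> ("invoice.pdf", ".scr")
    _, inner_ext = os.path.splitext(base)     # "invoice.pdf"     -> ".pdf"

    # 1. The real extension is an executable type, whatever it looks like.
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")

    # 2. A document extension hidden in front of the real one (name.pdf.scr).
    if inner_ext in DOCUMENT_EXTENSIONS and inner_ext != ext:
        reasons.append(f"double extension {inner_ext}{ext}")

    # 3. The content is a PE executable but the name claims otherwise.
    if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"PE executable disguised as {ext or '(no extension)'}")

    # 4. The name claims PDF but the bytes do not carry a PDF header.
    if ext == ".pdf" and not head.startswith(PDF_MAGIC):
        reasons.append("claims .pdf but lacks %PDF- header")

    return reasons


# Constructed samples: a genuine PDF, the article's pdf-that-is-really-scr,
# a PE renamed to .pdf outright, and a plain executable.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("invoice.pdf.scr", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    for fname, head in SAMPLES:
        verdict = triage_attachment(fname, head)
        print(f"{fname:18} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Only a few bytes of content are needed for the magic check, so this runs cheaply on every attachment; blocking on rule 1 alone already covers the .scr case in the article, and rules 3 and 4 catch a renamed executable even when the extension looks harmless.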

The warning comes after a year in which ransomware, another particularly vicious kind of malware, was thrust into the public consciousness. Whereas Rombertik is simply looking to steal passwords and credit card info, ransomware or cryptolocking viruses demand a direct payment from the victim in order to regain access to their files. PC World has an excellent guide to identifying and dealing with various kinds of ransomware viruses.

Stay safe folks, and for the love of God, don’t open that e-mail attachment if you don’t know what it is!


Jose Alvarado

Jose is a fan of all things horror and sci-fi related. He's played Sonic The Hedgehog 2 more than any other game in existence, but has never managed to collect all the chaos emeralds.



  • Audie Bakerson

    PDF related?

    Between Flash, the countless PDF exploits and more, I seriously suspect Adobe is responsible for more computer infections than anything else combined.

  • jimkatai

    That is just a false prefix because .pdf’s are popular attachments. They could just as easily send the attachment as filename.doc.scr as they could filename.pdf.scr. The software fault here is with the permissions given to scr files, not pdf files.

  • Can it take out GPT?

  • David Kapostasy

    Screensavers are still a thing?

  • Cytos Lpagtr

    Wouldn't this just be stopped by any antivirus/firewall when you get that file as an attachment and try to open it?

  • PossiblyCthulhu

    Surely the easiest thing is for MS to just change the execution privileges of screensavers. That may be oversimplifying it, but why does a screen saver of all things need shell access when we have plenty of other systems that for years have used sandboxes to secure code from access to the system?

  • True, but Flash and Adobe in general have been the subject of some VERY big holes. They may not be the worst offender, but they are close when it comes to severity of their vulnerabilities.

  • jimkatai

    Oh, definitely. I might even lump them in as the worst offender, given their lackadaisical attitude on fixing their problems. Microsoft has their issues, but it isn’t because of lack of effort in securing their product. Adobe, though, just doesn’t seem to care about all the security exploits they cause.

    Anyways, I just wanted to point out that it isn’t the case here. It’s important that we assess *why* these are security flaws and not just assign them by reputation, otherwise we leave ourselves vulnerable to those who simply haven’t exposed their true character yet.

  • Ben Jeanotte

    Very interesting, thanks for the update. Hopefully this is not an attachment my mom tries to open!

  • jonas nielsen

    Ahhh come on TechRaptor, you’re too good for a headline like that

    It doesn't destroy your HDD, it destroys the MBR, meaning you'll have to wipe and reinstall.

    https://nakedsecurity.sophos.com/2015/05/06/can-the-rombertik-malware-really-destroy-computers-no-no-three-times-no/

  • DoombotBL

    Not to mention Flash crashing frequently, seems like they’ve been sitting on their laurels.

  • In the grand scheme of things, I don’t accuse Microsoft of not caring though. You’re right. The bloody Adobe folks don’t give two shits.