Wednesday, May 13, 2015

Reports of Rombertik have been (greatly) exaggerated [feedly]

Reports of Rombertik have been (greatly) exaggerated
// A Collection of Bromides on Infrastructure

News last week painted Rombertik as the newest "chicken little" security threat, by which I mean "the sky is falling!" By initial reports, Rombertik was a piece of malware so dangerous that it would destroy your computer if it was detected and would create log files for security analysts more than 100 Gb!

So, is the sky really falling?

Bromium had its suspicion that this super smart and destructive malware was a bit over-exaggerated. Although the initial research claims Rombertik is extremely well obfuscated and complex, our analysis did not find this to be true.

Case in point, by simply opening the malicious exe and dumping the whole image, we obtained the de-obfuscated image. We were able to verify this by comparing the number of strings (URLs, IAT, boot sector messages) to the original research. In our investigation, Bromium found that there were only 44 functions as opposed to the 8,000 described in the blog – and none of these functions seem particularly noteworthy.  The payload hooks WSASend in Chrome, HTTPSendRequest in IE and CreateFile in Firefox. What we witnessed were classic injects – all fairly simple stuff. Overall, it is just a simple web inject based stealer.


What of the reports that Rombertik is capable of modifying the Master Boot Record and encrypting files in the home folder?

Yes, Rombertik can infect your MBR as it was described in the original article but on a normal machine it won't happen. Why? Rombertik will only infect the MBR if either resource section was modified (it checks CRC32) or if the username contains as suspicious substring (such as "sandbox"). On a normal PC, this isn't going to happen.

So, no, the sky isn't falling. However, the significance of this malware lies with the attempt by the attacker to address and circumvent the latest security defenses. It appears as if this is just the latest salvo in the never ending battle of attackers finding ways of avoiding the defenders detection efforts. Seems like a good time think about adopting a new approach, isolation, to change the game and quit playing by the attackers rules.


Shared via my feedly reader

Sent from my iPhone

No comments:

Post a Comment