Security researchers have discovered a new strain of spyware, dubbed Rombertik, that logs keystrokes and steals data. The malware also has wiper capabilities and could be used in targeted attacks: if it detects that it is being analyzed, the binary destroys the system. This appears to be a case of attackers trying to dissuade researchers from obtaining and dissecting a sample.

Rombertik has a number of unusual and complex features, most of which are designed to evade detection and analysis. For example, once the malicious executable is launched from a phishing or spam message, the analyst is confronted with volumes of garbage code that would have to be examined (1264Kb that includes 75 images and 8,000 functions that are never used).

Like many other pieces of malware, this one also contains capabilities to detect and evade sandboxes. Unlike others that sleep for a predetermined period of time before executing, Rombertik writes a byte of random data to memory 960 million times. Sandboxes cannot differentiate this stall tactic from normal behavior, and if every one of those writes is logged, the log would exceed 100Gb and take a half-hour to write to the hard drive.
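The stall tactic described above works against a sandbox that records every memory write as a separate log entry. The following is an added example, not Rombertik's code and not any particular sandbox's implementation, of the defender-side idea of run-length collapsing a behavioural trace so that hundreds of millions of identical events become a single counted entry, which both keeps the log small and makes the loop itself visible as an anomaly. The trace events, the per-entry size of 112 bytes and the repeat threshold are constructed assumptions for illustration.

```python
"""Added example: collapsing a repetitive sandbox trace into counted runs.

Not Rombertik's code and not a real sandbox's logger; the event strings,
the assumed 112-byte raw entry size and the thresholds are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, List

# Assumed size of one uncompressed trace line on disk (constructed value).
BYTES_PER_RAW_ENTRY = 112


@dataclass
class TraceRun:
    """One run of consecutive identical events and how often it repeated."""
    event: str
    count: int


def collapse_trace(events: Iterable[str]) -> Iterator[TraceRun]:
    """Run-length encode consecutive identical events.

    A loop that performs the same one-byte write 960 million times becomes
    a single TraceRun with count == 960_000_000 instead of 960 million lines.
    """
    current = None
    count = 0
    for ev in events:
        if ev == current:
            count += 1
        else:
            if current is not None:
                yield TraceRun(current, count)
            current, count = ev, 1
    if current is not None:
        yield TraceRun(current, count)


def raw_log_size_bytes(total_events: int,
                       bytes_per_entry: int = BYTES_PER_RAW_ENTRY) -> int:
    """Size a naive one-line-per-event log would reach for total_events."""
    return total_events * bytes_per_entry


def stall_candidates(runs: Iterable[TraceRun],
                     min_repeats: int = 1_000_000) -> List[TraceRun]:
    """Flag runs long enough to look like a stalling loop, not normal activity."""
    return [r for r in runs if r.count >= min_repeats]


def simulated_trace(n_writes: int) -> Iterator[str]:
    """Constructed trace: a little setup, n identical byte writes, then network."""
    yield "CreateFileW C:\\temp\\cfg"
    yield "ReadFile 0x1000 bytes"
    for _ in range(n_writes):
        yield "WriteMemory 1 byte @ 0x00402000"
    yield "InternetOpenA"


if __name__ == "__main__":
    # Use a small loop so the demonstration runs in a moment; the collapsed
    # output has the same shape regardless of how many times the write repeats.
    runs = list(collapse_trace(simulated_trace(5_000)))
    for r in runs:
        print(f"{r.count:>10}x {r.event}")
    gib = raw_log_size_bytes(960_000_000) / 2**30
    print(f"naive log for 960M entries: {gib:.1f} GiB; collapsed: {len(runs)} runs")
    print("stall candidates:", stall_candidates(runs, min_repeats=4_000))
```

The collapsed form keeps the analyst's view intact (every distinct action still appears once, in order) while the repeat count becomes a feature a sandbox can act on: a run in the millions is itself a signal worth surfacing rather than a reason to run out of disk.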
IT Security News
The information provided herein is on "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street