
Rombertik

Posted: May 8, 2015

Threat Metric

Threat Level: 9/10
Infected PCs: 82
First Seen: May 11, 2015
OS(es) Affected: Windows

Rombertik is spyware that uses conventional methods of passively capturing Web browser data, such as the passwords for your online accounts. Apart from its primary payload, Rombertik also includes a variety of unusually sophisticated defenses against analysis by PC security researchers, including some functions that, in theory, may wipe your hard drive. Despite Rombertik's potentially destructive behavior, malware experts continue to recommend preventative security steps to block this spyware's distribution. Standard anti-malware products should still be capable of removing Rombertik if that becomes necessary.

The Trojan Protecting Itself So You Can't Protect Your PC

Rombertik was uncovered recently by a research group affiliated with Cisco Systems. Its e-mail phishing campaign relied on the victim downloading disguised, threatening file attachments, which installed Rombertik. Before launching its main attacks, however, Rombertik goes through a variety of self-defensive steps, many of which are of particular concern to malware analysts.

First, Rombertik writes random bytes to memory, in an apparent attempt to flood any analysis tools that may be monitoring it with garbage log output. Rombertik also makes several intentionally invalid function calls, seemingly in an attempt to detect virtual machine or sandbox environments. If Rombertik detects a virtual machine, it attempts to overwrite the hard drive's Master Boot Record, which may permanently damage your operating system. If that attack fails, Rombertik includes a backup attack that may encrypt the files in your Documents and Settings folder (although Rombertik does not attempt to ransom them). Malware experts also found additional junk data in Rombertik's code that serves as further 'false leads' to mislead analysis tools.
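The three anti-analysis behaviors described above (log flooding, invalid calls as a sandbox probe, and a raw write to the boot sector) are exactly what a sandbox operator wants their trace post-processing to survive and flag. The following is an added example written for this entry; it is not code from the page or from the Cisco researchers. It assumes a simple line-based API trace format, a constructed sample trace, and a flood threshold of 500 identical consecutive calls; the API names and status codes in the sample are illustrative choices, not indicators taken from the malware.

```python
"""
Sandbox-trace triage helper (added example, not the page's or Cisco's code).
It collapses runs of identical API calls so a memory-write flood cannot bloat
the report, then raises three indicators: a call flood, API calls that fail
with invalid-parameter style errors (used as a sandbox probe), and a write
handle opened on the raw physical disk (boot-sector tampering).
The trace format "<seq> <api> <args> -> <status>" is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from itertools import groupby
import re

# Constructed sample trace: 1000 identical memory writes, two invalid calls,
# then a write handle on the raw disk. Not captured from a real sample.
SAMPLE_TRACE = (
    ["%d WriteProcessMemory dst=0x00400000 len=1 -> 0" % i for i in range(1, 1001)]
    + [
        "1001 ZwOpenKey handle=0xFFFFFFFF -> STATUS_INVALID_PARAMETER",
        "1002 ZwQueryValueKey handle=0x0 -> STATUS_INVALID_HANDLE",
        "1003 CreateFileW path=\\\\.\\PhysicalDrive0 access=GENERIC_WRITE -> 0",
        "1004 WriteFile handle=0x44 offset=0 len=512 -> 0",
    ]
)

FLOOD_THRESHOLD = 500  # assumed: this many identical calls in a row is a flood
INVALID_STATUSES = {"STATUS_INVALID_PARAMETER", "STATUS_INVALID_HANDLE"}
LINE_RE = re.compile(r"^(\d+) (\w+) (.*) -> (\S+)$")


@dataclass
class TraceEvent:
    api: str
    args: str
    status: str


def parse_trace(lines):
    """Parse trace lines into events; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(TraceEvent(m.group(2), m.group(3), m.group(4)))
    return events


def collapse_runs(events):
    """Collapse consecutive identical (api, args, status) events into (key, count)."""
    return [
        (key, sum(1 for _ in run))
        for key, run in groupby(events, key=lambda e: (e.api, e.args, e.status))
    ]


def triage(lines):
    """Return event counts before/after collapsing plus a list of indicator strings."""
    events = parse_trace(lines)
    collapsed = collapse_runs(events)
    indicators = []

    # 1. Log flooding: one call repeated far more than any real program needs.
    for (api, _args, _status), count in collapsed:
        if count >= FLOOD_THRESHOLD:
            indicators.append(f"log-flood: {api} repeated {count}x")

    # 2. Invalid calls: deliberately bad arguments used to see how the
    #    environment (real OS vs. emulated API layer) responds.
    invalid = Counter(e.api for e in events if e.status in INVALID_STATUSES)
    if invalid:
        indicators.append(
            "invalid-calls: " + ", ".join(f"{k}={v}" for k, v in sorted(invalid.items()))
        )

    # 3. Raw disk write handle: the precondition for overwriting the MBR.
    for e in events:
        if e.api == "CreateFileW" and "PhysicalDrive" in e.args and "GENERIC_WRITE" in e.args:
            indicators.append("raw-disk-write: " + e.args)

    return {
        "raw_events": len(events),
        "collapsed_events": len(collapsed),
        "indicators": indicators,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_TRACE)["indicators"]:
        print(line)
```

Collapsing runs before reporting is the design point: a sample that performs hundreds of millions of identical writes should produce one summarized trace line, not a multi-gigabyte log, and the size of the collapsed run is itself the evasion indicator.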

If none of these checks detects an analysis environment, Rombertik finally unpacks its primary executable and launches its spyware payload. Malware experts found this payload to consist of typical form-grabbing attacks that collect information from your browser as you type it. The attacks target data before it is sent over the Internet (and before it is protected by a website's encryption). Passwords, account usernames, and credit card numbers are some examples of data that Rombertik may collect without any visible symptoms.

Stopping the Rombertik Ticking Bomb

The complexity of Rombertik's defenses makes Rombertik exceptionally difficult to analyze or detect. If you need to use anti-malware tools to detect a potential Rombertik infection, all relevant software should be updated with the latest threat databases available. System recovery from a Rombertik hard-drive-wiping attack may be extremely difficult, if not impossible, so preemptive security that blocks an infection is highly encouraged, even more than for most spyware. PC users are advised to watch for attacks originating from e-mail file attachments and other common infection vectors that should be detectable by your security solutions.
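Because recovery after a Master Boot Record overwrite is so difficult, one preemptive step a defender can take is to fingerprint the known-good MBR and verify it from a rescue environment or against a disk image. The following is an added example, not code from the page or from the researchers who analyzed Rombertik; it parses a 512-byte MBR image, sanity-checks the partition table and boot signature, and compares the boot code against a saved baseline hash. The sample MBR is constructed in code, and the layout constants are the standard legacy MBR layout.

```python
"""
MBR integrity checker (added example, not the page's code).
Parses a 512-byte legacy MBR image: 446 bytes of boot code, four 16-byte
partition entries, and the 0x55AA boot signature. Reports structural
problems and, optionally, drift of the boot code from a saved baseline.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed known-good MBR: dummy boot code plus one bootable NTFS partition."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (BOOT_CODE_LEN - 3)
    part1 = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    return boot_code + part1 + empty * 3 + SIGNATURE


def parse_partitions(mbr):
    """Return the four partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return entries


def bootcode_fingerprint(mbr):
    """SHA-256 of the boot-code region; save this while the system is known-good."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_bootcode_sha256=None):
    """Return a list of findings; an empty list means the MBR looks intact."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["wrong size"]
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA signature")

    parts = parse_partitions(mbr)
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("invalid status byte in partition table")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("multiple bootable partitions")
    used = [p for p in parts if p["type"] != 0]
    if not used:
        findings.append("no partitions defined")

    # Overlapping LBA ranges are a common sign of a garbage partition table.
    ranges = sorted((p["lba"], p["lba"] + p["count"]) for p in used)
    for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append("overlapping partitions")
            break

    if baseline_bootcode_sha256 is not None and bootcode_fingerprint(mbr) != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = bootcode_fingerprint(good)
    print("known-good:", check_mbr(good, baseline))
    # Constructed stand-in for an overwritten sector: 512 bytes of counting garbage.
    print("overwritten:", check_mbr(bytes(range(256)) * 2, baseline))
```

In practice the 512 bytes come from the first sector of the disk (for example a forensic image, or the raw device read from a rescue environment with administrative rights), and the baseline hash is recorded while the machine is known to be clean; the check then answers whether the boot code was replaced and whether the partition table still describes a plausible disk.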

Rombertik's campaign also carries an incidental lesson. While some PC users may prefer to use sandboxes and virtual machines to protect their systems from threats, malware like Rombertik is capable of detecting those defenses in turn. Keeping up-to-date, multilayered security in place is, as always, safer for your computer than assuming that a single strategy will defeat all forms of threatening software.
