The Cisco Threat Blog recently published information on the Rombertik malware, which takes a fair number of steps to evade sandboxes (not exactly rocket science) but goes even further to disrupt reverse engineering and analysis by malware experts. Fundamentally, the Rombertik malware follows the well-trodden exploitation life cycle:
- Find a site that's running vulnerable services (WordPress, Drupal, etc.)
- Hack that site to serve up malware
- Send phishing emails to unsuspecting users, tricking them into clicking on links
- Install a keylogger in the browser to gather up credentials
It’s a scenario that we’ve seen time and time again – none of the existing security solutions has been able to protect enterprise users from malware infection. We’ve thrown signatures, sandboxes, big data, analytics and numerous other seemingly innovative security technologies at it, and yet nothing works. In the State of the Web 2015: Vulnerability Report we published last month, we found that 1 in 3 websites out there pose some sort of risk to the user: either they are already compromised, or they are running vulnerable software ready to be pwned.
The part that's new about the Rombertik malware is the sandbox-evasion, anti-debugging and anti-analysis mechanisms that are built into it. Here are some noteworthy features of this self-aware malware:
- 8,000 useless, unused functions making up 97% of the packed binary
- A bogus data generator intended to overwhelm analysis tools
- Multiple ways to detect a sandbox and exit early
- Really complex overlapping function calls (ginormous cyclomatic complexity)
- A self-destruct mechanism that renders the machine useless by wiping out the disk's Master Boot Record
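The "bogus data generator" item above is aimed at the analyst's tooling rather than at the user: a trace that records every API call verbatim is easy to bury under millions of identical junk events. The example below is added here to show how a behaviour-trace recorder can be made resistant to that trick; it is not code from Cisco's write-up or from the malware. It run-length-collapses consecutive duplicate events and caps how many separate positional entries any one event may occupy, so repeated noise shrinks to a count while the rare, interesting calls stay visible. The trace lines are constructed sample data, not a real Rombertik trace.

```python
# Collapse a noisy behaviour trace so junk-event floods cannot drown the
# calls an analyst actually cares about. Added illustration, not the
# original page's or any vendor's code; the trace format is invented here.

def collapse_trace(lines, per_event_cap=3):
    """Return (summary, total) where summary is a list of (event, count)
    pairs in first-seen order and total is the number of non-blank lines.

    Consecutive duplicates are merged into one entry. Each distinct event
    may occupy at most per_event_cap separate entries; once that budget is
    spent, further occurrences only increment its most recent entry, so an
    alternating noise pattern (A B A B ...) cannot grow the summary either.
    """
    kept = []          # list of [event, count], in first-seen order
    entries_used = {}  # event -> number of positional entries it occupies
    last_index = {}    # event -> index in `kept` of its most recent entry
    total = 0
    for line in lines:
        event = line.strip()
        if not event:
            continue
        total += 1
        if kept and kept[-1][0] == event:
            kept[-1][1] += 1           # run-length merge of a repeat
            continue
        if entries_used.get(event, 0) < per_event_cap:
            kept.append([event, 1])    # new positional entry for this event
            entries_used[event] = entries_used.get(event, 0) + 1
            last_index[event] = len(kept) - 1
        else:
            kept[last_index[event]][1] += 1  # budget spent: fold into last entry
    return [(e, c) for e, c in kept], total


def noise_ratio(summary, total):
    """Fraction of trace lines absorbed into collapsed entries (0.0 - 1.0)."""
    if total == 0:
        return 0.0
    return 1.0 - len(summary) / total


# Constructed sample trace: a handful of meaningful calls surrounded by
# floods of a junk write. Names and paths are placeholders, not real IoCs.
JUNK = "WriteProcessMemory <constructed junk buffer>"
SAMPLE_TRACE = (
    ["CreateFileW <placeholder dropped-copy path>",
     "RegSetValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"]
    + [JUNK] * 500
    + ["IsDebuggerPresent"]
    + [JUNK] * 200
    + ["CreateProcessW <placeholder browser path>"]
)


def summarize_sample():
    """Collapse SAMPLE_TRACE and return (summary, total, noise_ratio)."""
    summary, total = collapse_trace(SAMPLE_TRACE)
    return summary, total, noise_ratio(summary, total)


if __name__ == "__main__":
    summary, total, ratio = summarize_sample()
    print(f"{total} raw lines -> {len(summary)} entries "
          f"({ratio:.1%} of lines were repeats)")
    for event, count in summary:
        print(f"{count:6d}  {event}")
```

In a real analysis pipeline the same idea applies to memory-write or debug-output logging: keep the first few instances of a pattern, count the rest, and never let an unbounded stream of identical records decide how much the analyst has to read.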
Stepping back, we’ve been down this road of "one-upping" the malware for two decades now. But all we have as an industry is a dozen variations of obsolete anti-virus technologies that fundamentally either don’t work or have such a short shelf life that they are deemed useless. We really need to be thinking about ways of eliminating malware that don’t involve keeping up with the latest trends – something more definitive that just takes the problem off the table.