Developers of Rombertik Stopping Its Illegal Use - Symantec

Earlier this month, Cisco reported that the Rombertik malware tries to destroy the master boot record (MBR) of infected devices to stop researchers from examining the threat. However, Symantec says that the feature is designed to stop the usage of Trojan illegally.

Symantec says that Rombertik is a new type of Trojan which is called Carbon Grabber (Infostealer.Retgate). This malware enables cybercriminals to steal information and gives them access to infected devices through backdoor.

The malware has many mechanisms of anti-analysis designed to stop researchers from running it in a sandbox but if someone tries to fiddle with it, the malware tries to overwrite the MBR of the device while encrypting files. However, Symantec believes that this damaging payload is not actually meant for researchers of the security firm.

Researchers believe that the feature is actually a trap for those who might try to use and adjust the malware without any authorization. When cybercriminals buy Rombertik from its author, they receive a copy which converses with their server of command and control (C&C) only and the address of the C&C implanted in the binary code.

For any new cybercriminals, who have succeeded in getting a copy of the malware and would like to use it without paying, they could identify C&C address with only some basic skills and try to change it to point to another selected address by only hacking the binary file itself.

However, if they were fool enough to do this, they would activate the damaging protection mechanism unknowingly. This is, may be, to project punishment for attempting to sabotage the malware.

Net-security.org published news on 18th May, 2015 quoting Dumitru Stama, a Researcher with Symantec, as saying: "It is exciting to find that this mechanism of protection can be ignored because of execution of error made by the developer of the malware".

Net-security.org published news on 18th May, 2015 stating that Raul Alvarez, a Researcher with Fortinet, also revealed that MBR wipe routine of Rombertik will not work on new versions of Windows because it does not have sufficient approval to do it.

However, it will attempt to overwrite files in the computer but will avoid files with following extensions: .exe,.dll, .drv. and .vxd.

» SPAMfighter News - 5/27/2015