If you haven’t heard of Rombertik, you probably had a nice vacation somewhere. A few weeks ago, Rombertik made its rounds in the news everywhere. Lots of articles and blogs were written about it, so out of curiosity, I had a look into it myself.
I got a sample from our database, where Rombertik has been detected as W32/DarkKomet.ENHT!tr.bdr since January of this year. Most of the time, whenever we get a new sample, it is renamed according to some patterns and rules. This matters here, because the malware checks whether its own file name contains any of the strings “malwar”, “file.”, “sandb”, “viru” or “sampl”. If any of them is found, Rombertik skips its malicious activities and terminates. The same check is applied to the full path it is running from: if the pathname contains any of those strings, it also exits.
It is one of the malware’s ways of dodging analysis: a sample that an analyst has renamed “malware.exe” or dropped into a folder called “samples” never shows its payload. Figure 1 shows the checking of the strings.
Based on some reports, Rombertik wipes your computer’s MBR (Master Boot Record) once it detects that you are analyzing it. I tried to run the sample within the debugger and nothing happened. I could still reboot. I tried to run it by itself. Nothing happened. I could still reboot. That led me to dig deeper into the code to find out why it wasn’t behaving as destructively as expected.
I encountered some bugs along the way, and I had to brute-force my way through the malware’s code to find the MBR wipe functionality. Finally, I found it, and it really does overwrite your MBR. Figure 2 shows the part where it prepares your MBR to be overwritten.
The good news? On newer versions of Windows, the MBR wipe routine fails: the malware does not have enough permission to write to the raw disk. The caveat is that this only protects you while the sample runs as a standard user. A copy launched with administrative rights (for example, by an analyst who clicks through the UAC prompt) is not stopped by it, so detonate Rombertik only on a machine or VM snapshot you are prepared to lose.
The bad news is for anyone still stuck on Windows XP, or still wondering whether it is time to upgrade. My two cents: do it now. The threat is real, so don’t waste any more time. Update your Windows now, if not for Rombertik, then for all of the other malware to which Windows XP is vulnerable.
If the MBR wipe is not successful, Rombertik falls back to overwriting files on your computer. It skips files with the extensions “dll”, “exe”, “vxd” and “drv”, apparently to keep the system functional, which is odd given that its first intention was to overwrite your MBR and render the system non-functional.
It also appears that this routine has some sort of bug, because it does not overwrite every file outside that extension list. Figure 3 shows the checking of the extension names to be skipped.
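The two string filters described in this post (the anti-analysis check on the sample’s own name and path from the beginning, and the extension skip list of the file-overwrite routine) are reimplemented below as an added example in Python. This is not Rombertik’s code and nothing here was extracted from the sample; it is a triage helper that tells you whether a given sample location would trip the evasion check and which files the overwrite routine would touch. The path lists are constructed for illustration, and case-insensitive matching is an assumption, since the post only lists the strings in lowercase and does not say how the comparison is done.

```python
"""Emulation of Rombertik's two string filters as described in the post.

Added example, not the malware's own code. Assumption: comparisons are
case-insensitive (the post lists the strings in lowercase only).
"""
import ntpath

# Substrings that make the sample terminate when found in its own
# file name or in the full path it runs from.
EVASION_STRINGS = ("malwar", "file.", "sandb", "viru", "sampl")

# Extensions the file-overwrite routine leaves alone.
SKIPPED_EXTENSIONS = {"dll", "exe", "vxd", "drv"}


def evasion_triggers(sample_path):
    """Return the evasion strings present in the sample's name or path.

    The post describes two checks (file name, then full path); both are
    applied here, although the path check subsumes the name check.
    """
    name = ntpath.basename(sample_path).lower()   # ASSUMPTION: case-insensitive
    full = sample_path.lower()
    return [s for s in EVASION_STRINGS if s in name or s in full]


def would_terminate(sample_path):
    """True if Rombertik would bail out instead of running its payload."""
    return bool(evasion_triggers(sample_path))


def is_overwrite_target(victim_path):
    """True if the overwrite routine would touch this file (ext not skipped)."""
    ext = ntpath.splitext(victim_path)[1].lstrip(".").lower()
    return ext not in SKIPPED_EXTENSIONS


def triage(sample_path, victim_files):
    """Summarise what the sample would do from a given location.

    Returns a dict: whether the payload runs, which evasion strings fired,
    and which victim files would be overwritten or skipped.
    """
    hits = evasion_triggers(sample_path)
    if hits:
        return {"runs": False, "triggers": hits, "targets": [], "skipped": []}
    targets = [p for p in victim_files if is_overwrite_target(p)]
    skipped = [p for p in victim_files if not is_overwrite_target(p)]
    return {"runs": True, "triggers": [], "targets": targets, "skipped": skipped}


# Constructed sample locations: typical analyst naming versus a victim path.
SAMPLE_PATHS = [
    r"C:\Samples\malware_01.exe",          # "sampl" and "malwar" both fire
    r"C:\sandbox\a.exe",                    # folder name fires "sandb"
    r"D:\work\file.exe",                    # "file." fires
    r"C:\Users\bob\Downloads\invoice.exe",  # nothing fires: payload runs
]

# Constructed victim file list used to show the skip list in action.
VICTIM_FILES = [
    r"C:\Users\bob\Documents\report.docx",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\App\app.exe",
    r"C:\Users\bob\notes.txt",
    r"C:\Windows\System32\drivers\acpi.sys",  # .sys is NOT on the skip list
    r"C:\Users\bob\README",                   # no extension: not skipped
]

if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        result = triage(sample, VICTIM_FILES)
        if result["runs"]:
            print(f"{sample}: payload runs; would overwrite "
                  f"{len(result['targets'])} files, skip {len(result['skipped'])}")
            for p in result["targets"]:
                print("    overwrite", p)
        else:
            print(f"{sample}: terminates early, triggered by {result['triggers']}")
```

Run it as a script to see which of the constructed sample locations would cause an early exit; the practical lesson is that the sample must be copied under a neutral name to a neutral directory before detonation, or you will never reach the wiper code at all. Note that the post reports the overwrite routine also misses some files that are not on the skip list; that bug is not modelled here, so the "targets" list is an upper bound.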
I will say it again – the threat is real, don’t waste any more time. Update your version of Windows now. And of course, always keep your system up-to-date, and make sure that you have updated antivirus and other security software and hardware on your network. Curiosity always kills the cat, but it looks like Rombertik only kills Windows XP.