Cisco has disclosed a new piece of malware, named Rombertik, built to hide itself, and possibly other malware, from anyone looking for it. Was Rombertik designed to conceal other malware? In the post-Edward Snowden era, after the disclosure of a string of malware and security flaws, Heartbleed among them (an OpenSSL bug rather than malware, but one that prompted audits for weaknesses that might have been introduced deliberately for government mass-surveillance programs), a sample that conceals itself when it is searched for, and can conceal other malware, inevitably raises the suspicion that it was built with a particular target in mind.
Was Rombertik Designed to Conceal Other Malware? What Are the "Features" of Rombertik?
The malware can work out whether a security scanner is examining it and act accordingly, up to rendering the machine's storage unusable. The name Rombertik was given to it by Cisco's Talos research group.
The techniques it uses are genuinely inventive and defeat several of the security tools in common use. First, finding Rombertik is hard: only about 3% of the unpacked file is code that does the malicious work, while the remaining 97% is padding made of functions that are never called and embedded images, so scanners have a lot of harmless noise to wade through. To slow dynamic analysis further, the sample performs a trivial write to memory roughly 960 million times before doing anything of interest; a sandbox that logs every instruction would emit more than 100GB of trace data before reaching the real payload, and many will simply time out. The lesson for defenders is that a sandbox needs a budget for trace volume and run time, and should treat a tight loop of pointless writes as an evasion indicator rather than just a slow sample.
Second, the malware tests whether it is running inside a sandbox or a virtual machine (VM), presumably through the usual hypervisor artifacts such as CPUID flags, device and driver names and MAC address prefixes, or by invoking instructions that behave differently under virtualization.
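The checks below are the common, publicly known VM and sandbox indicators that malware of this kind looks for, written here from the analyst's side: if your analysis box trips them, a sample like Rombertik can tell it is being watched. This is an added example, not Rombertik's own code or anything from the Talos analysis; the input strings are constructed, and the OUI and DMI marker lists are the usual hypervisor vendor values, not an exhaustive set.

```python
"""Hypervisor/sandbox indicators, checked against constructed host data.

Added example: generic checks of the kind malware uses to detect a VM, not
code from Rombertik. Inputs are constructed, so it runs offline.
"""
import re
from typing import Iterable, List, Optional

# OUI prefixes (first three octets) registered to hypervisor vendors.
VM_MAC_PREFIXES = {
    "08:00:27": "VirtualBox",
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "52:54:00": "QEMU/KVM",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
}

# Substrings seen in DMI/SMBIOS product or vendor strings under common hypervisors.
VM_DMI_MARKERS = ("virtualbox", "vmware", "qemu", "kvm", "xen", "hyper-v",
                  "virtual machine", "bochs", "parallels")


def hypervisor_flag_set(cpuinfo_text: str) -> bool:
    """True if /proc/cpuinfo-style text lists the 'hypervisor' CPU flag
    (CPUID leaf 1, ECX bit 31, which most hypervisors leave visible)."""
    for line in cpuinfo_text.splitlines():
        if line.lower().startswith("flags"):
            _, _, flags = line.partition(":")
            if "hypervisor" in flags.split():
                return True
    return False


def dmi_marker(dmi_strings: Iterable[str]) -> Optional[str]:
    """Return the first hypervisor marker found in the DMI strings, else None."""
    for s in dmi_strings:
        low = s.lower()
        for marker in VM_DMI_MARKERS:
            if marker in low:
                return marker
    return None


def mac_vendor(mac: str) -> Optional[str]:
    """Map a MAC address to a hypervisor vendor by its OUI prefix, else None."""
    norm = mac.lower().replace("-", ":")
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", norm):
        raise ValueError(f"not a MAC address: {mac!r}")
    return VM_MAC_PREFIXES.get(norm[:8])


def vm_indicators(cpuinfo_text: str, dmi_strings: Iterable[str],
                  macs: Iterable[str]) -> List[str]:
    """Collect every indicator that fired; an empty list means none did."""
    hits = []
    if hypervisor_flag_set(cpuinfo_text):
        hits.append("cpuid:hypervisor")
    marker = dmi_marker(dmi_strings)
    if marker:
        hits.append(f"dmi:{marker}")
    for mac in macs:
        vendor = mac_vendor(mac)
        if vendor:
            hits.append(f"mac:{vendor}")
    return hits


# Constructed sample data, not captured from real hosts.
SANDBOX_CPUINFO = "processor : 0\nflags : fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor\n"
BARE_METAL_CPUINFO = "processor : 0\nflags : fpu vme de pse tsc msr pae mce cx8 apic sep\n"

if __name__ == "__main__":
    print(vm_indicators(SANDBOX_CPUINFO, ["VirtualBox", "innotek GmbH"], ["08:00:27:12:34:56"]))
    print(vm_indicators(BARE_METAL_CPUINFO, ["Latitude 7420", "Dell Inc."], ["3c:18:a0:ab:cd:ef"]))
```

On a sandbox built for malware analysis, every one of these should come back empty: mask the hypervisor CPUID bit where the hypervisor allows it, set realistic DMI strings, and assign MAC addresses from a real hardware vendor's range.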
The most interesting part, however, is how the malware reacts once it concludes that it has been detected, is running inside a VM, or is otherwise being analysed: it destroys data and tries to leave the storage device useless. First it overwrites the master boot record (MBR) of the hard disk with its own code, taking the partition table with it, so the machine can no longer boot normally (the reported result is an endless reboot loop) and the data on the disk is very hard to recover without a saved copy of the MBR. If it cannot get write access to the MBR, it falls back to encrypting the files in the user's home folder with a randomly generated RC4 key that is never stored, which makes this a wiper rather than ransomware: there is no key to buy back, so offline backups are the only recovery path, a detail every system administrator should note.
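Because the destructive step is an overwrite of a single well-defined sector, the cheapest countermeasure is to record a baseline of the MBR from a known-good machine and check the live sector against it. The following is an added example of such a check, not code from the article or from any analysis of Rombertik; it uses the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), and the sample sector and the "overwrite" are constructed inline rather than read from a real disk.

```python
"""Parse a 512-byte MBR, sanity-check it, and fingerprint it against a baseline.

Added example, not from the original article: a generic integrity check for
the sector a wiper like the one described overwrites. Sample data is constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"


def parse_mbr(data: bytes) -> dict:
    """Return the boot-code hash, the non-empty partition entries and signature validity."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, 3 bytes CHS start, type, 3 bytes CHS end, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, off)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(data[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": data[510:512] == SIGNATURE,
    }


def mbr_is_sane(data: bytes) -> bool:
    """Structural checks: valid signature, at least one partition,
    status bytes only 0x00/0x80, and no overlapping partitions."""
    info = parse_mbr(data)
    if not info["signature_ok"] or not info["partitions"]:
        return False
    for i in range(4):
        if data[PART_TABLE_OFFSET + i * PART_ENTRY_SIZE] not in (0x00, 0x80):
            return False
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            return False
    return True


def fingerprint(data: bytes) -> str:
    """SHA-256 of the whole sector; record this from a known-good machine."""
    return hashlib.sha256(data).hexdigest()


def mbr_changed(current: bytes, baseline_sha256: str) -> bool:
    """True if the live sector no longer matches the recorded baseline."""
    return fingerprint(current) != baseline_sha256


def build_sample_mbr() -> bytes:
    """Constructed sample (not from a real disk): stub boot code plus one
    bootable NTFS partition (type 0x07) at LBA 2048 spanning 1,000,000 sectors."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFFSET - 5)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return boot_code + table + SIGNATURE


def simulate_overwrite(mbr: bytes, filler: bytes = b"\xcc") -> bytes:
    """Model the destructive step: the whole sector is replaced with attacker
    content, destroying the partition table and the signature along with it."""
    return (filler * MBR_SIZE)[:MBR_SIZE]


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = fingerprint(good)
    print(parse_mbr(good))
    print("sane:", mbr_is_sane(good), "changed:", mbr_changed(good, baseline))
    wiped = simulate_overwrite(good)
    print("sane:", mbr_is_sane(wiped), "changed:", mbr_changed(wiped, baseline))
```

On a live system the sector comes from reading the first 512 bytes of the disk device (which needs administrative rights) and the baseline is stored off the machine; a mismatch after the check passed at install time is exactly the event described in the text, and keeping that saved copy is also what makes the disk recoverable afterwards.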
It is therefore natural to wonder whether Rombertik was part of NSA spyware activity. The public analysis, however, makes no attribution at all, so for now that remains a guess.