Hello,
The original Cisco article is titled
Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors. A researcher at Blue Coat quickly rebutted the finding by publishing
The impact of Rombertik. The author cites Symantec's work on Carbon Grabber,
European automobile businesses fall prey to Carbon Grabber.
The Blue Coat article was later edited to add nuances and clarifications:
My colleague Ashwin Vamshi took the time to actually unpack the Rombertik sample, and it turns out that I got the story slightly wrong.
Rombertik becomes destructive if its datetime stamp does not match the checksum of an XOR-encoded version of its RSA key blob. This is a peculiar self-protection mechanism, apparently detecting whether its encryption key has been tampered with. The logic of this eludes me - but it has nothing whatsoever to do with the malware being run in a VM, or even being reversed.
So, it seems that the Rombertik malware is not an actual standalone malware at all, but an obfuscating wrapper applied to various crimeware [...] When this executable was extracted from memory, it turned out that the malware is fairly well known and has been around a good while. The destructive version has been seen at least since August 2014, but previous versions, without the hard disk wipe, existed well before that.
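To make the tamper check described above concrete, here is an added model of it in Python. It is not Rombertik's code and not taken from the Blue Coat or Cisco write-ups: the image layout (a 4-byte stamp field followed by the key blob), the use of CRC-32 as the checksum, the single-byte XOR key and the function names are all assumptions. The point it illustrates is that an analyst who swaps out the embedded RSA key blob without recomputing the stored value trips the check, which is what "detecting whether its encryption key has been tampered with" amounts to.

```python
import struct
import zlib

# Constructed example modelling the quoted description; the real unpacker's
# layout, checksum algorithm and XOR key are unknown and assumed here.
XOR_KEY = b"\x5a"                            # assumed single-byte XOR key
SAMPLE_RSA_BLOB = bytes(range(0x10, 0x50))   # constructed stand-in for an RSA key blob


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the encoding the quoted text says is applied to the key blob."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def blob_checksum(rsa_blob: bytes, key: bytes = XOR_KEY) -> int:
    """Checksum over the XOR-encoded key blob. CRC-32 is an assumption."""
    return zlib.crc32(xor_encode(rsa_blob, key)) & 0xFFFFFFFF


def build_sample(rsa_blob: bytes) -> bytes:
    """Lay out a minimal image: a 4-byte 'datetime stamp' field repurposed to hold
    the expected checksum, followed by the key blob. The layout is a model only."""
    return struct.pack("<I", blob_checksum(rsa_blob)) + rsa_blob


def parse_sample(image: bytes):
    """Split an image built by build_sample() into (stamp, rsa_blob)."""
    (stamp,) = struct.unpack_from("<I", image, 0)
    return stamp, image[4:]


def self_check(image: bytes) -> str:
    """Return 'run' when the stored stamp matches the recomputed checksum,
    'destroy' when it does not (the destructive branch is only named, never acted on)."""
    stamp, rsa_blob = parse_sample(image)
    return "run" if blob_checksum(rsa_blob) == stamp else "destroy"


def patch_key(image: bytes, new_blob: bytes) -> bytes:
    """What an analyst might do: replace the key blob without updating the stamp."""
    stamp, _ = parse_sample(image)
    return struct.pack("<I", stamp) + new_blob


if __name__ == "__main__":
    img = build_sample(SAMPLE_RSA_BLOB)
    print(self_check(img))                                   # run
    tampered = patch_key(img, b"\x00" + SAMPLE_RSA_BLOB[1:])  # one byte of the key changed
    print(self_check(tampered))                              # destroy
```

Changing even one byte of the key blob changes the CRC, so the only way to alter the key and keep the sample on the benign path is to rewrite the stamp field as well; a VM or a debugger never enters into it, which is the Blue Coat author's point.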
Today, the vast majority of malicious code is written to make money, to turn a profit.
Let's be serious: crypto-ransomware does far more damage than this family of wipers.
Related links:
(14 May 2015) Exposing Rombertik - Turning the Tables on Evasive Malware