Rombertik’s disk wiping mechanism is aimed at pirates, not researchers

SmartNA PortPlus - High Performance Visibility Solutions that scale with your network.

Rombertik, the information-stealing malware that was recently analyzed by Cisco researchers and which apparently tries to prevent researchers from doing so by rewriting the computer’s Master Boot Record, is actually a newer version of an underground crimeware kit known as Carbon FormGrabber (or Carbon Grabber), Symantec researchers have found.

They also believe that the destructive action performed by the Trojan is not aimed against researchers, but “naive cheapskates who may be trying to use this software for free.”

“Legitimate software vendors often add protection mechanisms that prevent the software from being used without a license, but thats usually the extent of the ‘damage’ caused to digital pirates. In the cybercrime world, things are a bit more cut throat,” researcher Dumitru Stama explained.

The destructive functionality is not something that regular customers of Carbon Grabber have access to. Instead, this code is set up to only spring its trap if the Trojan detects that a user is trying to tamper with its code to make it do something it wasnt licensed to do.”

Carbon Grabber is a general info-stealer Trojan with backdoor capabilities, and criminals who bought it and licensed it receive a custom-built version that has a single C&C server address (provided by them) embedded in the code.

Other criminals who somehow managed to get their hands on a random copy of the malware had to change this address in order to collect the information exfiltrated by the malware, and this is what the aforementioned destructive mechanism aims to prevent.

This would definitely explain the message shown on the thrashed computer after the wiping process is executed:

It’s interesting to note that this protection can be bypassed due to an implementation error made by the malware developer (Stama explains how.)

“Theres no denying the damage that this threat can cause, it really is very destructive, but this is no indiscriminate wiper Trojan,” he concluded.

Fortinet researcher Raul Alvarez also discovered that Rombertik’s MBR wipe routine will not work on newer versions of Windows, as it doesnt have enough permission to do it.

Instead, it will try to overwrite files in the computer, but will avoid file with the following extensions: .dll, .exe, .vxd, and .drv.”