In early May there was some fuss about a new malware specimen called Rombertik that analysis, the Master Boot Record (MBR) erased from the hard disk and partition with null bytes' wrote about so that all available data was lost. Initially it was thought that it was a measure to thwart security researchers, but according to Symantec, it is a copy.
Rombertik is a new variant of the Carbon FormGrabber, also known as Carbon Grabber. It is a malware kit that is offered on the black market and is intended for cyber criminals who are unable to write their own malware. To combat illegal use of the malware creators have added a copy protection, so that their creation has not been without a valid license to use. Each version of Rombertik's made for a specific user and licensed. The malware connects to a predefined Command & Control server.
An illegal user could change the address of the server, so the malware makes to another address and link it sends the stolen data to. To prevent this, after the change of address copy protection are active. In addition, the malware also shows a message to the software pirate that the squat attempt failed. Symantec concludes therefore that it is not a measure to thwart investigators, but to punish freeloaders who think they can use the malware free.
No comments:
Post a Comment