Anti-piracy cracking keys available in malware's binary code

May 19, 2015 18:33 GMT

Rombertik’s protection, believed to unleash a digital doom on the systems used for analysis by malware researchers, has been cracked, and new findings show that the feature is actually intended to prevent unlicensed use of the malicious software.

Two weeks ago, security experts from Cisco Systems' Talos Group presented a report on the Rombertik credential stealer, disclosing that the threat included destructive routines that would render the computer inoperable if deployed.

The action consisted of corrupting the MBR or encrypting data in the user’s home folder and sending the machine into a continuous reboot loop.

Rombertik is a newer version of Carbon Grabber

Although the general public was led to believe that the malware could react this violently on consumers' computers, Cisco presented its discoveries as methods of evading security analysis.

They say Rombertik comes with a function that creates a hash of one of its resources and stores it in the memory of the computer. If the resource in the code or the compilation time is changed, the destructive capability is activated, and the message “Carbon crack attempt, failed_” is shown when the computer reboots.

Security researchers from Symantec analyzed the threat and concluded that the violent action is designed as an anti-piracy measure. They say that Rombertik is a newer version of an underground crimeware kit known as Carbon FormGrabber or Carbon Grabber, which explains the reference in the message.

“Each copy of Carbon Grabber is built and licensed for a particular user. It is built to only contact a predefined command-and-control (C&C) server as specified by the paying customer. It does this by embedding the address of the C&C server within its own binary code,” Symantec’s Dumitru Stama states in a blog post.

Researchers find the keys to bypass the protection mechanism

To prevent unauthorized use through replacement of the C&C address, Rombertik’s authors implemented the anti-piracy mechanism.

However, Symantec managed to get around the restriction and found that the protected resource is the C&C server address, encrypted with a public RSA key. Decryption uses the corresponding private key, whose hash is computed and stored in the computer's memory.

Any attempt to replace the private key triggers the destructive behavior, since the hash in memory and the one computed from the binary would no longer match. The public key used to encrypt the C&C address, on the other hand, allows a new address to be added without setting off the trap.

Stama says the malware's author made a mistake and included the public/private key pair in a resource containing the RSA key data, allowing the researchers to add an address for a new C&C server in order for Rombertik to contact it for instructions.

“We were able to encrypt a different C&C URL using the public key and decrypt it using the included private key. This means that if somebody wanted to repurpose a copy of the Trojan without paying for a new one, they could do so using this method without triggering the destructive payload,” Stama says.

These findings led to the conclusion that the mechanism was designed as an anti-piracy protection in case someone tried to use the malware without paying the license fee.

Rombertik's protection cracked (2 images): resource containing the public-private key pair; the trigger for the destructive sequence.