Researchers have uncovered a new piece of malware that will try to ‘destroy’ the computer if someone tries to find and examine it. The malware has been nicknamed Rombertik by Cisco Systems. Once it is up and running on a Windows computer, Rombertik goes through several checks to see whether it has been detected. It is being called the most intelligent virus discovered so far.
That behavior is not unusual for some types of malware, but Rombertik “is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” wrote Ben Baker and Alex Chiu of the Talos Group.
Such “wiper” malware has been used in the past, notably against South Korean targets in 2013 and against Sony Pictures Entertainment last year, an attack that the U.S. government attributed to North Korea.
Rombertik first takes aim at the Master Boot Record (MBR), the first sector of a PC’s hard drive, which the computer reads before loading the operating system. If Rombertik cannot get access to the MBR, it instead effectively destroys all of the files in the user’s home folder (e.g. C:\Documents and Settings\Administrator\) by encrypting each one with a random RC4 key.
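Because the MBR holds the partition layout, a defender can record a fingerprint of the first sector on a known-good machine and later detect whether it has been overwritten. The following Python is an added example written for this article, not code from Cisco Talos or from the malware write-up; it parses a 512-byte MBR, decodes the partition table, and compares the sector against a saved SHA-256 baseline. The sample MBR bytes are constructed here (one NTFS-type partition starting at LBA 2048) so the script runs offline.

```python
"""Parse a 512-byte Master Boot Record and check it against a known-good
fingerprint. The MBR bytes below are constructed for this example."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries live at 446..509
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510..511 of an intact MBR


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Validate the boot signature and decode the partition table.
    Raises ValueError when the sector no longer looks like an intact MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: sector overwritten or corrupt")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, type_id, lba_start, count = struct.unpack(
            "<B3xB3xII", sector[off:off + 16])
        if type_id == 0:
            continue  # unused slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, count))
    if not entries:
        raise ValueError("partition table is empty: layout information lost")
    return entries


def looks_intact(sector: bytes) -> bool:
    """True when parse_mbr accepts the sector, False otherwise."""
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; record this while the system is known-good."""
    return hashlib.sha256(sector).hexdigest()


def matches_baseline(sector: bytes, baseline: str) -> bool:
    return mbr_fingerprint(sector) == baseline


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, one bootable NTFS-type partition
    (type 0x07) starting at LBA 2048, then the boot signature."""
    boot_code = b"\xFA\x33\xC0" + b"\x90" * (PART_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    table = entry + bytes(16 * 3)
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    for entry in parse_mbr(good):
        print(entry)
    wiped = bytes(MBR_SIZE)      # what a zeroed first sector looks like
    print("intact after wipe:", looks_intact(wiped))
    print("matches baseline:", matches_baseline(wiped, baseline))
```

On a real system the 512 bytes come from reading the raw device (for example `\\.\PhysicalDrive0` on Windows with administrator rights, or `/dev/sda` on Linux). Keeping a copy of the known-good sector alongside its fingerprint is what makes recovery practical: a later parse failure or fingerprint mismatch shows the sector was overwritten, and the saved copy lets you restore the partition table without guessing at the old layout.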
As mentioned earlier, the malware has several methods of avoiding detection and analysis. The executable contains thousands of lines of code that are never used, which confuses analysis tools. Another evasion tactic is to write a single byte of data to memory 960 million times; this makes a sandbox think it is a normal program and generates data logs larger than 100 GB, which take a long time to write.
Finally, once Rombertik concludes that all of its anti-analysis checks have passed, it begins doing what it was originally built for: stealing user data. Rombertik scans the user’s running processes to determine whether a web browser is running. If it detects an instance of Firefox, Chrome, or Internet Explorer, it injects itself into that process and hooks the API functions that handle plaintext data. Once that is done, Rombertik can read any plaintext the user types into the browser and capture this input before it is encrypted, if it is about to be sent over HTTPS. This lets the malware collect data such as usernames and passwords from almost any website. Rombertik does not target any site in particular, such as banking sites, but instead tries to steal sensitive information from as many websites as possible. The collected data is then Base64 encoded and forwarded to www.centozos.org.in/don1/gate.php (in this example) over HTTP, with no encryption.
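The exfiltration described above (a Base64-encoded body sent by POST over plain HTTP to a gate.php collector) is something a web proxy or network sensor can look for. The Python below is an added example for this article, not code from Cisco Talos or from any detection product; it scores captured HTTP request records, decoding any Base64 body and flagging cleartext POSTs that go to a gate.php-style path or whose decoded body contains credential-like fields. The request records are constructed here; only the collector host and path come from the write-up, and the record field names (src, method, scheme, host, path, body) are an assumption about what a capture tool would provide.

```python
"""Flag plaintext-HTTP POSTs whose Base64 body decodes to credential-like
text. The request records below are constructed; the collector path is the
one named in the Talos write-up."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Field names that typically appear in captured login forms.
CRED_RE = re.compile(r"\b(user(name)?|login|email|pass(word|wd)?|pwd)\b\s*[=:]", re.I)


def decode_base64_text(body: str) -> Optional[str]:
    """Return the decoded payload when body is valid Base64 of printable text."""
    stripped = re.sub(r"\s+", "", body)
    if len(stripped) < 8:
        return None
    try:
        raw = base64.b64decode(stripped, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return text if printable >= 0.95 * len(text) else None


def score_request(rec: Dict[str, str]) -> Optional[str]:
    """Return the reasons a record matches the exfiltration pattern, else None."""
    if rec["method"] != "POST" or rec["scheme"] != "http":
        return None                       # pattern is cleartext POST only
    text = decode_base64_text(rec["body"])
    if text is None:
        return None
    reasons = []
    if rec["path"].lower().endswith("gate.php"):
        reasons.append("POST to gate.php-style collector")
    if CRED_RE.search(text):
        reasons.append("decoded body contains credential-like fields")
    return "; ".join(reasons) if reasons else None


def scan(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run score_request over every record and keep the hits."""
    hits = []
    for rec in records:
        why = score_request(rec)
        if why:
            hits.append((rec["src"], rec["host"] + rec["path"], why))
    return hits


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed records, as a web proxy or packet capture might yield them.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "method": "POST", "scheme": "http",
     "host": "www.centozos.org.in", "path": "/don1/gate.php",
     "body": _b64("username=jdoe&password=s3cret&site=mail.example.com")},
    {"src": "10.0.0.7", "method": "POST", "scheme": "http",
     "host": "telemetry.example.net", "path": "/api/upload",
     "body": _b64('{"event":"ping","v":3}')},
    {"src": "10.0.0.9", "method": "GET", "scheme": "http",
     "host": "www.example.org", "path": "/index.html", "body": ""},
    {"src": "10.0.0.5", "method": "POST", "scheme": "https",
     "host": "accounts.example.com", "path": "/login",
     "body": "username=jdoe&password=s3cret"},
]

if __name__ == "__main__":
    for src, url, why in scan(SAMPLE_RECORDS):
        print(f"{src} -> {url}: {why}")
```

Only the first record is reported, with both reasons. The second shows why decoding alone is not enough: plenty of legitimate software posts Base64 blobs, so the rule keys on what the decoded text contains and where it is going rather than on the encoding itself. The fourth record is a normal HTTPS login and is ignored because the pattern being matched is cleartext submission.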
Worse, if you attempt to analyse this nasty malware, Rombertik will deliberately try to corrupt the master boot record of your storage device, where crucial details such as the location of files on the disk and the layout of the disk’s partitions are stored. The result is that on the next reboot the disk and everything on it will be unusable until it is wiped and the system re-installed, taking all your data with it. It’s a pain, and while recovery isn’t out of the question, that is an even bigger pain. In effect, Rombertik starts to behave like a wiper, trashing the user’s computer if it detects that it is being analysed. You can read the full report on Rombertik here: Cisco Talos.

How to protect your PC from the Rombertik malware?
- Make sure you have anti-malware software installed, that it downloads the latest updates and anti-malware definitions (preferably automatically), and that it is set to scan all incoming email.
- Don’t open attachments in odd emails from unknown senders, nor unexpected attachments from a trusted sender (whatever the file format). Treat unexpected mails with attachments, such as lottery wins or job offers, as suspicious, and scan the file before opening it.