Posted on 05/07/2015 7:01:36 PM PDT by Utilizer
A piece of malware that tries to defeat analysis by making the machine it infects unbootable has been found.
If Rombertik's anti-analysis checks are triggered, it overwrites the disk's master boot record, leaving the computer stuck in a restart loop.
Analysts said Rombertik was "unique" among malware samples for resisting capture so aggressively.
On Windows machines where it goes unnoticed, the malware steals login data and other confidential information.
Endless loop
Rombertik typically infects a machine after a booby-trapped attachment to a phishing message has been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost; no software vulnerability is needed, the user runs the attachment.
Some of the messages Rombertik travels with pose as business enquiry letters from Microsoft.
The malware "indiscriminately" stole data entered by victims on any website, the researchers said.
And it got even nastier when it spotted someone was trying to understand how it worked.
"Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis," the researchers said.
The malware regularly carries out internal checks to see if it is under analysis.
If it believes it is, it will attempt to overwrite the Master Boot Record (MBR). The MBR is not a Windows file but the first sector of the disk, holding the boot code and the partition table, which the firmware reads before Windows starts.
It then restarts the machine, which boots into the replacement code rather than Windows and ends up in an endless restart loop.
The code replacing the MBR makes the machine print out a message mocking attempts to analyse it.
Restoring a PC whose MBR has been overwritten usually means reinstalling Windows, which could mean important data is lost, unless the boot sector can be rebuilt from a surviving partition table.
Rombertik also uses other tricks to foil analysis.
One involves writing a byte of data to memory 960 million times to overwhelm analysis tools that try to spot malware by logging system activity.
Security expert Graham Cluley said destructive viruses such as Rombertik were quite rare.
"It's not the norm," he said.
"That's because malware these days doesn't want to draw attention to itself, as that works against its typical goal - to lie in wait, stealing information for a long time."
Ping.
It’s called Windows?
It's called Windows?
No, It’s called Windows Marketing.
Can it overwrite the MBR on a Safe Boot / UEFI machine?
Thanks to Utilizer for the ping!
More info:
Cisco researchers have identified a new malware sample, called Rombertik, that takes its detection evasion features one step further than the average cyber threat.
Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device’s master boot record (MBR), researchers wrote in a blog post.
This malware spreads through spam and phishing messages sent to possible victims.
In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it carries a PDF icon, it is actually a .SCR screensaver file, which Windows runs as an ordinary executable, and it contains the malware.
At this point Rombertik first runs anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it decrypts and installs itself, launches a second copy of itself and overwrites that running copy with the malware's core functionality.
...
> No, It's called Windows Marketing.
Wow, tough crowd tonight... :-)
DANG!!
No, it doesn't.
No word yet. It has just been detected and the coders are still examining it.
Best to have backups ready now just in case.
If this happens, you take the infected hard drive and install it as a slave (or non-bootable) drive on a clean desktop computer. Pull off all the files you want to keep. Wipe the infected hard drive clean and reuse it.
> No, it doesn't.
If all that's overwritten is the MBR itself, that can be reconstructed. Hell, even old FDISK /MBR might do it.
But if the partition table got overwritten and it was anything other than trivial, the average user will be outta luck.
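This reply and the article's description of the MBR overwrite above draw the same distinction: the boot code in bytes 0-445 can be rewritten from a known-good copy, but if the partition table in bytes 446-509 is gone there is nothing to rebuild from. The following is an added example, not code from Cisco, the BBC, or anyone in this thread. It parses a 512-byte MBR, judges whether the partition table is still plausible, classifies the sector as intact / boot code overwritten / table destroyed, and performs the FDISK /MBR-style repair of keeping the table while replacing the boot code. The sample sectors, the disk size and the "boot code" byte pattern are all constructed for the example and stand in for real values.

```python
"""Triage a 512-byte MBR: is the partition table still usable, and was only
the boot code overwritten?  Added example; every sector below is constructed
by hand and the 'boot code' is a stand-in byte pattern, not real boot code."""
import struct
from typing import Optional

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # bytes 0..445 hold the boot code
PART_ENTRY_SIZE = 16             # four entries, bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte legacy partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_SIZE])
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors,
                        "empty": ptype == 0})
    return entries


def table_looks_sane(entries: list, disk_sectors: int) -> bool:
    """Plausibility check: at least one partition, every used entry inside
    the disk, status byte 0x00 or 0x80, and no overlapping extents."""
    spans = []
    for e in entries:
        if e["empty"]:
            continue
        if e["status"] not in (0x00, 0x80):
            return False
        if e["lba_start"] == 0 or e["sectors"] == 0:
            return False
        end = e["lba_start"] + e["sectors"]
        if end > disk_sectors:
            return False
        spans.append((e["lba_start"], end))
    if not spans:
        return False
    spans.sort()
    return all(nxt[0] >= cur[1] for cur, nxt in zip(spans, spans[1:]))


def classify_mbr(sector: bytes, disk_sectors: int,
                 known_boot_code: Optional[bytes] = None) -> str:
    """'intact', 'boot-code-overwritten' or 'table-destroyed'.
    known_boot_code (the first 446 bytes of a known-good sector for the same
    OS) lets a swapped-in boot sector be detected even when the table was
    kept; without it only a missing 0x55AA signature or a degenerate
    single-byte boot-code region is flagged."""
    if not table_looks_sane(parse_partition_table(sector), disk_sectors):
        return "table-destroyed"
    boot_code = sector[:PART_TABLE_OFFSET]
    if sector[510:512] != BOOT_SIGNATURE:
        return "boot-code-overwritten"
    if known_boot_code is not None and boot_code != known_boot_code:
        return "boot-code-overwritten"
    if len(set(boot_code)) == 1:          # e.g. all 0x00 after a zero-fill
        return "boot-code-overwritten"
    return "intact"


def restore_boot_code(sector: bytes, good_boot_code: bytes, disk_sectors: int) -> bytes:
    """The FDISK /MBR-style repair: keep bytes 446..509 (the partition
    table) and rewrite everything else.  Refuses when the table itself is
    gone, because then there is nothing worth keeping."""
    if len(good_boot_code) != PART_TABLE_OFFSET:
        raise ValueError("boot code must be 446 bytes")
    if not table_looks_sane(parse_partition_table(sector), disk_sectors):
        raise ValueError("partition table not recoverable from this sector")
    return good_boot_code + sector[PART_TABLE_OFFSET:510] + BOOT_SIGNATURE


# --- constructed sample sectors (not from a real disk) -------------------
def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    if ptype == 0:
        return bytes(PART_ENTRY_SIZE)
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xff\xff\xff",
                       ptype, b"\xff\xff\xff", lba_start, sectors)


DISK_SECTORS = 409600                      # assumed 200 MiB disk
GOOD_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFFSET - 5)
CLEAN_MBR = (GOOD_BOOT_CODE
             + make_entry(True, 0x07, 2048, 204800)    # one NTFS partition
             + make_entry(False, 0, 0, 0) * 3
             + BOOT_SIGNATURE)
BOOT_CODE_ZEROED = bytes(PART_TABLE_OFFSET) + CLEAN_MBR[PART_TABLE_OFFSET:]
WHOLE_SECTOR_ZEROED = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, sec in [("clean", CLEAN_MBR), ("boot code zeroed", BOOT_CODE_ZEROED),
                      ("whole sector zeroed", WHOLE_SECTOR_ZEROED)]:
        print(f"{name:20s} -> {classify_mbr(sec, DISK_SECTORS, GOOD_BOOT_CODE)}")
    print("repair reproduces clean sector:",
          restore_boot_code(BOOT_CODE_ZEROED, GOOD_BOOT_CODE, DISK_SECTORS) == CLEAN_MBR)
```

On a real case you would read the first 512 bytes of the drive from a clean machine (as the earlier reply suggests, with the disk attached as a secondary drive), run the classification, and only then decide between rewriting boot code and a full reinstall. The plausibility test is deliberately conservative: a table that fails it might still be partly recoverable by carving, but it should not be trusted as-is.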
bing
No doubt created by liberal democrats so Hillary can say that is what happened to all of her e-mails. Yeah, that’s the ticket, virus destroyed my e-mails, and Morgan Fairchild’s too.
MBR wipers are a quarter century old. Restoring a partition table is trivial. This is ridiculous.
Done it many times when doing bare-metal upgrades. The downside is having to re-install all the software.
> Security expert Graham Cluley said destructive viruses such as Rombertik were quite rare.
So far.
I'm not going to argue with you. I WROTE partition table utilities in the 80's. You're right, it's trivial -- if you are a literate user who knows what a partition table is.
Most Windows users wouldn't know an MBR or partition table if it bit them on the ass.
And besides, these days, computers are using GUID partitioning. You gonna teach users how to use "parted"? Best of luck.
I'm not disagreeing that it's trivial in most cases. I'm saying that trivial or not it is impossible for today's average Windows user.
Mostly humor/glomming on... Windows works great for me. And has for 20+ years.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.