Self-destructing virus kills off PCs
teoti ^ | 9:38 pm 05/05/2015 | tricpe

Posted on 05/07/2015 7:01:36 PM PDT by Utilizer

A computer virus that tries to avoid detection by making the machine it infects unusable has been found.

If Rombertik's evasion techniques are triggered, it deletes key files on a computer, making it constantly restart.

Analysts said Rombertik was "unique" among malware samples for resisting capture so aggressively.

On Windows machines where it goes unnoticed, the malware steals login data and other confidential information.

Endless loop

Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost.

Some of the messages Rombertik travels with pose as business enquiry letters from Microsoft.

The malware "indiscriminately" stole data entered by victims on any website, the researchers said.

And it got even nastier when it spotted someone was trying to understand how it worked.

"Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis," the researchers said.

The malware regularly carries out internal checks to see if it is under analysis.

If it believes it is, it will attempt to delete an essential Windows system file called the Master Boot Record (MBR).

It will then restart the machine which, because the MBR is missing, will go into an endless restart loop.

The code replacing the MBR makes the machine print out a message mocking attempts to analyse it.

Restoring a PC with its MBR deleted involves reinstalling Windows, which could mean important data is lost.

Rombertik also uses other tricks to foil analysis.

One involves writing a byte of data to memory 960 million times to overwhelm analysis tools that try to spot malware by logging system activity.

Security expert Graham Cluley said destructive viruses such as Rombertik were quite rare.

"It's not the norm," he said.

"That's because malware these days doesn't want to draw attention to itself, as that works against its typical goal - to lie in wait, stealing information for a long time."


TOPICS: Computers/Internet
KEYWORDS: malware; mbr; pc; virus; windows; windowspinglist
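The article mentions that Rombertik writes one byte to memory 960 million times to overwhelm tools that log every operation. The following is an added example, not code from the article or from Cisco's analysis, showing the usual countermeasure on the analysis side: a logger that run-length collapses identical consecutive records into one line with a count, so a tight loop costs one summary line instead of hundreds of millions, and a run past a threshold is reported as a flood. The event tuple layout, the threshold, and the trace are assumptions constructed for this file.

```python
"""Run-length coalescing for an activity log, with flood flagging.

Added example, not from the article or the Cisco analysis. A logger that
collapses identical consecutive records pays almost nothing for a loop
that repeats one write, and can flag that loop instead of drowning in it.
The event tuple layout, the threshold and the trace below are assumptions
constructed for this file.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

Event = Tuple[str, int]      # (operation, address) as an instrumented tool might record it
FLOOD_THRESHOLD = 100_000    # assumed: a run this long is reported as a flood


@dataclass
class LogEntry:
    event: Event
    count: int               # how many consecutive identical events this line stands for

    def __str__(self) -> str:
        op, addr = self.event
        suffix = f" x{self.count}" if self.count > 1 else ""
        flag = "  [FLOOD]" if self.count >= FLOOD_THRESHOLD else ""
        return f"{op} 0x{addr:08x}{suffix}{flag}"


def coalesce(events: Iterable[Event]) -> Iterator[LogEntry]:
    """Yield one LogEntry per run of identical consecutive events.

    Works on a stream, so memory stays constant however long the run is.
    """
    current: Optional[Event] = None
    count = 0
    for event in events:
        if event == current:
            count += 1
            continue
        if current is not None:
            yield LogEntry(current, count)
        current, count = event, 1
    if current is not None:
        yield LogEntry(current, count)


def summarize(events: Iterable[Event]) -> Tuple[List[LogEntry], List[LogEntry]]:
    """Return (all coalesced entries, the subset that count as floods)."""
    entries = list(coalesce(events))
    floods = [e for e in entries if e.count >= FLOOD_THRESHOLD]
    return entries, floods


def constructed_trace(repeats: int = 250_000) -> Iterator[Event]:
    """Constructed trace: a little ordinary activity around a tight write loop."""
    yield ("open", 0x1)
    for _ in range(repeats):
        yield ("write", 0x00401000)   # same byte, same address, over and over
    yield ("write", 0x00401001)
    yield ("close", 0x1)


if __name__ == "__main__":
    entries, floods = summarize(constructed_trace())
    for entry in entries:
        print(entry)
    print(f"{len(entries)} log lines, {len(floods)} flood(s)")
```

Coalescing only catches exact consecutive repeats; a loop that varies the address or value on every iteration needs sampling or a per-address rate limit instead, so the two approaches are usually combined.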
To: Utilizer
> Self-destructing virus kills off PCs

Stop talking about Windows like that!

21 posted on 05/07/2015 7:29:38 PM PDT by Still Thinking (Freedom is NOT a loophole!)

To: tacticalogic; dennisw
> Done it many times when doing bare-metal upgrades. The downside is having to re-install all the software.

True, but doing in-place upgrades has its downsides too. I believe in ripping out the OS about every two years regardless, and reinstalling everything, because:

and so on.
22 posted on 05/07/2015 7:32:36 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: Utilizer
> At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn’t, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware’s core functionality.

Need to get it in a sandbox it doesn't recognize.

23 posted on 05/07/2015 7:34:10 PM PDT by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)

To: dayglored
Oh, no argument at all, I just get a little irritated at these DoomDoomKerboom articles. I last used testdisk about three weeks ago to bring back a partition table on a machine somebody had trashed "irrecoverably". CS major, too. The guy blushed scarlet when he saw how easy it was.

You are, of course, completely correct that the average user might not know about this stuff, more's the pity. So, 'fess up - could you write a script and put it on a bootable medium that would take care of this in a single operation? Yes, you could. Haha - admit it! ;-)

24 posted on 05/07/2015 7:35:29 PM PDT by Billthedrill

To: tacticalogic; Utilizer
> Need to get it in a sandbox it doesn't recognize.

Tricky. It's a lot easier to detect that you're in one, than to build one that can't be detected.

25 posted on 05/07/2015 7:36:47 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: dayglored
> I believe in ripping out the OS about every two years regardless, and reinstalling everything,

I do it about every 3 years, and start with a new MB, CPU, memory, and HD. A good case and PS will usually be good for 2-3 cycles of that.

26 posted on 05/07/2015 7:39:22 PM PDT by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)

To: Billthedrill
> So, 'fess up - could you write a script and put it on a bootable medium that would take care of this in a single operation? Yes, you could. Haha - admit it! ;-)

"Guilty, Your Honor!!"

27 posted on 05/07/2015 7:39:41 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: Utilizer
Destroying your computers runs completely counter to the purpose of watching your habits and stealing your personal data. This "article" is written like a junk e-mail ("destroys your computer!").

"involves reinstalling Windows, which could mean important data is lost"
This does not make logical sense, I've reinstalled Windows many times with no loss of data.

28 posted on 05/07/2015 7:41:22 PM PDT by Excuse_My_Bellicosity (Death before disco.)

To: Utilizer

This will continue until we bring back public hanging.


29 posted on 05/07/2015 7:44:19 PM PDT by SWAMPSNIPER (The Second Amendment, a Matter of Fact, Not A Matter of Opinion)

To: Billthedrill
> I just get a little irritated at these DoomDoomKerboom articles

Yup. The virus may be for real but this "article" reads like a junk e-mail. We've all seen those before: "indestructible virus", "completely destroys your computer", "intelligently evades detection".

30 posted on 05/07/2015 7:45:56 PM PDT by Excuse_My_Bellicosity (Death before disco.)

To: SWAMPSNIPER
> This will continue until we bring back public hanging.

Problem: hanging is too quick and reliable.

Writing malware should be punishable by something slow and uncertain. Maybe the honey and fire-ant-hill thing, and THEN hanging.

31 posted on 05/07/2015 7:47:17 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: dayglored
> Tricky. It's a lot easier to detect that you're in one, than to build one that can't be detected.

Figure out what tests it's running and then figure out how to lie to it.

32 posted on 05/07/2015 7:50:10 PM PDT by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)

To: Utilizer

Won't affect my awesome Linux PC ha


33 posted on 05/07/2015 7:53:45 PM PDT by bicyclerepair (Ft. Lauderdale FL (zombie land). TERM LIMITS ... TERM LIMITS)

To: Billthedrill

public void alwaysDo()
{
    User user = new User();

    user.keepOriginalSoftware();
    user.knowHowToInstallOriginalSoftware();
    user.backupYourData(USB_DRIVE);

    // for good cloud backup go to http://www.crashplan.com
    user.backupYourData(CLOUD);
}


34 posted on 05/07/2015 7:55:49 PM PDT by doomtrooper99 (Mr Truman, you did not finish the job)

To: tacticalogic
> Figure out what tests it's running and then figure out how to lie to it.

Well, yes, of course. ;-)

The problem is that if it's smart, it won't let you intercept the fact that it's running a test. That's somewhat more challenging in these days of multiple cores and threads, but it can usually be done.

A very interesting problem in either direction.

35 posted on 05/07/2015 7:58:01 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: Utilizer
> Restoring a PC with its MBR deleted involves reinstalling Windows, which could mean important data is lost.

Wrong. Restoring a corrupted MBR is child's play; I've done it several times for clients.

36 posted on 05/07/2015 8:01:28 PM PDT by Squawk 8888 (Will steal your comments & post them on Twitter)
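Billthedrill asked whether a script on a bootable medium could take care of a wiped MBR in one operation, and Squawk 8888 says restoring a corrupted MBR is routine. As an added example (not the thread's or Cisco's code), here is the core of such a rescue script: the MBR is the first 512-byte sector of the disk, so the script parses that sector, decides whether it is still sane, and only then falls back to a copy saved while the disk was healthy. Every sector used below is constructed in this file; the device paths in the usage note are assumptions for a Linux rescue medium.

```python
"""Inspect, back up and verify a 512-byte Master Boot Record image.

Added example, not code from the thread or from the Cisco write-up. Reads
nothing from a real disk: all sectors here are constructed in this file.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot loader code
PART_TABLE_OFFSET = 446       # bytes 446..509: four 16-byte partition entries
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Return the non-empty entries of the classic MBR partition table."""
    entries = []
    for slot in range(4):
        offset = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, offset)
        if ptype == 0:
            continue  # unused slot
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def mbr_problems(mbr: bytes) -> List[str]:
    """List reasons the sector cannot be trusted; an empty list means it looks sane."""
    if len(mbr) != MBR_SIZE:
        return [f"expected {MBR_SIZE} bytes, got {len(mbr)}"]
    problems = []
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    if mbr[:BOOT_CODE_SIZE] == bytes(BOOT_CODE_SIZE):
        problems.append("boot code area is all zeros")
    entries = parse_partition_table(mbr)
    if not entries:
        problems.append("partition table is empty")
    for entry in entries:
        if entry.sector_count == 0:
            problems.append(f"partition type 0x{entry.type_id:02x} has zero length")
    # Partitions must not overlap one another.
    spans = sorted((e.lba_start, e.lba_start + e.sector_count) for e in entries)
    for (_a_start, a_end), (b_start, _b_end) in zip(spans, spans[1:]):
        if b_start < a_end:
            problems.append(f"partitions overlap at LBA {b_start}")
    return problems


def choose_restore(current: bytes, backup: bytes) -> Optional[bytes]:
    """Return the backup sector if the live one is damaged and the backup is sane.

    Returns None when nothing should be written (live sector fine, or the
    backup fails the same checks), so the script never replaces one bad
    sector with another.
    """
    if not mbr_problems(current):
        return None
    if mbr_problems(backup):
        return None
    return backup


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: minimal boot stub, one NTFS-typed partition."""
    boot_code = b"\xEB\xFE".ljust(BOOT_CODE_SIZE, b"\x00")  # jmp $, then padding
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    healthy = build_sample_mbr()
    wiped = b"\x00" * MBR_SIZE            # constructed: sector 0 zeroed out
    print("healthy:", mbr_problems(healthy) or "ok")
    print("wiped:  ", mbr_problems(wiped))
    print("restore:", choose_restore(wiped, healthy) == healthy)
```

On a Linux rescue medium the backup is taken while the disk is healthy with something like `dd if=/dev/sda of=mbr.bak bs=512 count=1` (device name assumed) and written back with the same command reversed, after `mbr_problems` on the saved copy comes back empty; using `bs=446` restores only the boot code and leaves whatever partition table is currently on disk untouched. The checks above are for classic MBR disks only: on a GPT disk sector 0 holds a protective entry of type 0xEE and the real table lives in later sectors, so a GPT rescue needs its own checks.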

To: dayglored

…Taliban Justice???...


37 posted on 05/07/2015 8:01:52 PM PDT by doomtrooper99 (Mr Truman, you did not finish the job)

To: dayglored
> The problem is that if it's smart, it won't let you intercept the fact that it's running a test. That's somewhat more challenging in these days of multiple cores and threads, but it can usually be done.

I think you should be able to mitigate some of that by running it in a VM.

38 posted on 05/07/2015 8:05:04 PM PDT by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)

To: tacticalogic

I HAVE to reinstall Windows once every 2-3 years.

I reinstalled Mac OS X only once, when I took my Mac Mini to work and wanted to scrub personal data and software.


39 posted on 05/07/2015 8:07:02 PM PDT by doomtrooper99 (Mr Truman, you did not finish the job)

To: tacticalogic

I use VMware's Player all the time.

www.vmware.com


40 posted on 05/07/2015 8:08:26 PM PDT by doomtrooper99 (Mr Truman, you did not finish the job)

