New 'Rombertik' Malware Wipes Hard Drives if Detected

Researchers from Cisco have identified a new piece of malware that wipes a computer in order to prevent detection or analysis. Malware that detects and evades sandboxes has existed for a while; what makes Rombertik unusual is the number of such methods it stacks together, and that it destroys the host outright when it concludes it is being analysed.

The malware, named Rombertik by Cisco Systems' Talos Group, was seen in a limited number of samples early in the year but has since started to proliferate. Designed to steal user data indiscriminately, it features multiple layers of obfuscation and anti-analysis tricks to avoid detection and analysis. Cisco's Ben Baker and Alex Chiu explain, "If the sample detected it was being analysed or debugged it would ultimately destroy the master boot record (MBR)."


Once installed on a target system, Rombertik harvests login credentials and other sensitive data. According to the researchers, it gets onto a PC when a user opens the attachment of a malicious email. "Rombertik has been identified to propagate via spam and phishing messages sent to would-be victims... At a high level, Rombertik is a complex piece of malware that is designed to hook into the user's browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre. However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner."

As mentioned, the malware uses several methods to avoid detection and analysis. The executable is padded with a large amount of code that is never executed, which bloats the file and buries the real functionality. Another tactic is to write a byte of data to memory 960 million times. The loop looks like harmless activity, so a sandbox that gives up after a fixed time may classify the sample as a normal program, and a tool that logs every instruction would generate more than 100 GB of log data for this loop alone, which takes a long time to write out.

If the malware gets past these first lines of defence, it installs itself in both the startup folder and the AppData folder, and later replaces the running copy with a newly unpacked executable. The unpacked copy then runs one last check on its own integrity (detailed in the quote below), and if that check fails, for instance because an analyst has patched or rebuilt the sample, it overwrites the Master Boot Record (MBR) with code that loops forever, so the system can no longer boot. Where it cannot write to the MBR, it instead encrypts every file in the user's home folder with a randomly generated key. Because the MBR also holds the partition table, the replacement MBR overwrites the partition data as well, effectively wiping the hard drive.
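For an incident responder, the first question after a suspected Rombertik wipe is what sector 0 of the disk now looks like. The following is an added example (not Cisco Talos or Rombertik code) that decodes a 512-byte MBR and flags the symptoms described above: a bootstrap that never hands off to a boot loader, and a partition table with nothing in it. The two sectors at the bottom are constructed in-line; the "wiped" one uses a two-byte `JMP $` as a stand-in for the real sample's looping boot code, which the article does not reproduce.

```python
"""Triage of a 512-byte MBR sector: added example, not Cisco Talos or Rombertik
code.  The sectors at the bottom are constructed in-line; the wiped one models
the article's description (looping boot code, partition data gone) with a
two-byte JMP $ as a stand-in for the real sample's boot code."""
import struct

SECTOR = 512
PT_OFFSET = 446          # partition table: four 16-byte entries at bytes 446..509
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, size
SIG_OFFSET = 510         # 0x55AA boot signature in the last two bytes


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries."""
    parts = []
    for i in range(4):
        status, ptype, lba, size = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + i * 16)
        parts.append({"status": status, "type": ptype, "lba": lba, "sectors": size})
    return parts


def triage_mbr(mbr: bytes) -> dict:
    """Return the decoded partition table plus the findings an analyst would
    want flagged when pulling sector 0 from a suspect disk image."""
    if len(mbr) != SECTOR:
        raise ValueError("expected a 512-byte sector")
    findings = []
    if mbr[SIG_OFFSET:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    # EB FE is a JMP to itself: the BIOS hands over control and the CPU spins
    # forever, which is the 'never boots' symptom described above.
    if mbr[:2] == b"\xeb\xfe":
        findings.append("bootstrap code is an infinite JMP $ loop")
    parts = parse_partitions(mbr)
    if all(p["type"] == 0 and p["sectors"] == 0 for p in parts):
        findings.append("partition table is zeroed")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i} has invalid status byte {p['status']:#04x}")
    return {"partitions": parts, "findings": findings}


def build_mbr(bootstrap: bytes, partitions) -> bytes:
    """Assemble a constructed sector from bootstrap bytes and up to four
    (type, lba, sectors, bootable) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(bootstrap)] = bootstrap
    for i, (ptype, lba, size, bootable) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + i * 16,
                         0x80 if bootable else 0x00, ptype, lba, size)
    sector[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples (not captured from a real disk).
HEALTHY = build_mbr(b"\xfa\x33\xc0", [(0x07, 2048, 204800, True)])  # stub code, one NTFS partition
WIPED = build_mbr(b"\xeb\xfe", [])                                    # spin loop, empty table
NO_SIG = HEALTHY[:SIG_OFFSET] + b"\x00\x00"                           # signature clobbered

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY), ("wiped", WIPED), ("no_sig", NO_SIG)):
        print(name, triage_mbr(sector)["findings"])
```

On a real case the input is the first 512 bytes of the raw device or image (for example from `dd` or a forensic imager), not a file on the mounted volume, and a zeroed partition table on its own does not prove the data behind it is gone: the file systems may still be recoverable by carving for their boot sectors, so image the disk before attempting any repair.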

The blog further details the process, "Once the unpacked version of Rombertik within the second copy of yfoye.exe begins executing, one last anti-analysis function is run - which turns out to be particularly nasty if the check fails. The function computes a 32-bit hash of a resource in memory, and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable. If the malware does not have permissions to overwrite the MBR, it will instead destroy all files in the user's home folder (e.g. C:\Documents and Settings\Administrator\) by encrypting each file with a randomly generated RC4 key. After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted."
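The check in that quote is worth seeing in code, because it explains why the usual analyst workflow (dump the unpacked sample, patch out a branch, rebuild) is exactly what triggers the wipe. The following is an added example reconstructed from the description, not Talos or Rombertik code. The article names neither the hash function nor how the resource is located, so CRC32 stands in for the 32-bit hash and the resource offset and length are passed explicitly rather than walked from the PE resource directory; the image itself is a constructed minimal PE (DOS header, PE signature, COFF header, resource blob).

```python
"""Rombertik-style self-integrity check, reconstructed from the description
above as an added example (not Talos or Rombertik code).  CRC32 is an assumed
stand-in for the unnamed 32-bit hash, and the resource location is given
explicitly instead of being found through the resource directory.  The image
is a constructed minimal PE: DOS header, PE signature, COFF header, resource."""
import struct
import zlib


def read_timestamp(image: bytes) -> int:
    """COFF TimeDateStamp: e_lfanew from the DOS header, then 8 bytes past
    the 'PE\\0\\0' signature (after Machine and NumberOfSections)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def resource_hash(image: bytes, res_off: int, res_len: int) -> int:
    """32-bit hash of the in-memory resource (CRC32 is an assumed stand-in)."""
    return zlib.crc32(image[res_off:res_off + res_len]) & 0xFFFFFFFF


def integrity_check(image: bytes, res_off: int, res_len: int) -> bool:
    """True when the resource hash equals the compile timestamp; the malware
    takes the destructive branch when this returns False."""
    return resource_hash(image, res_off, res_len) == read_timestamp(image)


def build_pe(resource: bytes):
    """Constructed image whose TimeDateStamp is set to the resource hash, the
    way a build step would bake the expected value into the header.
    Returns (image, resource_offset, resource_length)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x14C,                               # Machine: i386
                       1,                                   # NumberOfSections
                       zlib.crc32(resource) & 0xFFFFFFFF,   # TimeDateStamp doubles as the check value
                       0, 0,                                # symbol table pointer / count
                       0,                                   # SizeOfOptionalHeader (none in this toy)
                       0x0102)                              # Characteristics: executable, 32-bit
    header = bytes(dos) + b"PE\0\0" + coff
    return header + resource, len(header), len(resource)


def patch_byte(image: bytes, off: int, value: int) -> bytes:
    """What an analyst does when editing the unpacked sample in a hex editor."""
    buf = bytearray(image)
    buf[off] = value
    return bytes(buf)


def set_timestamp(image: bytes, ts: int) -> bytes:
    """What happens to the header when the sample is rebuilt or relinked."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    buf = bytearray(image)
    struct.pack_into("<I", buf, e_lfanew + 8, ts & 0xFFFFFFFF)
    return bytes(buf)


RESOURCE = b"constructed resource blob standing in for the real one"
IMAGE, RES_OFF, RES_LEN = build_pe(RESOURCE)


def demo() -> dict:
    """Pristine sample passes; touching either side of the comparison fails."""
    return {
        "pristine": integrity_check(IMAGE, RES_OFF, RES_LEN),
        "resource_patched": integrity_check(patch_byte(IMAGE, RES_OFF, 0x41), RES_OFF, RES_LEN),
        "timestamp_patched": integrity_check(
            set_timestamp(IMAGE, read_timestamp(IMAGE) + 3600), RES_OFF, RES_LEN),
    }


if __name__ == "__main__":
    print(demo())
```

The practical caveat is that a single changed byte in the resource, or a linker stamping a fresh build time into the header, flips the result, and the consequence is an MBR overwrite rather than a crash. Samples with this behaviour should only be run inside a disposable VM with a snapshot taken first, and edits should be made to a copy with the check itself neutralised (or the timestamp recomputed) rather than to the sample that will be executed. The quote also notes the fallback: overwriting PhysicalDisk0 needs administrative rights, so an unprivileged run falls through to RC4-encrypting the home folder instead.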

Cisco's Ben Baker and Alex Chiu also list a few practices for avoiding such malware: install anti-virus software and keep it up to date; do not open attachments from unknown senders; and follow security policies for email, such as blocking certain attachment types. As the malware has spread, anti-virus and other security products have become better at detecting it, but, as noted, out-of-date software may still miss it. The malware is reportedly being sent out at an alarming rate now.


© Copyright Red Pixels Ventures Limited 2024. All rights reserved.