Cisco - Rombertik Malware Destroys Computers If Detected

Security researchers of security firm Cisco have discovered a new malware dubbed 'Rombertik' which takes unusual measures to avoid detection and analysis including deleting all hard drive data making a computer unworkable.

Rombertik is a difficult piece of malware which extensively collects everything a user does on the Web, probably to acquire login credentials and other sensitive data. The malware gets installed when people click on attachments enclosed in malicious emails.

Cisco reverse engineered the software and found that Rombertik takes a variety of steps behind the scenes to avoid analysis. It contains manifold levels of complication and anti-analysis functions which makes it difficult for outsiders to peer into its inner workings.

However, the malware is not done with its anti-analysis checks because the final check performed by Rombertik is the most risky one. It calculates a 32-bit hash of a resource in memory and if either that resource or the compiling times get changed, then the Rombertik causes self-destruct.

It aims at the Master Boot Record (MBR) which is the initial sector of hard drive of a PC which the system looks at before the loading of the OS (operating system). If the malware (Rombertik) does not gain access to MBR, it successfully destroys all files in the home folder of the user by encrypting each with an arbitrary RC4 key.

The computer restarts the moment either when the MBR or else the home folder gets encrypted. The MBR enters an unlimited loop which stops the system from rebooting and the screen displays: "Carbon crack attempt, failed."

When initially installed on a computer, Rombertik unpacks it own self. About 97% of the matter of the unpacked file is drafted to give an authentic look, while carrying 75 images and 8,000 distracting functions which are never actually used.

Rombertik also contains capabilities to detect and avoid sandboxes like many other pieces of malware.

Threatpost.com reported on 4th May, 2015 quoting Craig Williams, Security Outreach Manager at Cisco, as saying "when we first found it at the beginning of the year, it was fairly unknown and had almost zero detection rates. Today, there is a decent amount of detection of it and at this point, it's just being sent out shotgun style."

» SPAMfighter News - 5/8/2015