A new malware is on the prowl. Meet Rombertik, a deadly virus that self-destructs your computer once you detect the malware.
Unlike most computer viruses, Rombertik attempts to avoid detection or analysis by simply making the device it has infected unusable. The "unique" virus resists capture pretty aggressively and, upon detection, begins to delete files on the PC. The virus makes the machine reboot constantly in loop as its evasion mechanism is triggered. The malware also steals a user's login data and other sensitive information.
If Rombertik is successful in avoiding detection in the initial stages, then it installs itself on the AppData and startup folders. At some point, it replaces itself with a new unpacked executable. Once the virus is deeply embedded into the system, the malware is able to perform constant checks against the "unpacked sample."
While Rombertik doesn't exactly destroy the infected machine, it does erase the partition sector of the hard drive—the Master Boot Record (MBR)—and force a machine restart when it senses detection.
If any changes to erase or quarantine it are detected, then Rombertik attacks the MBR and puts it in the restart loop. If it is unsuccessful in its attempts, then Rombertik tries to encrypt files stored in the home folder.
The elusive virus was identified by researchers from the Cisco-led Talos Security Intelligence and Research Group. Rombertik has "multiple layers of obfuscation and anti-analysis functionality."
How does Rombertik install itself on a device?
When a user clicks on attachments that accompany malicious e-mails, the self-destructing virus installs itself in that particular computer.
"Rombertik has been identified to propagate via spam and phishing messages sent to would-be victims ... At a high level, Rombertik is a complex piece of malware that is designed to hook into the user's browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre. However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner," explained Ben Baker and Alex Chiu of Cisco.
How does Rombertik manage to avoid detection?
Rombertik has devised several methods to avoid being detected and analyzed.
1. The Rombertik executable contains a massive amount of "garbage code," which the malware does not utilize. This aids it in inflating the volume of the code, which analysts need to assess and review, succeeding in confusing identification processes.
2. The malware also writes a single byte of arbitrary data to the memory a whopping 960 million times. This is effective in misleading sandboxes into thinking the virus to be a regular program. It ends up growing the data log to over 100GB, which is a time-consuming process and further complicates the analysis and detection of the malware.
How can one guard against Rombertik?
1. Keep your anti-virus software updated.
2. Do not click on e-mail attachments from unknown people.
3. Follow e-mail security policies: block certain types of attachments.
Photo: Norlando Pobre | Flickr