Self-destructing virus kills off PCs
teoti ^ | 9:38 pm 05/05/2015 | tricpe

Posted on 05/07/2015 7:01:36 PM PDT by Utilizer

A computer virus that tries to avoid detection by making the machine it infects unusable has been found.

If Rombertik's evasion techniques are triggered, it deletes key files on a computer, making it constantly restart.

Analysts said Rombertik was "unique" among malware samples for resisting capture so aggressively.

On Windows machines where it goes unnoticed, the malware steals login data and other confidential information.

Endless loop

Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost.

Some of the messages Rombertik travels with pose as business enquiry letters from Microsoft.

The malware "indiscriminately" stole data entered by victims on any website, the researchers said.

And it got even nastier when it spotted someone was trying to understand how it worked.

"Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis," the researchers said.

The malware regularly carries out internal checks to see if it is under analysis.

If it believes it is, it will attempt to delete an essential Windows system file called the Master Boot Record (MBR).

It will then restart the machine which, because the MBR is missing, will go into an endless restart loop.

The code replacing the MBR makes the machine print out a message mocking attempts to analyse it.

Restoring a PC with its MBR deleted involves reinstalling Windows, which could mean important data is lost.

Rombertik also uses other tricks to foil analysis.

One involves writing a byte of data to memory 960 million times to overwhelm analysis tools that try to spot malware by logging system activity.

Security expert Graham Cluley said destructive viruses such as Rombertik were quite rare.

"It's not the norm," he said.

"That's because malware these days doesn't want to draw attention to itself, as that works against its typical goal - to lie in wait, stealing information for a long time."


TOPICS: Computers/Internet
KEYWORDS: malware; mbr; pc; virus; windows; windowspinglist
To: dayglored
The problem is that if it's smart, it won't let you intercept the fact that it's running a test. That's somewhat more challenging in these days of multiple cores and threads, but it can usually be done.

They should at least be able to get a read on the outbound payload. If you've got that, you might not be able to prevent the malware from getting in, but you can stop whatever data it's collected from getting back out.

41 posted on 05/07/2015 8:09:19 PM PDT by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)
[ Post Reply | Private Reply | To 35 | View Replies]

To: Billthedrill

You have got to be kidding.

I have users that have complained of a fault with their computer because it would not shut down, only to arrive to troubleshoot it and have to point out to them that there is a message box onscreen that asks them “[]Logout []Reboot []Shutdown” and they have the Reboot box checked off.

No bloody way they will ever be able to restore their MBR all by themselves. I will have to go there and do it for them.

Then there are those who have so many complaints about problem after problem, never mind that they did it to themselves because they downloaded a “free” screensaver program, or mouse pointer changer, or some other free thingy that they just HAD to try out...

Sometimes I just have to tell them to buy a mac.

THEN I have to try to explain to them why their kids' or grandkids' games won't play on the new computer, or why the cute emoticons app they downloaded won't work!

YOU may think this is a simple problem but for the rest of us that have to support these users, malware such as this is no small problem to consider!


42 posted on 05/07/2015 8:10:06 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Bratch

Indeed. Wait until it spreads.


43 posted on 05/07/2015 8:10:54 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them)
[ Post Reply | Private Reply | To 18 | View Replies]

To: doomtrooper99
I reinstalled MAC OSX, only once, when I took my MAC Mini to work and wanted to scrub personal data and software.

The only MACs we have are a couple of them that the web devs use for QA. They're on a guest VLAN that vendors can use while they're there, but other than that nothing that doesn't belong to the company connects to the network.

44 posted on 05/07/2015 8:17:34 PM PDT by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)
[ Post Reply | Private Reply | To 39 | View Replies]

To: Excuse_My_Bellicosity

It helps if you do frequent backups and if you have your important data on a separate partition. However, the majority of users do not do either of those things, and if the MBR and backup are erased and you have multiple partitions on the main drive, recovery will be problematical if you do not know where the partition breaks were in the original configuration.

For instance, on this machine the important data is on sda3 but on other machines it can be on hda5 or sda6, depending.

Most users treat their PC like an appliance: turn it on, read and send emails, view certain websites. Reconfiguring or reconstructing their machines is not in the cards.


45 posted on 05/07/2015 8:20:22 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Utilizer

Whoever makes these things needs to be drawn and quartered


46 posted on 05/07/2015 8:38:39 PM PDT by GeronL (Clearly Cruz 2016)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dennisw

I also try to have a fairly recent clone of the main hard drive that I can swap out. That plus retrieving data off of the infected drive, as you suggest, has saved my hide on more than one occasion.


47 posted on 05/07/2015 8:39:12 PM PDT by mom of young patriots
[ Post Reply | Private Reply | To 12 | View Replies]

To: Utilizer

wow


48 posted on 05/07/2015 8:39:38 PM PDT by GeronL (Clearly Cruz 2016)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Squawk 8888

Important fact you are overlooking: YOU have done it (restoring MBR) for CLIENTS. THEY were not able to do it THEMSELVES, therefore: NOT “child’s play”.


49 posted on 05/07/2015 8:41:31 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them)
[ Post Reply | Private Reply | To 36 | View Replies]

To: Utilizer

Then compound the fustercluck with an encrypted disk.


50 posted on 05/07/2015 8:42:12 PM PDT by miliantnutcase
[ Post Reply | Private Reply | To 45 | View Replies]

To: Utilizer

I recommend capital punishment for the animals who create these things. A firing squad would be too kind.


51 posted on 05/07/2015 8:45:36 PM PDT by Steve_Seattle
[ Post Reply | Private Reply | To 1 | View Replies]

To: Utilizer

A week ago my second desktop started acting weird, constantly restarting. I fixed the problem by hitting the F2 key and got into Windows. I then ran two anti-virus programs and it hasn’t recurred. Don’t know if this is related but I had never had that happen before. That was my wife’s computer and she is sure that she didn’t download anything but I’m guessing something was downloaded.


52 posted on 05/07/2015 9:33:28 PM PDT by RichardW
[ Post Reply | Private Reply | To 1 | View Replies]

To: Utilizer
Restoring a PC with its MBR deleted involves reinstalling Windows, which could mean important data is lost.

BS!

Boot into the recovery console:

bootrec /fixmbr
bootrec /fixboot

And you're back. Granted, your system is still infected, but you're not in a boot loop.

I have to imagine they've figured out how to isolate and study this. Virtual machines are a wonderful thing.

53 posted on 05/08/2015 2:41:54 AM PDT by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Utilizer

Linux live discs anyone? May be the only way to go and on a sacrificial machine at that.


54 posted on 05/08/2015 6:46:50 AM PDT by wally_bert (There are no winners in a game of losers. I'm Tommy Joyce, welcome to the Oriental Lounge.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: wally_bert

We create a VM with browsers/internet and disable the browsers/Internet from the root OS. If they get infected, you just blow away the VM.


55 posted on 05/08/2015 6:50:24 AM PDT by AppyPappy (If you are not part of the solution, there is good money to be made prolonging the problem.)
[ Post Reply | Private Reply | To 54 | View Replies]

To: dayglored
If all that's overwritten is the MBR itself, that can be reconstructed. Hell even old FDISK/MBR might do it.

For Windows 7+, the command is apparently

BootRec.exe /fixmbr

Not having a copy of windows around here, I can't verify that.

What I'm wondering about this is if the 'scr' file it creates has to be executed by the user, or if just rendering it in the preview window will effectively 'run' it?

Another example of Windows' insane decision of making files executable based on names bites their users.

Also, do you have to be administrator to make this work?

 

56 posted on 05/08/2015 8:03:16 AM PDT by zeugma (Are there more nearby spiders than the sun is big?)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Utilizer
You have got to be kidding.

LOL! Awesome rant. Can't find a single word that hasn't come out of my mouth at one time or other so I guess I'll just BTT it.

(OK, I stole it too)

57 posted on 05/08/2015 9:05:42 AM PDT by Billthedrill
[ Post Reply | Private Reply | To 42 | View Replies]

To: Utilizer

Sounds like Rombertik has been through some serious SERE training.       =;^)


58 posted on 05/08/2015 9:20:31 AM PDT by Bloody Sam Roberts ("It is never untimely to yank the rope of freedom's bell." - - Frank Capra)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Billthedrill
No, it doesn't.

It is far simpler to have an image backup done once per week...keeping several past images on hand...and on a separate HD.

If Rombertik hoses the drive, wipe the drive and re-image the drive from a clean copy.

This is what I do with Macrium Reflect and it has saved my bacon numerous times.

59 posted on 05/08/2015 9:31:04 AM PDT by Bloody Sam Roberts ("It is never untimely to yank the rope of freedom's bell." - - Frank Capra)
[ Post Reply | Private Reply | To 10 | View Replies]

To: zeugma
Yep, BootRec.exe is part of the Windows Recovery Environment (RE).

https://support.microsoft.com/en-us/kb/927392

Hell of a tool. Check out the options:

/FixMbr

This option writes a Windows 7 or Windows Vista-compatible MBR to the system partition. It does not overwrite the existing partition table. Use this option when you must resolve MBR corruption issues, or when you have to remove nonstandard code from the MBR.

/FixBoot

This option writes a new boot sector to the system partition by using a boot sector that's compatible with Windows Vista or Windows 7. Use this option if one of the following conditions is true:

/ScanOs

This option scans all disks for installations that are compatible with Windows Vista or Windows 7. It also displays the entries that are currently not in the BCD store. Use this option when there are Windows Vista or Windows 7 installations that the Boot Manager menu does not list.

/RebuildBcd

This option scans all disks for installations that are compatible with Windows Vista or Windows 7. Additionally, it lets you select the installations that you want to add to the BCD store. Use this option when you must completely rebuild the BCD store.

BCD is of course the multi-boot info, sort of a GRUB-equivalent.

60 posted on 05/08/2015 10:13:31 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)
[ Post Reply | Private Reply | To 56 | View Replies]
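The partition-layout problem raised in post 45 (recovery is hard if you don't know where the partition breaks were) and the /FixMbr behaviour quoted in post 60 (rewrite the boot code, leave the partition table alone), worked as an added example. This is Python written for this page; it is not code from the article, from the Cisco researchers, or from any poster. It parses a classic MBR, keeps a backup of sector 0, restores it after a simulated wipe, and also shows a boot-code-only repair that preserves the on-disk partition table. The disk, the boot code bytes and the partition entries are all constructed; `disk` is a bytearray standing in for a raw block device or disk image.

```python
# Added example (not from the article or any forum post): back up, inspect and
# restore a classic MS-DOS MBR so that a wiped sector 0 can be repaired without
# having to remember the partition layout.  All sample data is constructed.
import struct

SECTOR = 512
BOOTSTRAP_LEN = 446           # bytes 0..445: boot code
TABLE_OFF = 446               # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"       # bytes 510..511: boot signature
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and sectors == 0:        # unused slot
            continue
        entries.append({"slot": i + 1, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start,
                        "sectors": sectors})
    return entries


def mbr_looks_intact(mbr: bytes) -> bool:
    """Heuristic: boot signature present and at least one partition defined."""
    return (len(mbr) == SECTOR and mbr[510:512] == SIGNATURE
            and len(parse_partition_table(mbr)) > 0)


def backup_mbr(disk: bytearray) -> bytes:
    """Copy sector 0; in practice keep this copy off the machine."""
    return bytes(disk[:SECTOR])


def restore_mbr(disk: bytearray, backup: bytes) -> None:
    """Full restore: boot code, partition table and signature from the backup."""
    if not mbr_looks_intact(backup):
        raise ValueError("refusing to restore from a backup that is not a valid MBR")
    disk[:SECTOR] = backup


def restore_bootstrap_only(disk: bytearray, clean_code: bytes) -> None:
    """Rewrite only the 446 bytes of boot code and keep the on-disk partition
    table (the same shape of repair as a 'fresh MBR, do not touch the table'
    tool).  Only useful while the table itself is still there."""
    if len(clean_code) != BOOTSTRAP_LEN:
        raise ValueError("boot code must be exactly 446 bytes")
    disk[:BOOTSTRAP_LEN] = clean_code
    disk[510:512] = SIGNATURE


def _entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are left zero; modern boot code uses the LBA fields.
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed MBR: bootable NTFS in slot 1, a data partition in slot 3."""
    code = bytes([0xfa, 0x33, 0xc0]) + b"\x90" * (BOOTSTRAP_LEN - 3)  # placeholder boot code
    table = (_entry(True, 0x07, 2048, 204800)        # slot 1: bootable NTFS
             + _entry(False, 0x00, 0, 0)             # slot 2: empty
             + _entry(False, 0x83, 206848, 409600)   # slot 3: Linux data (the "sda3" case)
             + _entry(False, 0x00, 0, 0))            # slot 4: empty
    return code + table + SIGNATURE


def make_sample_disk(total_sectors: int = 64) -> bytearray:
    """Constructed disk image with the sample MBR in sector 0."""
    disk = bytearray(total_sectors * SECTOR)
    disk[:SECTOR] = build_sample_mbr()
    return disk


def wipe_mbr(disk: bytearray) -> None:
    """Simulate the destructive step: sector 0 overwritten with zeros."""
    disk[:SECTOR] = bytes(SECTOR)


def demo() -> dict:
    """Back up, wipe, restore; returns what each step observed."""
    disk = make_sample_disk()
    backup = backup_mbr(disk)
    before = parse_partition_table(backup)
    wipe_mbr(disk)
    intact_after_wipe = mbr_looks_intact(bytes(disk[:SECTOR]))
    restore_mbr(disk, backup)
    after = parse_partition_table(bytes(disk[:SECTOR]))
    return {"partitions": before, "intact_after_wipe": intact_after_wipe,
            "restored_ok": before == after}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the parsed layout, shows the wiped sector failing the intact check, and confirms the restored sector parses to the same two partitions. The point of keeping the backup off the machine is the one made in post 45: once sector 0 is gone, the LBA offsets in the table are the only record of where each partition starts.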

