Posted on 05/07/2015 7:01:36 PM PDT by Utilizer
A piece of malware that responds to attempts to analyse it by rendering the infected machine unbootable has been found.
If Rombertik's evasion checks are triggered, it overwrites the boot sector of the computer's disk, leaving the machine unable to load Windows and stuck in a restart loop.
Analysts said Rombertik was "unique" among malware samples for resisting capture so aggressively.
On Windows machines where it goes unnoticed, the malware steals login data and other confidential information.

Endless loop
Rombertik typically infects a machine after the user opens a booby-trapped attachment on a phishing message, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost. No software vulnerability is needed; the victim runs the attachment.
Some of the messages Rombertik travels with pose as business enquiry letters from Microsoft.
The malware "indiscriminately" stole data entered by victims on any website, the researchers said.
And it got even nastier when it spotted someone was trying to understand how it worked.
"Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis," the researchers said.
The malware regularly carries out internal checks to see if it is under analysis, for example inside a sandbox or a debugger.
If it believes it is, it attempts to overwrite the Master Boot Record (MBR). The MBR is not a Windows system file but the first 512-byte sector of the disk, holding the boot code that starts Windows and the table that records where the partitions begin and end.
It then restarts the machine which, because the boot code is gone, never gets as far as loading Windows and goes into an endless restart loop.
The code written in place of the original MBR makes the machine print out a message mocking attempts to analyse it.
Restoring a PC with its MBR overwritten means rewriting the boot sector from recovery media or reinstalling Windows; whether the data on the disk can still be reached depends on whether the partition table survived, so important data could be lost.
Rombertik also uses other tricks to foil analysis.
One involves writing a single byte of data to memory 960 million times, generating so much activity that analysis tools which log every write or system call are overwhelmed or run out of log space before reaching the malicious code.
Security expert Graham Cluley said destructive viruses such as Rombertik were quite rare.
"It's not the norm," he said.
"That's because malware these days doesn't want to draw attention to itself, as that works against its typical goal - to lie in wait, stealing information for a long time."
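The recovery question the article raises (can the boot code be rewritten, and does the data survive?) comes down to what is left in the first sector of the disk. The following Python inspector is an added example and is not code from the BBC article or from Cisco's analysis. It parses a 512-byte MBR sector, classifies it as healthy, boot-code-replaced, partition-table-lost or signature-missing, and rewrites only the first 446 bytes of boot code while preserving the partition table, which is the same contract the Microsoft `bootrec /fixmbr` tool documents for itself. All sectors are constructed inline; the boot-code byte strings are stand-ins, not real loader code and not Rombertik's payload; and because the article does not say whether the real sample preserves the partition table, both outcomes are modelled.

```python
"""Inspect and repair a 512-byte Master Boot Record (MBR) sector.

Added example, not from the BBC article or Cisco's write-up. Every sample
sector below is constructed by hand; no disk is read or written.
"""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot loader code
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510          # bytes 510..511: boot signature 0x55 0xAA
SIGNATURE = b"\x55\xAA"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def pad_code(code: bytes) -> bytes:
    """Pad or truncate boot code to exactly the 446-byte code area."""
    return code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]


def parse_mbr(sector: bytes) -> dict:
    """Return the signature state, boot code and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # empty slot (or a zeroed table)
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[SIGNATURE_OFF:] == SIGNATURE,
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
    }


def triage(sector: bytes, known_good_code: bytes) -> str:
    """Classify a sector against a reference copy of the expected boot code."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "signature_missing"        # sector zeroed or replaced wholesale
    if not info["partitions"]:
        return "partition_table_lost"     # rewriting boot code will not bring data back
    if info["boot_code"] != pad_code(known_good_code):
        return "boot_code_replaced"       # partition table intact: fixable in place
    return "healthy"


def fix_mbr(sector: bytes, known_good_code: bytes) -> bytes:
    """Rewrite the boot code only, keeping bytes 446..509 (the partition table)."""
    return pad_code(known_good_code) + sector[PART_TABLE_OFF:SIGNATURE_OFF] + SIGNATURE


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Construct a sector from boot code and (status, type, lba_start, count) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, s, t, lba, n) for s, t, lba, n in entries)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return pad_code(boot_code) + table + SIGNATURE


# Constructed samples. GOOD_CODE is a stand-in prologue (cli / xor ax,ax / mov ss,ax /
# mov sp,7C00h), not a real loader; HOSTILE_CODE is a jmp-to-self plus filler text,
# standing in for the mocking-message code the article describes.
GOOD_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
HOSTILE_CODE = b"\xEB\xFE" + b"boot code replaced by analysis trap"
ENTRIES = [(0x80, 0x07, 2048, 1_024_000),          # bootable NTFS system partition
           (0x00, 0x07, 1_026_048, 100_000_000)]   # NTFS data partition
HEALTHY = build_mbr(GOOD_CODE, ENTRIES)
HIJACKED = build_mbr(HOSTILE_CODE, ENTRIES)        # boot code swapped, table kept
WIPED = build_mbr(HOSTILE_CODE, [])                # boot code swapped, table zeroed

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY), ("hijacked", HIJACKED), ("wiped", WIPED)):
        print(f"{name:9s} before: {triage(sector, GOOD_CODE):22s} "
              f"after fix_mbr: {triage(fix_mbr(sector, GOOD_CODE), GOOD_CODE)}")
```

The point of the `triage` split is the one a responder needs before touching the disk: if the partition table is still there, rewriting the boot code (here `fix_mbr`, on a real system `bootrec /fixmbr`) gets the machine booting with the data untouched; if the table is gone, the same repair leaves a bootable-looking sector that still points at nothing, and recovery means an image backup or reconstructing the partition boundaries.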
They should at least be able to get a read on the outbound payload. If you've got that, you might not be able to prevent the malware from getting in, but you can stop whatever data it's collected from getting back out.
You have got to be kidding.
I have users that have complained of a fault with their computer because it would not shut down, only to arrive to troubleshoot it and have to point out to them that there is a message box onscreen that asks them “[]Logout []Reboot []Shutdown” and they have the Reboot box checked off.
No bloody way they will ever be able to restore their MBR all by themselves. I will have to go there and do it for them.
Then there are those who have so many complaints about problem after problem, never mind that they did it to themselves because they downloaded a “free” screensaver program, or mouse pointer changer, or some other free thingy that they just HAD to try out...
Sometimes I just have to tell them to buy a mac.
THEN I have to try to explain to them why their kids or grandkids games won’t play on the new computer, or why the cute emoticons app they downloaded won’t work!
YOU may think this is a simple problem but for the rest of us that have to support these users, malware such as this is no small problem to consider!
Indeed. Wait until it spreads.
The only MACs we have are a couple of them that the web devs use for QA. They're on a guest VLAN that vendors can use while they're there, but other than that nothing that doesn't belong to the company connects to the network.
It helps if you do frequent backups and if you have your important data on a separate partition. However, the majority of users do not do either of those things, and if the MBR and backup are erased and you have multiple partitions on the main drive, recovery will be problematical if you do not know where the partition breaks were in the original configuration.
For instance, on this machine the important data is on sda3 but on other machines it can be on hda5 or sda6, depending.
Most users treat their PC like an appliance: turn it on, read and send emails, view certain websites. Reconfiguring or reconstructing their machines is not in the cards.
Whoever makes these things need to be drawn and quartered
I also try to have a fairly recent clone of the main hard drive that I can swap out. That plus retrieving data off of the infected drive, as you suggest, has saved my hide on more than one occasion.
wow
Important fact you are overlooking: YOU have done it (restoring MBR) for CLIENTS. THEY were not able to do it THEMSELVES, therefore: NOT “child’s play”.
Then compound the fustercluck with an encrypted disk.
I recommend capital punishment for the animals who create these things. A firing squad would be too kind.
A week ago my second desktop started acting weird, constantly restarting. I fixed the problem by hitting the F2 key and got into Windows. I then ran two anti-virus programs and it hasn’t recurred. Don’t know if this is related but I had never had that happen before. That was my wife’s computer and she is sure that she didn’t download anything but I’m guessing something was downloaded.
BS!
Boot into the recovery console:
bootrec /fixmbr
bootrec /fixboot
And you're back. Granted, your system is still infected, but you're not in a boot loop.
I have to imagine they've figured out how to isolate and study this. Virtual machines are a wonderful thing.
Linux live discs anyone? May be the only way to go and on a sacrificial machine at that.
We create a VM with browsers/internet and disable the browsers/Internet from the root OS. If they get infected, you just blow away the VM.
For Windows 7+, the command is apparently
BootRec.exe /fixmbr
Not having a copy of windows around here, I can't verify that.
What I'm wondering about this is if the 'scr' file it creates has to be executed by the user, or if just rendering it in the preview window will effectively 'run' it?
Another example of window's insane decision of making files executable based on names bites their users.
Also, do you have to be administrator to make this work?
LOL! Awesome rant. Can't find a single word that hasn't come out of my mouth at one time or other so I guess I'll just BTT it.
(OK, I stole it too)
Sounds like Rombertik has been through some serious SERE training. =;^)
It is far simpler to have an image backup done once per week...keeping several past images on hand...and on a separate HD.
If Rombertik hoses the drive, wipe the drive and re-image the drive from a clean copy.
This is what I do with Macrium Reflect and it has saved my bacon numerous times.
https://support.microsoft.com/en-us/kb/927392
Hell of a tool. Check out the options:
/FixMbr
This option writes a Windows 7 or Windows Vista-compatible MBR to the system partition. It does not overwrite the existing partition table. Use this option when you must resolve MBR corruption issues, or when you have to remove nonstandard code from the MBR.
/FixBoot
This option writes a new boot sector to the system partition by using a boot sector that's compatible with Windows Vista or Windows 7. Use this option if one of the following conditions is true:
- The boot sector was replaced with a nonstandard Windows Vista or Windows 7 boot sector.
- The boot sector is damaged.
- An earlier Windows operating system was installed after Windows Vista or Windows 7 was installed. In this situation, the computer starts by using Windows NT Loader (NTLDR) instead of Windows Boot Manager (Bootmgr.exe).
/ScanOs
This option scans all disks for installations that are compatible with Windows Vista or Windows 7. It also displays the entries that are currently not in the BCD store. Use this option when there are Windows Vista or Windows 7 installations that the Boot Manager menu does not list.
/RebuildBcd
This option scans all disks for installations that are compatible with Windows Vista or Windows 7. Additionally, it lets you select the installations that you want to add to the BCD store. Use this option when you must completely rebuild the BCD store.
(BCD is of course the multi-boot info, sort of a GRUB-equivalent.)