Posted on 05/07/2015 7:01:36 PM PDT by Utilizer
A computer virus that tries to avoid detection by making the machine it infects unusable has been found.
If Rombertik's evasion techniques are triggered, it deletes key files on a computer, making it constantly restart.
Analysts said Rombertik was "unique" among malware samples for resisting capture so aggressively.
On Windows machines where it goes unnoticed, the malware steals login data and other confidential information. Endless loop
Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost.
Some of the messages Rombertik travels with pose as business enquiry letters from Microsoft.
The malware "indiscriminately" stole data entered by victims on any website, the researchers said.
And it got even nastier when it spotted someone was trying to understand how it worked.
"Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis," the researchers said.
The malware regularly carries out internal checks to see if it is under analysis.
If it believes it is, it will attempt to delete an essential Windows system file called the Master Boot Record (MBR).
It will then restart the machine which, because the MBR is missing, will go into an endless restart loop.
The code replacing the MBR makes the machine print out a message mocking attempts to analyse it.
Restoring a PC with its MBR deleted involves reinstalling Windows, which could mean important data is lost.
Rombertik also uses other tricks to foil analysis.
One involves writing a byte of data to memory 960 million times to overwhelm analysis tools that try to spot malware by logging system activity.
Security expert Graham Cluley said destructive viruses such as Rombertik were quite rare.
"It's not the norm," he said.
"That's because malware these days doesn't want to draw attention to itself, as that works against its typical goal - to lie in wait, stealing information for a long time."
No. The EFI uses a completely different partition table, GPT.
On computers that support booting directly from GPT disks in EFI mode, there may or may not be an MBR at all. Some modern disk utilities, however, will refuse to re-partition the drive if the MBR does not exist. (You would have to erase the entire partition table, and start over)
Otherwise, the disk usually contains a stub MBR whose purpose is to store a custom bootloader for the rest of the GPT disk, in exactly the same way Dynamic Disk Overlays (Kroll) were used in the 90s for large hard drives to overcome various capacity limits.
That’s what I suspected. This won’t work on newer versions of Windows, installed with Safe Boot enabled.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.