Rombertik Malware Destroys Computers If Detected


20 replies to this topic

#1 saw101 (Members, 415 posts, Gender: Male, Location: The Great Pacific Northwest)

Posted 05 May 2015 - 01:36 AM

A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims.

The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window. It is being spread through spam and phishing messages, according to Cisco’s Talos Group blog on Monday.

Rombertik goes through several checks once it is up and running on a Windows computer to see if it has been detected.

That behavior is not unusual for some types of malware, but Rombertik “is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” wrote Ben Baker and Alex Chiu of the Talos Group.

 

Read Full Article Here: http://www.pcworld.com/article/2918632/rombertik-malware-destroys-computers-if-detected.html#tk.rss_all


I never make the same mistake twice....I always make it 5 or 6 times just to be sure!



#2 Sintharius, Bleepin' Sniper (Members, 5,639 posts, Gender: Female, Location: The Netherlands)

Posted 05 May 2015 - 02:19 AM

I don't see the point of being this destructive, to be honest... cybercriminals are out there to make money, and destroying computers won't do them any good. (well, unless it was a ploy to fool researchers...)

#3 quietman7, Bleepin' Janitor (Global Moderator, 51,139 posts, Gender: Male, Location: Virginia, USA)

Posted 05 May 2015 - 05:34 AM

Sintharius wrote:
    I don't see the point of being this destructive, to be honest... cybercriminals are out there to make money, and destroying computers won't do them any good. (well, unless it was a ploy to fool researchers...)

If the intended use is against other governments the attacker deems as hostile, that would explain the destructive nature.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donate button].

#4 Sintharius, Bleepin' Sniper (Members, 5,639 posts, Gender: Female, Location: The Netherlands)

Posted 05 May 2015 - 05:36 AM

If that was the case then I would expect some specialized targeting routines similar to Stuxnet. But then, what do I know?

#5 myrti, Sillyberry (Malware Study Hall Admin, 33,768 posts, Gender: Female, Location: At home)

Posted 05 May 2015 - 06:53 AM

From Cisco's description, they destroy the machine if they detect an attempt at analysis. So it's an anti-analysis technique, even if it's a quite extreme one. They want to piss off malware analysers and their setups, which, for them, obviously are the bad guys, and they want to harm them.
The malware either starts spying or deletes the MBR; it doesn't do both. Deleting the malware once it has been activated shouldn't pose the same danger.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 Aura, Bleepin' Special Ops (Malware Response Team, 19,545 posts, Gender: Male)

Posted 05 May 2015 - 10:16 AM

myrti wrote:
    They want to piss off malware analysers and their setups, which, for them, obviously are the bad guys and they want to harm them.

Looks like they didn't succeed against Cisco's Talos Group :P

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 RolandJS (Members, 4,507 posts, Gender: Male, Location: Austin TX metro area)

Posted 05 May 2015 - 10:22 AM

What would be the best solution if one suspects the dreaded R is in the computer?


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#8 Naught McNoone (Members, 305 posts, Gender: Male, Location: The Great White North)

Posted 05 May 2015 - 11:03 AM

RolandJS wrote:
    What would be the best solution if one suspects the dreaded R is in the computer?

 

I suspect that removal may have to be done from a live CD/DVD or USB to prevent the infection from becoming active on boot.
 
Cheers!
 
Naught
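Naught's suggestion of working from a live CD/DVD or USB raises a practical question that the thread does not answer: how to tell, before trying to boot the installed system, whether the MBR that myrti mentions has actually been deleted. The Python script below is an added example, not code from this thread, from Cisco or from any of the posters. It reads the first 512 bytes of a disk or disk image, checks the 0x55AA boot signature and the four 16-byte partition table entries, and classifies the sector as intact, wiped (all zeros), or overwritten with something that is neither valid code nor a valid table. The sample sectors at the bottom are constructed for the demonstration, and the device path /dev/sda is an assumption about the target machine.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_END = 446           # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16     # four entries occupy bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def inspect_mbr(sector: bytes) -> dict:
    """Classify a 512-byte first sector as intact, wiped, or overwritten."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")

    signature_ok = sector[510:512] == BOOT_SIGNATURE
    boot_code_empty = not any(sector[:BOOT_CODE_END])
    entries = [
        parse_partition_entry(
            sector[BOOT_CODE_END + i * PARTITION_ENTRY_SIZE:
                   BOOT_CODE_END + (i + 1) * PARTITION_ENTRY_SIZE]
        )
        for i in range(4)
    ]
    # Partition type 0x00 marks an unused table slot.
    partitions = [e for e in entries if e["type"] != 0]

    if signature_ok and partitions:
        verdict = "intact"
    elif not signature_ok and boot_code_empty and not partitions:
        verdict = "wiped"                   # sector zeroed: signature and table gone
    elif signature_ok and not partitions:
        verdict = "empty-partition-table"   # signature present but nothing to boot
    else:
        verdict = "overwritten"             # junk where code or table should be

    return {"signature_ok": signature_ok, "partitions": partitions, "verdict": verdict}


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device or raw image (root needed for /dev/sda)."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed sample data (not captured from a real machine):
# one bootable NTFS (0x07) partition starting at LBA 2048, 1,000,000 sectors long.
_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                     2048, 1_000_000)
SAMPLE_INTACT = (
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_END - 8)
    + _ENTRY + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    + BOOT_SIGNATURE
)
SAMPLE_WIPED = b"\x00" * MBR_SIZE        # zeroed sector
SAMPLE_OVERWRITTEN = b"\xcc" * MBR_SIZE  # filler bytes, no signature, bogus table

if __name__ == "__main__":
    import sys
    # Assumed usage from a live environment: python3 mbr_check.py /dev/sda
    data = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INTACT
    result = inspect_mbr(data)
    print(result["verdict"], result["partitions"])
```

With no argument the script checks the constructed intact sample; from a live environment it is run against the real disk as root. A "wiped" or "overwritten" verdict means the installed system will not boot on its own and the partition table will have to be rebuilt from a backup or from a tool that scans for filesystem headers; an "intact" verdict says nothing about whether the malware files themselves are still present, so it is a precondition for cleanup, not a clean bill of health.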


#9 1PW (Members, 316 posts, Gender: Male, Location: North of the 38th parallel.)

Posted 05 May 2015 - 07:26 PM

Despite all our teachings and efforts to the contrary, sometimes Bare Metal Restore can be the most economic pathway to recovery.

 

Yet prevention still trumps all every time.


Edited by 1PW, 05 May 2015 - 07:29 PM.

All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.


#10 simrick (Members, 80 posts, Gender: Not Telling)

Posted 07 May 2015 - 09:59 PM

Naught McNoone wrote:
    RolandJS wrote:
        What would be the best solution if one suspects the dreaded R is in the computer?

    I suspect that removal may have to be done from a live CD/DVD or USB to prevent the infection from becoming active on boot.

    Cheers!

    Naught

What is best to use as a live CD/DVD cleaner?



#11 Aura, Bleepin' Special Ops (Malware Response Team, 19,545 posts, Gender: Male)

Posted 08 May 2015 - 05:17 AM

Kaspersky's Rescue CD works well. If you know what you're doing, you could boot into a Live Linux distro (like Ubuntu) and remove the infection manually from there (the files at least).



#12 quietman7, Bleepin' Janitor (Global Moderator, 51,139 posts, Gender: Male, Location: Virginia, USA)

Posted 08 May 2015 - 04:11 PM

List of Anti-virus vendors that offer free LiveCD/Rescue CD utilities

#13 simrick (Members, 80 posts, Gender: Not Telling)

Posted 10 May 2015 - 10:13 PM

 

TYVM!



#14 PhotoAce (Members, 165 posts, Gender: Male, Location: New Zealand)

Posted 10 May 2015 - 11:31 PM

More about Rombertik - "So, it seems that the Rombertik malware is not an actual standalone malware at all, but an obfuscating wrapper "

https://www.bluecoat.com/security-blog/2015-05-07/impact-rombertik



#15 myrti, Sillyberry (Malware Study Hall Admin, 33,768 posts, Gender: Female, Location: At home)

Posted 11 May 2015 - 06:55 AM

I would like to highlight once more a part of the article:

    The malware reacts to reverse engineering by wiping the hard disk, but does not trigger if it is not reverse engineered.
    [...]
    This leads us to believe that the real-life impact of this destructive strategy is minor.
    Source: https://www.bluecoat.com/security-blog/2015-05-07/impact-rombertik

If you do not reverse engineer the infection, you do not run the risk of getting your hard drive wiped. While using a LiveCD cannot hurt, it is absolutely not necessary. These are not tripwires that will activate if you remove the malware, only if you try to analyse it.
Normal users infected by this infection can delete the files in the same way as they would delete any other infection. This is also why nobody has been offering special removal guides for this infection.
The interesting side of the malware concerns only malware analysers, not malware victims.

regards
myrti





