Self-destructing virus kills off PCs
A computer virus that tries to avoid detection by making the machine it infects unusable has been found.
If Rombertik’s evasion techniques are triggered, it deletes key files on a computer, making it constantly restart.
Analysts said Rombertik was “unique” among malware samples for resisting capture so aggressively.
On Windows machines where it goes unnoticed, the malware steals login data and other confidential information.
Endless loop
Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost.
Some of the messages Rombertik travels with pose as business enquiry letters from Microsoft.
The malware “indiscriminately” stole data entered by victims on any website, the researchers said.
And it got even nastier when it spotted someone was trying to understand how it worked.
“Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” the researchers said.
The malware regularly carries out internal checks to see if it is under analysis.
If it believes it is, it attempts to overwrite the Master Boot Record (MBR). The MBR is not a Windows system file but the first sector of the boot disk: it holds the small piece of code the BIOS runs to start the operating system and the table that records where the disk's partitions are.
It then restarts the machine which, with its original MBR gone, can no longer find Windows and goes into an endless restart loop.
The code that replaces the MBR makes the machine print out a message mocking attempts to analyse it.
Restoring a PC whose MBR has been overwritten usually means reinstalling Windows, which could mean important data is lost. The boot sector itself can be rewritten from Windows recovery media (bootrec /fixmbr rewrites the boot code without touching the partition table), but that repairs only the MBR and nothing else the malware may have done, so take a full disk image before attempting any repair.
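The check below is an added example, not code from the article or from Cisco's write-up. It shows what an incident responder can verify from the first 512 bytes of a disk image when MBR sabotage is suspected: the 0x55AA boot signature, the four partition entries, and a SHA-256 of the boot-code region compared against a known-good baseline. The three sample sectors are constructed for the example (the "good" boot-code bytes are a short stand-in, not a real bootloader), and the baseline hash is simply taken from the constructed good sector.

```python
import hashlib
import struct
import sys
from typing import List, Optional

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446              # bytes 0..445: boot code run by the BIOS
PARTITION_TABLE_OFFSET = 446      # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511: required for the BIOS to boot
# Entry layout: status, CHS start (3 bytes, skipped), type, CHS end (3 bytes,
# skipped), LBA of first sector, sector count; all little-endian.
PARTITION_ENTRY_FORMAT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into signature status, boot-code hash and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY_FORMAT, sector, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": entries,
    }


def assess_mbr(sector: bytes, known_bootstrap_sha256: Optional[str] = None) -> List[str]:
    """Return findings that suggest the MBR was overwritten; an empty list means it looks intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if all(p["type"] == 0 for p in info["partitions"]):
        findings.append("partition table empty")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {i}: non-zero type but zero length")
    if known_bootstrap_sha256 and info["bootstrap_sha256"] != known_bootstrap_sha256:
        findings.append("boot code differs from baseline")
    return findings


def build_mbr(bootstrap: bytes, partitions, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a synthetic MBR sector (used here only to construct sample data)."""
    sector = bytearray(MBR_SIZE)
    stub = bootstrap[:BOOTSTRAP_SIZE]
    sector[:len(stub)] = stub
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        struct.pack_into(PARTITION_ENTRY_FORMAT, sector, off, status, ptype, lba_start, sectors)
    sector[510:512] = signature
    return bytes(sector)


# Constructed sample sectors (not captured from a real disk or from Rombertik):
# a healthy MBR with one bootable NTFS partition starting at LBA 2048, an MBR
# whose boot code was replaced and whose partition table was zeroed, and a
# sector that is all zeros.
GOOD_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 1048576)])
REPLACED_MBR = build_mbr(b"<replacement boot code stub>", [])
ZEROED_MBR = bytes(MBR_SIZE)
GOOD_BOOTSTRAP_HASH = parse_mbr(GOOD_MBR)["bootstrap_sha256"]


if __name__ == "__main__":
    # Usage: python mbr_check.py /path/to/disk.img [baseline-boot-code-sha256]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sector = f.read(MBR_SIZE)
        baseline = sys.argv[2] if len(sys.argv) > 2 else None
        print(assess_mbr(sector, baseline) or ["no findings"])
    else:
        for name, sector in [("good", GOOD_MBR), ("replaced", REPLACED_MBR), ("zeroed", ZEROED_MBR)]:
            print(name, assess_mbr(sector, GOOD_BOOTSTRAP_HASH) or ["no findings"])
```

Run it against a raw image (dd output or a forensic image converted to raw) rather than the live disk of the affected machine. A replacement MBR that still carries the 0x55AA signature is the case to expect from malware of this kind, since the BIOS would not execute the mocking code otherwise; that is why the example does not stop at the signature check and also looks at the partition table and the boot-code hash.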
Rombertik also uses other tricks to foil analysis.
One involves writing a byte of data to memory 960 million times to overwhelm analysis tools that try to spot malware by logging system activity.
Security expert Graham Cluley said destructive viruses such as Rombertik were quite rare.
“It’s not the norm,” he said.
“That’s because malware these days doesn’t want to draw attention to itself, as that works against its typical goal – to lie in wait, stealing information for a long time.”
“Security expert Graham Cluley said destructive viruses such as Rombertik were quite rare.” Is that comment supposed to make us feel safer? Doesn’t matter that it’s “rare”. This one is alive and doing its intended malicious damage.
I wonder what the world would look like if these malware writer folk used their talents for doing good.
Interesting question. Probably be much more good freeware!
Well once again, use common sense, an XP operating system and free antivirus and who is afraid of the big bad Rombertik! Eh??
Is there, or will there be, a fix for this nasty…
It’s not in the wild – i.e. not in circulation yet. By the time it is, I would imagine most security software companies will be aware of it and offer defenses against it; it’s too early to tell though.
Bigart... Irrespective of the OS, free antivirus does not stop a virus, including Rombertik.
If you have taken note of the advice from TC & EB, anti-virus programs are not 100% guaranteed to completely protect a computer every moment they are operating.
Emsisoft, not free, does a much better job of detecting many more ‘nasties’ than viruses alone, all types of malware that can infect a computer, at the same time it is up to the operator to be 100% vigilant in checking everything that is in the queue waiting to enter the computer.
Vigilance means checking carefully anything which is remotely suspicious or understood, and if there is doubt, run the information through Emsisoft for approval, or learn how by asking.
Be very aware, and it has been said many times here in the past, many free anti-virus programs have been known to miss catching many ‘nasties’, and it is wise to keep up with the regular laboratory tests of every well-known anti-virus program, because several are a waste of computer space for their ineffective protection, and two ‘anti-virus’ programs are in the spotlight at the moment for falsifying, or not supplying correct information for testing.
Read the report :-
http://www.av-test.org/fileadmin/pdf/VB-AVC-AVT-press-release.pdf
I am not a business person so I ignore all letters or go directly to the web site to check it out before opening anything. Is it a pain? No, but opening the letter could be the biggest pain and loss we have ever seen on a PC. So stick with this thought: Microsoft will not send any letters to you, the personal user, and if they did, do not open it but contact Microsoft to see if it is legit. My bank sends stuff to me but I never open the web site from email; I always go direct to them or call them.