'Rombertik' malware can destroy your PC if detected
Security experts have issued a major alert over a new type of malware that can cripple a computer if it is detected during security checks.
The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window.
It is being spread through spam and phishing messages, according to Cisco's Talos Group blog on Monday.
One of the messages found to contain the Rombertik malware. If the user downloads and unzips the file, the user then sees a file that looks like a document thumbnail.
Once a user has downloaded it by clicking on a link and it is up and running on a Windows computer, Rombertik goes through several checks to see if it has been detected.
However, unlike most other malware, Rombertik then tries to destroy the computer.
The malware 'is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,' wrote Ben Baker and Alex Chiu of the Talos Group.
Rombertik first takes aim at the Master Boot Record (MBR), the first sector of a PC's hard drive that the computer looks to before loading the operating system.
If it doesn't have access to the MBR, it effectively destroys all of the files in a user's home folder by encrypting each with a random RC4 key.
Once either the MBR or the home folder has been encrypted, the computer restarts.
The MBR then enters an infinite loop that stops the computer from rebooting.
The screen reads 'Carbon crack attempt, failed.'
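The passage above describes Rombertik overwriting the Master Boot Record so that the machine can no longer boot. A defender's counterpart is to record a baseline of the MBR and check it periodically. The following is an added example, not code from the article or from Talos: it parses a 512-byte sector, verifies the 0x55AA boot signature and partition table, and compares the bootstrap code against a stored SHA-256. The sample sector is constructed in the script (filler bytes, not a real bootloader); on a live system the 512 bytes would come from the first sector of the boot disk, which requires administrator access and is platform specific, so that read is left out.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
ENTRY_SIZE = 16                       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR


def build_sample_mbr(bootstrap_fill: int = 0x90) -> bytes:
    """Constructed sample MBR (not a real bootloader): filler bootstrap bytes,
    one bootable NTFS-type partition entry, three empty entries, signature."""
    bootstrap = bytes([bootstrap_fill]) * PARTITION_TABLE_OFFSET
    # status=0x80 (bootable), CHS fields zeroed, type 0x07, LBA start 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return bootstrap + entry + bytes(ENTRY_SIZE) * 3 + BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four partition entries; unused (type 0) entries are skipped."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba": lba, "sectors": sectors})
    return parts


def bootstrap_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> list[str]:
    """Return a list of findings; an empty list means the sector matches expectations."""
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[-2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(p["bootable"] for p in parse_partitions(mbr)):
        findings.append("no bootable partition entry")
    if bootstrap_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = bootstrap_hash(good)          # record this when the system is known clean
    print("clean:      ", check_mbr(good, baseline))
    print("overwritten:", check_mbr(build_sample_mbr(0xEB), baseline))
    print("zeroed:     ", check_mbr(bytes(SECTOR_SIZE), baseline))
```

Hashing only the bootstrap region keeps the check from firing on a legitimate repartition; a changed partition table would still show up as "no bootable partition entry" if it were wiped outright.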
'At a high level, Rombertik is a complex piece of malware that is designed to hook into the user's browser to read credentials and other sensitive information for exfiltration to an attacker controlled server,' the researchers say.
They found Rombertik uses social engineering tactics to entice users to download, unzip, and open the attachments that ultimately result in the user's compromise.
Once a computer has been destroyed, this message is displayed until the operating system software is reinstalled.
In the sample they analysed, the message appears to come from the 'Windows Corporation,' an organization that possesses 'state-of-the-art manufacturing quality processes.'
The attackers attempt to convince the user to check the attached documents to see if their business aligns with the target user's organization.
If the user downloads and unzips the file, the user then sees a file that looks like a document thumbnail.
When it first gets installed on a computer, it unpacks itself.
Around 97 percent of the content of the unpacked file is designed to make it look legitimate and is composed of 75 images and 8,000 decoy functions that are never actually used.
How Rombertik works: Unlike most other malware, it can try to destroy the computer.
'This packer attempts to overwhelm analysts by making it impossible to look at every function,' Talos wrote.
Such 'wiper' malware has been used in the past, notably against South Korean targets in 2013 and against Sony Pictures Entertainment last year, an attack attributed to North Korea by the U.S. government.
Rombertik stays awake, however, and writes one byte of data to memory 960 million times, which complicates analysis for application tracing tools.
'If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes,' Talos wrote.
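The 960 million single-byte writes described above are aimed at tools that record every instruction. The following is an added example, not code from the article or from Talos, showing one way a tracing tool can defuse that tactic: consecutive identical (address, value) writes are run-length encoded into one record with a count, and any address written more than a threshold number of times is reported as a suspected anti-analysis loop. The trace events are constructed in the script (a short loop of 100,000 writes standing in for the real 960 million), and the 110 bytes per log line used for the size estimate is an assumption, not a figure from the report.

```python
from collections import Counter
from typing import Iterable, Iterator

LOOP_THRESHOLD = 10_000   # assumed: an address written this often is reported


def coalesce_trace(events: Iterable[tuple[int, int]]) -> list[tuple[int, int, int]]:
    """Run-length encode consecutive identical (address, value) writes into
    (address, value, count) records so a tight write loop costs one record."""
    records: list[list[int]] = []
    for addr, value in events:
        if records and records[-1][0] == addr and records[-1][1] == value:
            records[-1][2] += 1
        else:
            records.append([addr, value, 1])
    return [(a, v, n) for a, v, n in records]


def repeated_write_addresses(records: list[tuple[int, int, int]],
                             threshold: int = LOOP_THRESHOLD) -> list[int]:
    """Addresses whose total write count reaches the threshold, sorted."""
    totals: Counter = Counter()
    for addr, _, count in records:
        totals[addr] += count
    return sorted(a for a, n in totals.items() if n >= threshold)


def estimate_log_bytes(n_records: int, bytes_per_record: int = 110) -> int:
    """Rough size of a plain-text trace log; bytes_per_record is an assumption."""
    return n_records * bytes_per_record


def sample_events(loop_count: int = 100_000) -> Iterator[tuple[int, int]]:
    """Constructed trace: five ordinary writes, a loop writing one byte to one
    address loop_count times, then three more ordinary writes."""
    for i in range(5):
        yield (0x1000 + i, i)
    for _ in range(loop_count):
        yield (0x2000, 0x41)
    for i in range(3):
        yield (0x3000 + i, 0xFF - i)


if __name__ == "__main__":
    records = coalesce_trace(sample_events())
    print(f"{len(records)} records after coalescing")
    print("suspected write loops at:", [hex(a) for a in repeated_write_addresses(records)])
    print("uncoalesced 960M-write log, approx GB:", estimate_log_bytes(960_000_000) / 1e9)
```

Coalescing keeps the log proportional to the number of distinct write events rather than the number of loop iterations, and the repeat count itself becomes a useful indicator for the analyst.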
The firm advises users that 'Good security practices, such as making sure anti-virus software is installed and kept up-to-date, not clicking on attachments from unknown senders, and ensuring robust security policies are in place for email (such as blocking certain attachment types) can go a long way when it comes to protecting users.'
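The advice above mentions blocking certain attachment types, and earlier the article notes that the lure was a zipped file that looked like a document thumbnail. The following is an added example, not code from the article or from Talos, of a mail-gateway style screen for zip attachments: it opens the archive in memory and flags entries with an executable extension, a document extension stacked in front of an executable one, or a PE ('MZ') header hidden behind a non-executable name. The archive and its entries are constructed in the script; the extension lists are assumptions and would be tuned to a given organisation's policy.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists; adjust to the organisation's own attachment rules.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".msi"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                       ".jpg", ".png"}
PE_MAGIC = b"MZ"   # first two bytes of a Windows executable

# Constructed sample archive contents (not real malware samples).
SAMPLE_ENTRIES = {
    "Business Proposal.pdf.scr": PE_MAGIC + bytes(64),   # executable posing as a PDF
    "Catalogue.doc": PE_MAGIC + b"\x90\x00" + bytes(32),  # PE bytes behind a document name
    "readme.txt": b"Please see the attached documents.\n",
}


def inspect_entry(name: str, head: bytes) -> list[str]:
    """Reasons to flag one archive entry, given its name and first bytes."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {last}")
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("document extension used as disguise")
    elif head.startswith(PE_MAGIC):
        reasons.append("PE header with non-executable extension")
    return reasons


def screen_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to its reasons; empty dict means nothing flagged."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))   # only the magic bytes are needed
            reasons = inspect_entry(info.filename, head)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from name -> content pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in screen_zip_attachment(build_sample_zip(SAMPLE_ENTRIES)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Reading only the first bytes of each entry keeps the check cheap, and looking at content as well as name catches the case the article describes, where the file name and icon are chosen to resemble a document.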