Virus that stops Windows running if you try to get rid of it

foxidrive

Retired Admin
"A computer virus that tries to avoid detection by making the machine it infects unusable has been found. If Rombertik's evasion techniques are triggered, it deletes key files on a computer, making it constantly restart. Analysts said Rombertik was 'unique' among malware samples for resisting capture so aggressively. On Windows machines where it goes unnoticed, the malware steals login data and other confidential information. Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost. Some of the messages Rombertik travels with pose as business inquiry letters from Microsoft. The malware 'indiscriminately' stole data entered by victims on any website, the researchers said. And it got even nastier when it spotted someone was trying to understand how it worked. 'Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,' the researchers said."

I'm not sure how accurate that article is because it goes on to say this - which isn't true, you don't need to reinstall Windows - and I stopped reading.

Restoring a PC with its MBR deleted involves reinstalling Windows, which could mean important data is lost.
 
and I stopped reading.

I stopped here:

While this file may appear to be some sort of PDF from the icon or thumbnail, the file actually is a .SCR screensaver executable file that contains Rombertik. Once the user double clicks to open the file, Rombertik will begin the process of compromising the system.

The process by which Rombertik compromises the target system is fairly complex, with anti-analysis checks in place to prevent static and dynamic analysis. Upon execution, Rombertik will stall and then run through a first set of anti-analysis checks to see if it is running within a sandbox. Once these checks are complete, Rombertik will proceed to decrypt and install itself on the victim's computer to maintain persistence. After installation, it will then launch a second copy of itself and overwrite the second copy with the malware's core functionality. Before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analyzed in memory. If this check fails, Rombertik will attempt to destroy the Master Boot Record and restart the computer to render it unusable. The graphic below illustrates the process.

It's too difficult to achieve without warnings from the OS and/or AV, I believe.
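The .SCR-disguised-as-PDF trick in the Cisco quote above is the part a mail gateway or endpoint script can catch without trusting the icon at all: look at the chain of extensions and at the leading bytes of the file rather than at how Explorer renders it. The script below is an added example for this thread, not code from the Cisco write-up, the BBC article or anyone posting here; the file names and byte strings are constructed samples so it runs offline.

```python
"""Flag attachments whose name or icon says "document" but whose content is a program.

Added example for this thread (not code from Cisco, the BBC or the posters).
The samples at the bottom are constructed in-line so the script runs offline.
"""
from dataclasses import dataclass, field

# Extensions Windows runs as programs, even when the file carries a PDF-style icon.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Container type genuinely expected behind common document extensions.
EXPECTED_CONTENT = {
    ".pdf": "pdf",
    ".doc": "ole-compound",
    ".xls": "ole-compound",
    ".docx": "zip",
    ".xlsx": "zip",
}

# Magic bytes identify the real container type regardless of the file name.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole-compound"),
    (b"PK\x03\x04", "zip"),
]


@dataclass
class Verdict:
    name: str
    content_type: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading magic bytes."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def extensions(name: str) -> list:
    """All dotted suffixes of a file name, lower-cased: 'Invoice.pdf.scr' -> ['.pdf', '.scr']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess(name: str, data: bytes) -> Verdict:
    """Combine extension rules and content sniffing into one verdict."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    content = sniff(data)
    v = Verdict(name=name, content_type=content)

    if last in EXECUTABLE_EXTENSIONS:
        v.reasons.append(f"extension {last} is executable on Windows")
        if len(exts) >= 2 and exts[-2] in EXPECTED_CONTENT:
            v.reasons.append(f"double extension: {exts[-2]} name hides a {last} program")
    elif content == "pe-executable":
        v.reasons.append("content is a PE executable but the extension says otherwise")
    elif last in EXPECTED_CONTENT and content not in ("unknown", EXPECTED_CONTENT[last]):
        v.reasons.append(f"content type {content} does not match extension {last}")
    return v


# Constructed samples, not real malware: only the leading bytes matter here.
SAMPLES = {
    "Invoice.pdf.scr": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.txt": b"plain text, nothing to see",
}


def scan(samples=SAMPLES) -> dict:
    """Return {name: Verdict} for every sample."""
    return {name: assess(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{flag:10} {name} ({verdict.content_type}) {'; '.join(verdict.reasons)}")
```

The double-extension rule and the magic-byte rule are deliberately separate: the first catches the case Cisco describes (a document-looking name with .SCR on the end), the second catches a PE that has simply been renamed to .pdf, which the icon question later in this thread is really about.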
 
It's too difficult to achieve without warnings from the OS and/or AV, I believe.

If the AV is set to monitor the boot record then it should protect the user, assuming they have an AV. :happy

Being careful and using common sense is pretty good protection, right? You wouldn't click on a random thing in an email.

I don't know how it changes the registered icon though. Is it all crap?
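The "AV set to monitor the boot record" idea from the post above can also be done by hand as a baseline-and-compare check of the first 512 bytes of the disk: record a hash once, then re-read the sector and confirm the 0x55AA signature, the partition table and the hash are all still what they were. The script below is an added example, not from this thread or from Cisco; it only ever reads, the device path is whatever you supply (on Windows an administrator can pass r"\\.\PhysicalDrive0", on Linux /dev/sda), and the sample MBR image is constructed so the check runs offline.

```python
"""Baseline-and-compare integrity check of a disk's Master Boot Record.

Added example for this thread (not from the posters or from Cisco). Read-only.
"""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"


def read_mbr(path: str) -> bytes:
    """Read the first sector of a device or image file (r"\\\\.\\PhysicalDrive0" on Windows, /dev/sda on Linux)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def fingerprint(mbr: bytes) -> str:
    """SHA-256 of the sector, stored once as the baseline."""
    return hashlib.sha256(mbr).hexdigest()


def partition_entries(mbr: bytes) -> list:
    """Decode the four partition slots: status, type, LBA start and sector count."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline: str) -> dict:
    """Compare a freshly read sector against the recorded baseline."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return {"ok": False, "findings": ["short read"]}
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not partition_entries(mbr):
        findings.append("partition table empty")
    if fingerprint(mbr) != baseline:
        findings.append("MBR hash differs from baseline")
    return {"ok": not findings, "findings": findings}


def build_sample_mbr() -> bytes:
    """Constructed 512-byte image: a jump stub, one bootable NTFS-type entry, signature."""
    code = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = fingerprint(sample)           # what you would store after a known-good boot
    print("healthy:", check_mbr(sample, baseline))
    print("wiped:  ", check_mbr(b"\x00" * MBR_SIZE, baseline))
```

Run the baseline step once on a machine you trust and keep the hash somewhere the machine itself cannot rewrite; a later mismatch is worth investigating whether or not the signature bytes still look right, since a monitor that only checks 0x55AA would be satisfied by any replacement sector that kept it.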
 
(The AV has already checked the file and given the all-clear signal)

That part is never certain though - no AV will detect all malware, and the zero day malware is an unknown thing too.

Windows UAC can help, but it's not perfect either. The way the article is written makes it seem unreliable to me too.
 