Rombertik strikes! In 10 seconds, this computer will self-destruct
Viruses can be a serious problem and they take myriad forms. Viruses have become increasingly sophisticated over the years, particularly in the methods used to try to evade detection. Now Cisco's Talos security researchers have discovered Rombertik, a piece of malware that goes to extraordinary lengths to avoid analysis.
Researchers managed to reverse-engineer the virus and found "multiple layers of obfuscation and anti-analysis functionality". One sample was found to include code that would destroy the MBR (master boot record) of the host computer if analysis or debugging is attempted.
The effects of a Rombertik infection can be devastating. Left to its own devices, the malware will sit happily in the background gathering information about online activity, collecting user credentials and feeding them back to a remote server. Writing on the Cisco blog, Ben Baker and Alex Chiu explain that while Rombertik's method of propagation -- usually through emails and social networks -- is nothing out of the ordinary, the way it operates is in a different league.
The infection process starts with Rombertik checking whether it is running in a sandbox before decrypting and installing itself. Unusually, the virus then installs a second copy of itself, but with a key difference -- the second copy contains the real payload. Rombertik then checks whether a tool is trying to block or analyze it, and if it detects such activity it attacks the master boot record in a bid to destroy the computer and prevent it from being used.
Talos researchers reveal that the file involved in a Rombertik infection is largely padding. In a file of 1264KB, just 28KB is harmful code, while the rest is a combination of unnecessary code, images and extra functions that are never used -- all in a bid to disguise the real payload. To make analysis all but impossible, in the early stages of infection Rombertik writes a random byte of data to memory 960 million times. Researchers point out that "if an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes".
By attacking the MBR of a computer if analysis is detected, Rombertik can effectively kill a computer, throwing it into an endless reboot loop. But what if the MBR cannot be attacked for some reason? To make sure that it still has an impact, Rombertik will instead destroy all of the files found in the user's folder. Oh… and if you were thinking, 'oh, I'll just reinstall Windows', as well as destroying the MBR, Rombertik also tinkers with the partitions to make it difficult to recover data from them.