Rombertik malware 'indiscriminately' steals data, renders PCs unusable if discovered

Rombertik malware designed to steal user data and trash PCs when discovered, warns Cisco

Security researchers have unveiled details about a vicious strain of Windows malware designed to "indiscriminately" steal user data, which can make the computer it has infected unusable if discovered.

Called Rombertik, the malware tricks users into installing it via attachments in bogus phishing emails, according to security researchers at Cisco's Talos Group.

Once installed, Rombertik indiscriminately harvests information about everything the user does online, including login details for PCs, online banking credentials and any other credentials the user keys in.

Security specialists have warned that the aggressive, self-destructing "wiper"-style malware is difficult to fight once installed: if Rombertik detects that it is being analysed, it triggers a destructive routine that renders the computer unusable, overwriting the boot record or encrypting the user's files and forcing the PC into a restart loop, until the operating system is reinstalled.

It is not the first malware capable of shutting down systems. Last month, Kaspersky Lab outlined a security vulnerability in Apple's iPhone, iPad and Mac operating systems that leaves the devices open to attacks which could render them unusable.

However, the self-destructive nature of Rombertik makes it a much more dangerous threat than many other wiper variants, although at this time infection rates remain low.

"Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis," Cisco researchers Ben Baker and Alex Chiu wrote in a blog post.

Cisco describes how the malware runs a series of internal checks to determine whether it is being analysed, triggering its self-destruct routine and an endless restart loop if any check is positive. "If the resource or compile time has been altered, the malware acts destructively," explained the Cisco post.

It continued: "It first attempts to overwrite the master boot record (MBR) of PhysicalDisk0, which renders the computer inoperable. If the malware does not have permissions to overwrite the MBR, it will instead destroy all files in the user's home folder by encrypting each file with a randomly generated RC4 key.

"After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted."

The researchers also noted that, once the routine is triggered, Rombertik leaves a mocking message for anyone trying to analyse or fight it. "The MBR starts with code that is executed before the operating system. The overwritten MBR contains code to print out 'Carbon crack attempt, failed', then enters an infinite loop preventing the system from continuing to boot."
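The overwrite described above leaves a boot sector that no longer looks like one: the partition table is gone, the 446 bytes of boot code carry a printable taunt, and the code ends in a self-jump. Those are all things a defender can check for without booting the disk. The script below is an added example written for this article, not code from Cisco Talos, and the "tampered" sample it inspects is constructed to mimic the behaviour the article describes (a BIOS teletype loop that prints the quoted string, then `jmp $`); it is not Rombertik's actual payload, and the byte patterns it flags are heuristics, not signatures. On Windows the raw first sector is read from the device `\\.\PhysicalDrive0` (the article's quote says "PhysicalDisk0"), which requires administrator rights; the sample MBRs are embedded so the checks run offline.

```python
"""Inspect a 512-byte master boot record for signs of a destructive overwrite.

Added example for this article (not Cisco Talos code). Both sample MBRs are
constructed here for illustration; the tampered one imitates the article's
description of Rombertik's boot code and is not the malware's real payload.
"""
import hashlib
import re
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16             # four entries: 446..509
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of a valid MBR
TAUNT_STRING = b"Carbon crack attempt, failed"   # string quoted in the Talos post
JMP_SELF = b"\xeb\xfe"                # x86 'jmp $': the cheapest infinite loop


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries, skipping empty slots."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors,
                        "valid_status": status in (0x00, 0x80)})
    return entries


def inspect_mbr(mbr: bytes) -> dict:
    """Run structural and content checks; 'suspicious' is True if any fail."""
    findings = {"reasons": [], "partitions": [], "strings": []}
    if len(mbr) != MBR_SIZE:
        findings["reasons"].append(f"unexpected length {len(mbr)}")
        findings["suspicious"] = True
        return findings
    if mbr[510:512] != BOOT_SIGNATURE:
        findings["reasons"].append("missing 0x55AA boot signature")
    parts = parse_partition_table(mbr)
    findings["partitions"] = parts
    if not parts:
        findings["reasons"].append("partition table is empty")
    elif not any(p["bootable"] for p in parts):
        findings["reasons"].append("no bootable partition")
    if any(not p["valid_status"] for p in parts):
        findings["reasons"].append("malformed partition status byte")
    code = mbr[:PARTITION_TABLE_OFFSET]
    if TAUNT_STRING in code:
        findings["reasons"].append("Rombertik taunt string in boot code")
    if JMP_SELF in code:
        findings["reasons"].append("self-jump (jmp $) in boot code")
    # Any long printable run in boot code is worth a human look.
    findings["strings"] = [s.decode() for s in re.findall(rb"[\x20-\x7e]{8,}", code)]
    findings["suspicious"] = bool(findings["reasons"])
    return findings


def mbr_matches_baseline(mbr: bytes, baseline_sha256: str) -> bool:
    """Strongest check: compare against a hash recorded from the clean machine."""
    return hashlib.sha256(mbr).hexdigest() == baseline_sha256


def read_mbr_windows(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of the raw disk (Windows device path, needs admin)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, sectors) tuples."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, sectors) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", mbr, PARTITION_TABLE_OFFSET + i * 16,
                         status, ptype, lba, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed healthy MBR: placeholder boot code plus one bootable NTFS partition.
HEALTHY_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0" + b"\x90" * 60,
                               [(0x80, 0x07, 2048, 1_000_000)])
HEALTHY_DIGEST = hashlib.sha256(HEALTHY_MBR).hexdigest()

# Constructed tampered MBR imitating the article's description: real-mode code that
# walks the string at 0x7C10 through BIOS int 10h/AH=0Eh (teletype), then 'jmp $'.
# The partition table is left zeroed, as an overwrite would.
TAMPERED_BOOT_CODE = (
    b"\xbe\x10\x7c"      # mov si, 0x7c10        ; address of the string below
    b"\xac"              # lodsb                 ; al = *si++
    b"\x3c\x00"          # cmp al, 0
    b"\x74\x06"          # jz  +6 -> jmp $       ; end of string
    b"\xb4\x0e"          # mov ah, 0x0e
    b"\xcd\x10"          # int 0x10              ; print al
    b"\xeb\xf5"          # jmp -11 -> lodsb
    b"\xeb\xfe"          # jmp $                 ; hang the machine
    + TAUNT_STRING + b"\x00"
)
TAMPERED_MBR = TAMPERED_BOOT_CODE.ljust(510, b"\x00") + BOOT_SIGNATURE

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_MBR), ("tampered", TAMPERED_MBR)):
        print(name, inspect_mbr(sample))
```

Note that the tampered sample still carries a valid 0x55AA signature: a boot-code overwrite has no reason to remove it, so the signature check alone proves nothing. The empty partition table, the printable taunt and the `jmp $` are what give it away, and the baseline hash comparison catches any change at all, which is why recording that hash on a known-good machine is the check worth automating.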

The best way of preventing Rombertik from being a threat, Cisco warned, is to ensure computer networks are kept as secure as possible and to ensure that users are educated against potential threats - as well as scanning all incoming email.

"Good security practices, such as making sure anti-virus software is installed and kept up-to-date, not clicking on attachments from unknown senders, and ensuring robust security policies are in place for email (such as blocking certain attachment types) can go a long way when it comes to protecting users," the blog advised.

"However, a defence-in-depth approach that covers the entire attack continuum can help identify malware and assist in remediation in the event that an attacker finds a way to evade detection initially," it concluded.

Cisco has previously warned how corporate networks are harbouring malware and cyber crime networks are expanding.