A piece of malware called Rombertik has been discovered. It is particularly interesting for the way in which it defends itself: namely by trying to mangle your hard drive.
A piece of malware that defends itself is nothing new: some malware will delete or disable your AV in an effort to stay hidden or even alter how your system functions in order to be overlooked.
Other pieces of malware bury themselves so deep in your system that even reinstalling Windows might not get rid of them.
And it’s becoming increasingly common to see malware which changes itself with each infection, giving it a unique signature each time: like Beebone for example, which we covered here.
Master Boot Record
Rombertik is altogether more aggressive in its self-defence than the aforementioned methods: Rombertik attempts to render your system inoperable, in a manner of speaking.
This is the point when typical media sensationalism takes hold of the story. The Mail Online called Rombertik a “suicide bomber” (subtle) whilst even the BBC claimed that it “kills off PCs”.
The reality is a little less dramatic, as some of the more grounded journalists have been reporting.
What Rombertik actually does, as explained by Graham Cluley: “if it believes it is under analysis…” such as in a virus research lab, it will try to “…wipe out your hard drive’s partition sector (also known as the MBR or Master Boot Record) and force a restart.”
“If it’s unable to do this it will attempt to encrypt the files in your home folder.” Thanks for clearing that up Graham; it doesn’t sound much like a “suicide bomber” that is going to “destroy the computer”, as the Daily Mail and Cisco reported respectively.
The key to this story is in one’s definition of destroy. Does removing the MBR ruin your day? Yes it does. Does it destroy your computer? No. It does render the HDD itself inaccessible, meaning that the system can’t access the data on it: of course this is bad.
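To make the "inaccessible but not destroyed" point concrete, here is an added example (not from the original post or from ESET) that models a toy disk with a valid MBR, parses its partition table, overwrites sector 0 the way an MBR wipe does, and shows that a backed-up partition entry still locates the untouched data. The disk layout and the marker string are constructed for the example; CHS fields are left zeroed for simplicity.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446               # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"               # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_disk():
    """Constructed toy disk: valid MBR, then one partition holding a marker string."""
    start_lba, count = 4, 2           # partition begins at sector 4 and is two sectors long
    mbr = bytearray(SECTOR)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", start_lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    payload = b"user-documents-live-here".ljust(count * SECTOR, b"\0")
    return bytes(mbr) + bytes(SECTOR * (start_lba - 1)) + payload


def parse_mbr(disk):
    """Return the partition entries, or None if sector 0 carries no valid boot signature."""
    sector = disk[:SECTOR]
    if sector[510:512] != BOOT_SIGNATURE:
        return None                   # firmware/OS now sees no usable partition table
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype:                     # type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count})
    return parts


def wipe_mbr(disk):
    """Model the destructive step: zero sector 0 only; every other sector is untouched."""
    return bytes(SECTOR) + disk[SECTOR:]


def recover_partition(disk, entry):
    """Using a previously saved partition entry, read the partition straight off the wiped disk."""
    start = entry["start_lba"] * SECTOR
    return disk[start:start + entry["sectors"] * SECTOR]
```

Saving a copy of the first sector before trouble strikes is what makes the last step possible; without it, recovery means carving for filesystem headers instead.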
To me “destroy the computer” means that you’re going to have to spend a lot of money replacing components, as opposed to re-formatting and restoring files from a backup (which you hopefully have). This USB literally destroys components in your PC.
Defence against the Dark Arts
Even though it’s not going to brick your system, you obviously still don’t want to go getting infected by it. Rombertik’s defence mechanism is drawing all the headlines but the virus itself is designed to steal login data and other confidential info.
How does it get onto your system? Nothing too fancy here, it arrives via a dodgy attachment on an even dodgier phishing email.
Solution? Same as usual, run an up-to-date antivirus program (why not try ESET?) and always double check before you download.
Even if it comes from a bank or service that you use, check it. If it comes from a trusted contact, check it: you can’t be sure that they haven’t been compromised. Even if you’re 100% expecting it, check it!
If you do end up deciding to download it then run a quick scan on that file specifically: a few seconds of scanning could save you potentially hours of malware nightmares.
Have you ever been caught out by a phishing email attachment?