Rombertik Malware
May 11, 2015

Here is a malware that is said to destroy computers. You may rest easy: it doesn't, whatever hype has surrounded it.

Rombertik

Rombertik's main purpose is to hook itself into the browser and keep track of what you type. Such credential-stealing malware can lead to compromised bank accounts, stolen data, hacked computers, and more. However, rest assured it won't destroy your computer. In all likelihood you may lose your data and end up reinstalling your operating system and applications, but your computer will not blow up in your face.

Rombertik is malware that is known to evade detection and analysis if it becomes aware that it is being examined. It can also render the computer it infects unusable: if it detects any analysis tools, it attempts to delete the system's Master Boot Record (MBR) and home directories, which in turn sends the victim's machine into an endless restart loop.

Though the MBR is unusable, technically speaking you haven’t lost your data.  With the right recovery tools you may be able to recover your data, but most likely with great difficulty and a lot of frustration along the way.
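To make the MBR point concrete, here is a small added example (not from this advisory or its sources): it parses the first sector of a disk image and reports whether the boot signature and partition table are still present, which is what a responder checks before deciding whether the "MBR wiped, data still on disk" recovery path applies. The sample sector is constructed; `check_image` assumes a path to a raw disk image.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
TABLE_OFFSET = 446             # partition table: 4 entries of 16 bytes each


def parse_mbr(sector: bytes) -> dict:
    """Inspect a 512-byte boot sector and say whether it still looks like an MBR.

    A wiped MBR usually has no 0x55AA signature and an all-zero partition
    table; the partitions' own data blocks further along the disk are
    untouched, which is why recovery tools can still find the file systems.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, length
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": signature_ok,
        "partitions": partitions,
        # intact = signature present and at least one plausible partition entry
        "intact": signature_ok and any(p["lba_start"] > 0 and p["sectors"] > 0
                                       for p in partitions),
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: boot code zeroed, one bootable NTFS (0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    sector = bytearray(SECTOR_SIZE)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def check_image(path: str) -> dict:
    """Read the first sector of a raw disk image (assumed path) and parse it."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR_SIZE))


if __name__ == "__main__":
    print("healthy sample:", parse_mbr(build_sample_mbr()))
    print("wiped sample:  ", parse_mbr(bytes(SECTOR_SIZE)))
```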

The malware is installed when users click on malicious attachments in phishing emails.  It will then run anti-analysis checks to determine if it is running within a sandbox (see Definition).  If it isn’t running within a sandbox, it decrypts and installs itself on the victim’s computer.

If Rombertik fails to wipe the MBR, it falls back to encrypting the files on disk, much like ransomware. Each file is encrypted with its own 256-byte key, but none of the keys are saved anywhere, so you end up with "random shredded cabbage instead of your data."

If it is any source of comfort, files with extensions .EXE, .DLL, .VXD, and .DRV will survive.

Bear in mind that this malware has a non-destructive part mentioned in the beginning of this advisory – to snoop on your browsing and steal your data, which can be painful.

The best thing to do to prevent such threats boils down to best computing practices, so that you do not get infected.


Recommendation

  1. Keep your operating system and applications patched.
  2. Use an active anti-virus program and ensure that it is up-to-date.
  3. Avoid opening email attachments from unknown sources.
  4. Install email filtering.
  5. Logon with administrator privileges only when necessary.
  6. Make regular backups, and keep one backup set off-site.
  7. Remove unwanted or unnecessary software.


Definition

Sandbox – a security mechanism for separating running programs.  It is often used to execute untested code, or untrusted programs from unverified sources – untrusted sources, untrusted websites, suppliers, and third parties.


Source

  1. The Hacker News.
  2. Naked Security from Sophos.
  3. Computing (UK) – (including image on pg 1).


The Week That Was

  1. Google Password Alert – less than 24 hours after Password Alert, a new phishing-alert extension from Google, was launched, a security researcher showed that he could bypass the feature with dead simple exploits.
  2. Dyre malware evades sandboxes – Dyre malware (see Extol Advisory – Breaking News – 7 April 2015) evades at least 8 popular sandbox tools with effective, previously unused techniques.
  3. USBKill – a program that, once activated, will instantly disable laptops or computers if there is any activity on the USB port. This program would benefit whistleblowers, journalists, activists, or even cybercriminals who want to keep information away from the authorities and cyber thieves.
  4. WordPress flaw exploited – a year-old vulnerability in a WordPress plug-in is still being exploited. The malware is not named, but it redirects users to sites hosting exploits, putting many users at risk.