There is a new kid on the virus block, and a pretty nasty kid it is too. Named Rombertik, it is generally picked up from attachments to phishing emails (in this virus's case, usually an attachment appearing to be a .PDF file).
Think of one of those emails claiming you have won a prize, purporting to be a message from Microsoft, or asking you to validate your bank details.
It was identified around the start of 2015 by the Talos computer security team at Cisco, who describe it as “unique in that it actively attempts to destroy the computer”.
It works on Windows PCs, hooking into the text-entry routines of the user's web browser and monitoring what you type in an attempt to capture login details and other confidential information entered on websites. Because it intercepts the text before any encryption takes place, passwords are read in the raw; it does not matter that a web page's input data may be destined for transmission over HTTPS, since the data has already been read before that protocol takes over. The graphic below illustrates the process.
All that is nasty enough, but the real unpleasantness kicks in if the virus detects any attempt to track it down or delete it, which it does by looking for certain methods of malware analysis. It first tries to confuse such analysis with a number of anti-detection routines; one of them is to suddenly fill up millions of bytes of memory, to trick tools that spot malware by monitoring system activity.
In this regard it is similar to another virus, Beebone, released in 2014, which also had the ability to detect when it was being inspected or cleaned up. It took a joint operation by Europe's Joint Cybercrime Action Taskforce, America's FBI and various computer security firms to defeat that one, but Beebone was not as immediately aggressive towards its host computer as this new virus is.
If Rombertik comes under attack it immediately overwrites one of the most critical core structures on a Windows PC, the Master Boot Record, which is essential to PC boot-up and also holds details of the disk partitions. It then restarts the computer, but without the boot record the machine cannot start at all. The chart below shows the breakdown of the Rombertik executable.
It is recognisable (if you are so unfortunate as to have picked it up) because it replaces the boot record with a script that displays the on-screen message “Carbon crack attempt, failed”, scorning the attempts to defeat it.
Unfortunately, once a PC's master boot record is gone, the only way to repair the machine is to reinstall Windows from scratch, and because the partition data has also been destroyed, the data on the disks is not easily recoverable. If the virus fails to overwrite the boot record because it lacks the necessary access permissions, it instead overwrites all the files in the user's home directory, along with the admin settings.
It is very unusual for viruses to be suicidal in this way – those intended to extract confidential data normally hide themselves, wanting to remain undetected for as long as possible so they can continue their insidious work.
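As an added illustration (not part of the original article) of what a defender can check for, the following Python parses a 512-byte Master Boot Record image, verifies the boot signature and partition table the article mentions, and compares the boot code against a known-good hash; the sample MBR bytes are constructed for the example, not taken from any real disk or infection.

```python
"""Added example: sanity-check a Master Boot Record image for signs of an overwrite.
The sample MBR below is constructed; a real check would read the disk's first sector."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow the boot code


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Return (bootable, type_id, lba_start, sector_count) for each non-empty entry."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append((status == 0x80, ptype, lba_start, count))
    return parts


def mbr_health(mbr: bytes, baseline_sha256: str) -> dict:
    """Flag a wiped or tampered MBR: bad size, missing signature, empty table, changed code."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("wrong size")
    if mbr[-2:] != BOOT_SIGNATURE:
        findings.append("boot signature missing")
    parts = parse_partitions(mbr) if len(mbr) == MBR_SIZE else []
    if not parts:
        findings.append("partition table empty")
    if sha256_hex(mbr) != baseline_sha256:
        findings.append("boot code changed since baseline")
    return {"ok": not findings, "findings": findings, "partitions": parts}


def constructed_good_mbr() -> bytes:
    """Build a plausible healthy MBR: stub boot code plus one bootable NTFS-type partition."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PART_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = constructed_good_mbr()
    print(mbr_health(good, sha256_hex(good)))              # healthy: ok=True
    print(mbr_health(b"\x00" * MBR_SIZE, sha256_hex(good)))  # wiped: signature and table gone
```

On a live system the 512 bytes would come from a raw read of the disk's first sector, which needs administrator rights; the baseline hash should be recorded while the machine is known to be clean.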
Rombertik is an unusually malevolent virus; it indicates a creator so warped in their mind as to want to cause havoc if they can’t steal the data, a step further down in wickedness from the criminals that simply steal.
Alex Viall is the Director of Mustard IT, a London-based company offering professional IT support to businesses across Essex, London and the Home Counties.