Wednesday, May 6, 2015

Destructive Rombertik Malware Renders System Inoperable

Researchers at the Talos Group (part of Cisco Systems) have published an analysis of malware named Rombertik. The malware is designed to intercept any plain text entered into a browser window and is spread through spam and phishing messages.

What makes this malware special is how it behaves when it detects certain attributes associated with malware analysis. If analysis is detected, Rombertik first tries to destroy the Master Boot Record (MBR), the first sector of a PC's hard drive, which the computer reads before loading the operating system. If it cannot access the MBR, it renders all of the files in the user's home folder unusable by encrypting them with a randomly generated RC4 key. After overwriting the MBR or encrypting the home folder, it restarts the computer. The overwritten MBR contains code that prints "Carbon crack attempt, failed" and then enters an infinite loop, preventing the system from booting.
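As an added example, not part of the original post or of the Talos analysis, the following Python function inspects a 512-byte MBR image for the kind of damage described above: the marker string in the bootstrap area, a missing boot signature, a wiped partition table, or a hash that no longer matches a known-good baseline. The sample MBR images are constructed inline, and the function and field names are my own.

```python
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR
# Text the overwritten MBR prints, as described in the Talos write-up
ROMBERTIK_MARKER = b"Carbon crack attempt, failed"


def inspect_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Check a 512-byte MBR image for signs of a destructive overwrite."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = [mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)] for i in range(4)]
    digest = hashlib.sha256(mbr).hexdigest()
    f = {
        "sha256": digest,
        # Known marker string inside the bootstrap code area
        "marker_found": ROMBERTIK_MARKER in mbr[:BOOT_CODE_LEN],
        # A bootable MBR ends with 0x55 0xAA
        "boot_signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        # Status byte of every entry must be 0x00 (inactive) or 0x80 (active)
        "partition_status_ok": all(e[0] in (0x00, 0x80) for e in entries),
        # A wiped table is all zeros; a real system disk has at least one entry
        "has_partition_entries": any(any(e) for e in entries),
        # Compare against a hash recorded while the disk was known-good
        "matches_baseline": baseline_sha256 is None or digest == baseline_sha256,
    }
    f["suspicious"] = (f["marker_found"] or not f["boot_signature_ok"]
                       or not f["partition_status_ok"] or not f["has_partition_entries"]
                       or not f["matches_baseline"])
    return f


def build_sample_mbr(boot_code: bytes, partition_table: bytes) -> bytes:
    """Assemble a constructed 512-byte MBR for testing (not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    return code + partition_table.ljust(64, b"\x00")[:64] + BOOT_SIGNATURE


# Constructed "clean" MBR: placeholder bootstrap bytes and one active NTFS partition
ACTIVE_NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 2_000_000)
CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 16, ACTIVE_NTFS_ENTRY)
CLEAN_BASELINE = hashlib.sha256(CLEAN_MBR).hexdigest()
# Constructed "overwritten" MBR: marker text in the bootstrap area, partition table zeroed
WIPED_MBR = build_sample_mbr(ROMBERTIK_MARKER, b"")
```

Run against a sector read from a forensic image, `inspect_mbr(sector, baseline)["suspicious"]` flags the overwrite even when only the baseline hash has changed.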

The complete analysis of Rombertik can be read on the Talos blog.
