CATEGORIES
home IT/Enterprise

Cisco Unearths ‘Rombertik’ Virus That Self-Destructs When Poked By Security Researchers

by Rob WilliamsTuesday, May 05, 2015, 02:50 PM EDT

Security firms and anti-malware providers sure do have their work cut out for them, a fact that seems to get emphasized every day. As attackers become more creative, researchers have to dig deep in order to understand how malware manages to hide itself so well. It used to be that static scanners would be suitable enough, but that's hardly the case nowadays. Attackers are becoming even more creative, creating almost ninja-like malware.

Take Rombertik, for example. This is a piece of malware that was deeply analyzed by Cisco's Talos Security Intelligence and Research Group that at the high level hooks into a user's Web browser to read sensitive information that is then passed along to a remote attack server. Cisco notes that this is not too dissimilar from the Dyre malware we talked about last month. Unlike Dyre, Rombertik doesn't target banking information specifically, but instead fetches whatever it deems useful.

Rombertik Spam

Rombertik is spread through spam and phishing campaigns, and ultimately persuades its receivers to download, extract, and then open the attachments. It might be hard to believe, and not to mention unfortunate, but yes, people still fall for this.

In Rombertik's case, it seems most attachments were PDFs, or at least looked like PDFs. In reality, they were renamed .SCR screensaver files -- an attack point that has been present for ages. With simple detection mechanisms, Rombertik can go unnoticed as it manages to avoid both static and dynamic analysis.

Once executed, Rombertik will run through a couple of checks to make sure it's not running in a sandbox, and if not, it will fully install itself on the victim's PC. It then copies itself and overwrites the copy with a copy that bundles the malware's core functionality.

Rombertik Design

Here's where things get interesting: if the final check fails, which is to see if it's being analyzed in memory, Rombertik will purge the hard disk's MBR and reboot, so that the PC becomes unbootable. If the MBR is somehow unaffected by its attempts, Rombertik will instead render the user's home folder useless by encrypting each file with a random key, and then reboot. Neither of these routes are ideal, but the former could be fixed - the latter cannot.

If you want to dig deep into how Rombertik works, you'll want to check out the article below, as it's very in-depth, and even a bit enlightening. For the enterprise and home alike, this is yet another example of why staff need to be well-aware of the dangers of opening unsolicited attachments. 

Tags:  Malware, security, Enterprise, Cisco, NASDAQ: CSCO
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment