Offshore Outsourcing & Scammer

Blog about offshore outsourcing and scammer in the outsourcing industry

Rombertik: Malware deletes itself during discovery - together with the hard drive content

Rombertik VirusOne tricky and complex programmed malicious software collects data from Internet users. if she gets discovered she swallows a digital cyanide pill.

Security researchers of the Talos Group, a division of the network equipment supplier Cisco Systems have discovered a Windows malware that has taken great care to cover up traces of their activities. "Rombertik", as the malware gets called from the experts, captures everything a user is doing with his computer on the Internet. If the malware believes that she got discovered, she makes the hard drive of the affected computer unusable and destroyed so herself.

Another feature of the digital pest is that it's not only searching for user name / password combinations of bank accounts. The malware is recording characterized obviously completely unfiltered everything what the respective users is doing with the infected computers on the Internet.

The distribution channel is not new: Rombertik gets distributed as an e-mail attachment from spam or phishing mails. According to the Talos Group, this emails are especially clever constructed and fooling the users easily. The infected emails mimics the sender "Windows Corporation" as shown by one example of the report

Camouflage by deleting

Noticeable is the elaborate camouflage with which the pest trying to protect themselves from detection. It works on several levels: If a user installs unconsciously the pest, Rombertik analyzes first the environment and checks if it is running in a "Sandbox" environment, an isolated area or the PC, which has no impact to the rest of the computer. Antivirus software uses such a sandbox to analyze suspicious software.

Only when this is excluded, the malware continues her installation. Before the malware starts her work, she is testing if she gets watched by a virus scanner. If so, she attempts to delete the so-called master boot record on the hard disk of the computer to make it unusable. If that does not work, Rombertik encrypts all user data on the boot hard drive of the computer for making them useless and brings the PC to fall into an endless loop of reboots.

Fogging by deflecting

Even if it does not come so far, Rombertik makes the work analysis software difficult: In order not to attract attention, the malware hides itself. Is the 28 kB small installation package gets unpacked, it is 1264 kilobytes long and leads to believe of 8000 program features. Although these are not getting used but makes the analysis extremely complex.

To ensure that the program does not get discovered or it is supposed to run in a sandbox, it uses another perfidious trick: Rombertik writes a file from one byte in a memory sector - 960 million times. Only by logging these processes would result in a log file of 100 gigabyte size explains Talos.

The report of the Talos group says nothing about the spread of Rombertik. User should follow the common recommendations:

Don’t click on links or attachments in emails from unknown senders and use an up to date security software.