• By Paul Ducklin, nakedsecurity.sophos.com
• View Original

Thanks to James Wyke of SophosLabs for doing the hard parts of this article.

We didn't really want to get drawn into this one.

But it's hard to avoid commenting on malware that has variously been described as a "terrifying 'suicide bomber'" and as having a payload that "destroys computers."

That's the sort of computer security hyperbole that does nothing but harm.

The best outcome is that you end up being offensive, as you are when you insist on trotting out the phrase "digital Pearl Harbor" and expecting to be taken seriously.

The worst outcome is that you create an entirely false sense of security by describing a manageable, albeit serious, threat as though it were truly extreme.

By creating the impression that a manageable threat is "as bad as it gets," you undermine your readers' interest in bothering about less serious threats at all.

Introducing Rombertik

The malware in question has been nicknamed "Rombertik" (Sophos products will block it as Troj/Delp-AD).

SophosLabs first came across it in January 2015, one of some 300,000 new malware samples that we encounter each day.

→ The vast majority of the samples we get each day aren't truly new. They're unique only in the strictly technical sense that they consist of a sequence of bytes that we haven't encountered before, in the same way that Good morning and GOOD MORNING are not literally the same. Most of the new samples that show up each day are merely minor variants that we already detect, or known malware that has been encrypted or packaged differently. Nevertheless, that still leaves plenty of samples worth looking at.

Rombertik's primary purpose seems to be to hook itself into your browser so it can keep track of what you type in.

Make no mistake, credential stealing malware of this sort is serious, because it can lead to compromised bank accounts, hacked servers, stolen data, decrypted secrets and more.

But it won't destroy your computer, or kill you along with itself.

The cause of the hype

Where the hype-making headlines come from is an anti-hacking trick that's buried in the malware.

Many Trojans and viruses over the years have had some sort of tamper-detection or tamper-prevention built in, just like the security tools that try to detect them in the first place.

Some malware, like Dyreza, about which we wrote recently, tries to work out if it is being run inside a malware research environment, and behaves entirely innocently if so.

This is the low-key way of avoiding notice: give nothing away at all, so that the file gets overlooked and put to the bottom of the queue for attention.

Other malware, like Rombertik, takes a different approach.

If it detects that you have altered the malware in certain ways – for example, if you are another crook trying to repurpose it without paying for the privilege – it will overwrite vital information on your computer.

In all likelihood, you'll lose your data and end up reinstalling your operating system and applications to get up and running again.

You can call it spite, call it revenge, call it retaliation, call it destructive to your data (that much is perfectly true)...

...just don't say that it destroys the computer, and don't even think of comparing it to suicide bombing.

How it works

For what it's worth, Rombertik's data-wiping techniques go something like this:

• Try to wipe out the MBR.

The MBR is the very first data sector on the hard disk, known as the Master Boot Record, and it maintains an index of how your disk is partitioned.

Wiping the MBR really is a spiteful way to proceed, because it leaves you so near, yet so far.

Technically speaking, all your data remains behind, so with the right expertise or recovery tools you may very well get it back, but almost certainly not without plenty of frustration along the way.

It's like putting a vital document through a shredder and then handing back the strips and saying, "There you are. All present and correct! You only have to work out which pieces go where."

Fortunately, writing to the MBR requires Administrator privilege on Windows, so a program run by a regular user can't do it.

If trashing the MBR fails, Rombertik falls back on this:

• Starting in the home folder, overwrite almost all files.

In what is almost certainly a bit of gruesome humour from the crooks, Rombertik works just like ransomware, encrypting your files in place on the disk.

The malware chooses a random 256-byte encryption key for each file, but none of the keys is saved anywhere, so you end up with what is effectively random, shredded cabbage instead of your data.

Only files with the extensions .EXE, .DLL, .VXD and .DRV will survive.

What to do?

Ironically, getting hit right away by Rombertik's data-wiping payload is probably a safer outcome than being infected for days or weeks without noticing.

Remember that the non-destructive part of the malware sets out, amongst other things, to snoop on your browsing and steal your data, perhaps even your identity.

Either way, as with any malware, your best bet is not to get infected in the first place:

• Keep your operating system and applications patched.
• Use an active anti-virus and keep it up-to-date.
• Avoid unexpected attachments.
• Try stricter filtering at your email gateway.

And these precautions will shield you against all sorts of catastrophes, not just destructive malware:

• Only logon with Administrator privileges when you genuinely need to.
• Take regular backups, and keep one backup set off-site.
• Remove unnecessary or unwanted software so there is less to go wrong.