Friday 8 May 2015

Rombertik Malware Virus: New self-destructing virus kills computers when detected. If it finds that its plan has been foiled, it deletes the Windows Master Boot Record (MBR), a critical system file. It then reboots the machine.


May 9, 2015 in Technology
A new form of self-destructing virus has been discovered with a unique agenda. The malware can work out when anti-virus programs have detected it and then renders the computer unusable so that it can keep on operating.

Named Rombertik, the virus is spreading around the Internet in attachments to fake emails, according to a blog post by Cisco security researchers Ben Baker and Alex Chiu. In the message in which it was first discovered, a company purporting to be the "Windows Corporation" promised "state-of-the-art manufacturing quality processes" once you open the attachment to view the "specifications" for the products. The attachment, made to look like an ordinary PDF document, actually contained the Rombertik malware.

The infection begins with Rombertik checking whether virus detection software is installed, continuing only if it is not. It then decrypts and uninstalls itself before overwriting that installation with a new one to prevent anti-virus software from noticing it. With the complex installation complete, Rombertik does one last check to see if a detection program is running in memory before it finally begins to spy on users in their web browsers, stealing login data including usernames and passwords as well as other confidential information on the computer. The BBC reports that data was "indiscriminately" collected and sent to the attackers.

Once the program is started, Rombertik continues to check frequently whether it has been detected. If it finds that its plan has been foiled, it deletes the Windows Master Boot Record, a critical system file. It then reboots the machine.

This puts the computer into an endless reboot loop, as it is impossible for Windows to load without the Master Boot Record. Restoring the computer requires a reinstall of Windows, which could result in the loss of data if the machine is not correctly backed up. If it fails to delete the Master Boot Record, it opts for an alternative method of destruction and wipes everything in the current user's folder. If it successfully deletes the Record, the computer becomes inoperable and displays the message "Carbon crack attempt, failed" on the screen.

Rombertik is an abnormal form of malware. Most viruses try not to draw attention to themselves. In comparison, Rombertik seems paranoid, continually afraid of detection and ready to use force should that happen. This makes it very hard for security engineers to crack: as soon as they start meddling, the malware sees that and destroys the system.
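For responders, the Master Boot Record damage described above can be checked on the first sector of a disk image. The following is an added example, not code from the article or from the Cisco analysis: the function names are hypothetical, the sample sector is constructed, and the single-byte-fill test is a generic wipe heuristic rather than a statement about what Rombertik writes.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446            # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of a valid classic MBR
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, sector count


def build_sample_mbr():
    """Constructed sample: one bootable type-0x07 partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"  # placeholder bytes standing in for boot code
    ENTRY.pack_into(sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partitions(sector):
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = ENTRY.unpack_from(sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:             # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return parts


def triage_mbr(sector):
    """Classify the first sector of a disk image; returns (verdict, partitions)."""
    if len(sector) < SECTOR_SIZE:
        return "truncated", []
    sector = sector[:SECTOR_SIZE]
    if sector.count(sector[0]) == SECTOR_SIZE:
        return "wiped", []         # the whole sector is one repeated byte value
    if sector[510:512] != BOOT_SIGNATURE:
        return "no-boot-signature", []
    parts = parse_partitions(sector)
    if not parts:
        return "empty-partition-table", []
    return "ok", parts


if __name__ == "__main__":
    verdict, parts = triage_mbr(build_sample_mbr())
    print(verdict, parts)
    print(triage_mbr(bytes(SECTOR_SIZE))[0])
```

Run it against the first 512 bytes of a forensic image rather than a live disk; any verdict other than "ok" means the sector needs to be restored from a backup before the machine can boot.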