New Rombertik malware attacks hard drives, wipes MBR if detected

No, it deletes the real MBR. It has the ability to lay dormant for days, then once the virtual software stops, it kicks in. Basically it leaves the computer a total brick, with the message "Carbon crack attempt, failed" - what that means, we will find out; it obviously means something to the author/authors.
 
Read the whitepaper please... it doesn't do anything outside of the VM. It would only cause you damage if you tried to analyse it outside of a VM. ;)
 
Updated the post to remove inaccuracies.

From my reading(s) of several articles, no virtual software will stop it, so this one's deadly. I don't understand how on earth someone would click an email link, then think "why is it taking 30 minutes to download". Surely you would notice 1GB!

You probably misinterpreted the articles; virtual machines are able to prevent the malware from compromising the host.

No, it deletes the real MBR. It has the ability to lay dormant for days, then once the virtual software stops, it kicks in. Basically it leaves the computer a total brick, with the message "Carbon crack attempt, failed" - what that means, we will find out; it obviously means something to the author/authors.

I have a sample of the Rombertik malware and I took a very brief look at it. It doesn't lie dormant for days, but it does lie dormant for some time by looping.

The only thing "interesting" is that, unlike most other samples, which do not run or act innocently when they detect that they are being analysed, this malware attempts to destroy the analysis machine, triggering behavioural alarm bells all the way. All in all, this is just another overhyped piece of malware.

Anyway, the funnier thing is that Kaspersky detects the malware as DarkKomet, a backdoor that was created many years back. They probably gave it a wrong name / incorrectly identified the malware, but several other vendors are also incorrectly identifying the malware as DarkKomet... makes me wonder if it's just a coincidence or if vendors are stealing signatures yet again :D
 
Cisco: If it detects that it’s operating within a Virtual Machine, Rombertik, will go nuclear and attempt to overwrite the master boot record of the local hard drive.

At the end of this process, Rombertik computes a 32-bit hash, compares it to an unpacked sample and, if it detects that it’s running in a VM, immediately declares war against the Master Boot Record of your hard drive. If it can’t access and overwrite the MBR, it encrypts all files within the C:\Documents and Settings\Administrator folder using an RC4 key. If it can get its hands on the MBR, it overwrites the partition data with null bytes, making it extremely difficult to restore the drive.
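The Cisco write-up above says the MBR's partition data gets overwritten with null bytes. The following is an added example (not from the thread or from Cisco) of the forensic triage check a responder would run on a dumped first sector: it parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and classifies whether the sector is healthy, has only its partition table zeroed, or has been wiped entirely. The sample sectors are constructed for the demonstration, not taken from a real disk.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446          # partition table starts right after the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, four partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        raw = sector[PT_OFFSET + i * ENTRY_SIZE: PT_OFFSET + (i + 1) * ENTRY_SIZE]
        lba_start, sector_count = struct.unpack("<II", raw[8:16])  # little-endian LBA fields
        parts.append({
            "bootable": raw[0] == 0x80,      # 0x80 marks the active partition
            "type": raw[4],                  # e.g. 0x07 for NTFS
            "lba_start": lba_start,
            "sectors": sector_count,
            "empty": raw == bytes(ENTRY_SIZE),
        })
    return {
        "boot_code_zeroed": sector[:PT_OFFSET] == bytes(PT_OFFSET),
        "signature_ok": sector[510:] == BOOT_SIGNATURE,
        "partitions": parts,
    }


def assess_mbr(sector: bytes) -> str:
    """Classify an MBR image the way a triage script would, worst damage first."""
    mbr = parse_mbr(sector)
    table_zeroed = all(p["empty"] for p in mbr["partitions"])
    if mbr["boot_code_zeroed"] and table_zeroed and not mbr["signature_ok"]:
        return "wiped"                     # whole sector nulled: no boot code, no table
    if table_zeroed:
        return "partition-table-zeroed"    # boot code survives but partition entries are gone
    if not mbr["signature_ok"]:
        return "bad-signature"             # BIOS will refuse to boot this sector
    if not any(p["bootable"] for p in mbr["partitions"]):
        return "no-active-partition"
    return "healthy"


def sample_mbr(wipe: bool = False, zero_table_only: bool = False) -> bytes:
    """Constructed sample sectors (not real disk images): one NTFS partition at LBA 2048."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(PT_OFFSET - 7)   # stub prefix + padding
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff]) + struct.pack("<II", 2048, 1_000_000)
    if wipe:
        return bytes(SECTOR_SIZE)
    if zero_table_only:
        return boot_code + bytes(ENTRY_SIZE * 4) + BOOT_SIGNATURE
    return boot_code + entry + bytes(ENTRY_SIZE * 3) + BOOT_SIGNATURE
```

On a live system the sector would come from reading the first 512 bytes of the physical disk with an imaging tool; comparing its `assess_mbr` result against a known-good backup of the sector is what makes the partition table recoverable after a wipe.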
 
Do you know how a VM works? All write and read attempts are inside a container (virtual HDD), so it can and will only delete the MBR of the container. Geez!
 
So how does it manage to reboot the computer and start a constant reboot loop with the same message popping up?
 
Wait. So they went with only RC4 encryption?
That same encryption is why WEP is so vulnerable. Literally any computer made within the past decade can crack it, most within minutes or seconds even; RC4 is inherently weak, much like the old outdated DEP standard. They're smart little buggers, but that flaw will be this malware's first downfall. :p
 
I do not know much about encryption; however, I know this one is weak. The malware is well-engineered, covering its tracks, and unfortunately will do a lot of damage: how many home users or small business users use virtual machines? Not many. The cryptic words shown, "Carbon crack attempt, failed", undoubtedly have importance; what, I don't know, but without doubt, given time, we will know both a) what and b) what this malware is all about. It's then over to the experts to fathom out how to cure it, and how to prevent it.
 
UAC at its highest setting can protect against this nasty malware, since it will go to critical locations of Windows.

Secure Boot on Windows 8 should prevent this from modifying the MBR where it doesn't meet the requirements, especially when unsigned.

A mature sandbox should protect against it, as this malware could not execute when it detects it is within an isolated environment, from what I assume.
 
Rombertik abuses the Windows API, and in particular its code-debugging features, to recognize and confuse any sandbox or virtual machine, as opposed to a PC it is "physically" installed on.
 
Installer is a packed executable.

Kaspersky anti-executable configuration will block it from installing.

If installed, Kaspersky Application Control will assign it to either Untrusted (blocked from running) or High Restricted (most functions\system resource accesses blocked).

You're protected...

Will Comodo's default autosandbox protect from this malware?
I use Comodo's defaults as I find them suitable & easy for me.
 
Unless the installer can by-pass Comodo's anti-executable configuration, your system should be OK:

1: Configure CIS for anti-executable\default-deny using the following settings:

A. Security Settings > File Rating > File Rating Settings > De-select "Trust applications signed by Trusted Vendors."
B. Security Settings > File Rating > File Rating Settings > De-select "Trust files installed by Trusted installers."
C. Security Settings > Defense+ > Auto-sandbox > Create rule as follows: Block - All Applications - Unrecognized
 
Customizing CIS will protect the system.

What I meant was the default autosandbox, i.e. if the malware was sandboxed?
 

If I recall what I read, the malware is sandbox\virtualization aware. So the user can launch it and it behaves in a non-malicious manner within the sandbox. The user then judges it as safe and then installs it. Really bad news...

Malware writers are fully aware of the "containment" technologies, especially virtualization, which in essence means that within a decade sandboxes might be inadequate - if not, for the most part, obsolete.

Classical HIPS and firewall shall always remain relevant...

I use Comodo, Kaspersky, and ESET on different systems primarily for their HIPS and firewall. To me Comodo's sandbox is secondary... with any and all signatures a distant consideration.
 
Hi Guys. On reading this thread, just a few points:

1). Malware really can't escape from either a VM or a good sandbox unless it can exploit some coding issue of the emulator itself. A case in point would be the CVE-2014-0983 flaw in VirtualBox discovered by Core early last year (quickly patched).
2). If any of you follow Cisco blogs, you will notice that they are using scare tactics to promote their AMP devices (based on SourceFire, which they acquired in 2013). Seriously, any quality enterprise sandboxing technology would immediately flag a file that spawns a vbs script. Cisco knows this.
3). Anyone using the Comodo sandbox should NEVER try to out-think it. Taking something out of the box will only end in tears, unless you REALLY know what you are doing.

Finally, Rombertik isn't really any different from any system-wipe malware, which has been around for years, in spite of the Cisco blog.

For anyone with further interest, I did a quick video:

http://malwaretips.com/threads/comodo-firewall-vs-rombertik.45702/
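Point 2) above rests on a simple behavioural rule: an analysed file that spawns a Windows script host with a .vbs is worth flagging on its own. The following is an added example, not from the thread or from any vendor's sandbox, of that rule applied to a constructed process-creation log: it reconstructs each script host's parent chain and reports those launched by something other than the interactive shell. The event tuples, image names and paths are all made up for the demonstration.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VBS_PATH = re.compile(r'"?([^"\s]+\.vbs)"?', re.IGNORECASE)

# Constructed process-creation events, not real sandbox output:
# (pid, parent pid, image name, command line)
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "thumbnail.exe", r'"C:\Users\u\Downloads\thumbnail.exe"'),
    (201, 200, "wscript.exe", r'wscript.exe "C:\Users\u\AppData\Local\Temp\run.vbs"'),
    (300, 100, "notepad.exe", "notepad.exe readme.txt"),
    (301, 100, "cscript.exe", r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli"),
]


def ancestry(by_pid, pid):
    """Walk parent links back to the root, returning image names child-first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:     # 'seen' guards against cyclic pid reuse
        seen.add(pid)
        chain.append(by_pid[pid][1])
        pid = by_pid[pid][0]
    return chain


def find_vbs_spawns(events, benign_parents=("explorer.exe",)):
    """Flag script hosts launched with a .vbs by anything other than an interactive parent."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    hits = []
    for pid, ppid, image, cmd in events:
        if image.lower() not in SCRIPT_HOSTS:
            continue
        m = VBS_PATH.search(cmd)
        if not m:
            continue                               # script host without a .vbs argument
        parent_image = by_pid[ppid][1] if ppid in by_pid else "<unknown>"
        if parent_image.lower() in benign_parents:
            continue                               # user ran a script from the shell: not flagged here
        hits.append({"pid": pid, "script": m.group(1), "chain": ancestry(by_pid, pid)})
    return hits
```

Passing `benign_parents=()` turns the exclusion off and flags every .vbs launch, which is the stricter behaviour a sandbox analysing a single submitted file would use.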
 