New Rombertik malware attacks hard drives, wipes MBR if detected

Status
Not open for further replies.

Tony Cole

Level 27
Verified
May 11, 2014
1,639
No, it deletes the real MBR; it has the ability to lie dormant for days, then once the virtual software stops, it kicks in. Basically it leaves the computer a total brick, with the message "Carbon crack attempt, failed" - what that means, we will find out; it obviously means something to the author/authors.
 

Enju

Level 9
Verified
Well-known
Jul 16, 2014
443
No, it deletes the real MBR; it has the ability to lie dormant for days, then once the virtual software stops, it kicks in. Basically it leaves the computer a total brick, with the message "Carbon crack attempt, failed" - what that means, we will find out; it obviously means something to the author/authors.
Read the whitepaper please... it doesn't do anything outside of the VM. It would only cause you damage if you tried to analyse it outside of a VM. ;)
 

Cch123

Level 7
Verified
May 6, 2014
335
Updated the post to remove inaccuracies.

From my reading(s) of several articles, no virtual software will stop it, so this one's deadly. I don't understand how on earth someone would click an email link, then think "why is it taking 30 minutes to download?". Surely 1GB you would notice!

You probably misinterpreted the articles; virtual machines are able to prevent the malware from compromising the host.

No, it deletes the real MBR; it has the ability to lie dormant for days, then once the virtual software stops, it kicks in. Basically it leaves the computer a total brick, with the message "Carbon crack attempt, failed" - what that means, we will find out; it obviously means something to the author/authors.

I have a sample of the Rombertik malware and I took a very brief look at it. It doesn't lie dormant for days, but it does lie dormant for some time by looping.

The only thing "interesting" is that, unlike most other samples, which do not run or act innocently when they detect that they are being analysed, this malware attempts to destroy the analysis machine, triggering behavioural alarm bells all the way. All in all this is just another overhyped piece of malware.

Anyway, the funnier thing is that Kaspersky detects the malware as DarkKomet, a backdoor that was created many years back. They probably gave it a wrong name / incorrectly identified the malware, but several other vendors are also incorrectly identifying the malware as DarkKomet... makes me wonder if it's just a coincidence or whether vendors are stealing signatures yet again :D
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Cisco: If it detects that it's operating within a Virtual Machine, Rombertik will go nuclear and attempt to overwrite the master boot record of the local hard drive.

At the end of this process, Rombertik computes a 32-bit hash, compares it to an unpacked sample and, if it detects that it’s running in a VM, immediately declares war against the Master Boot Record of your hard drive. If it can’t access and overwrite the MBR, it encrypts all files within the C:\Documents and Settings\Administrator folder using an RC4 key. If it can get its hands on the MBR, it overwrites the partition data with null bytes, making it extremely difficult to restore the drive.
 
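The MBR damage described in that Cisco excerpt is something a responder can check for on a disk image. The following is an added example, not code from the thread or from Cisco: it parses a 512-byte MBR, reads the four partition entries at offset 446 and flags a table that has been overwritten with null bytes; the sample MBR images are constructed inline.

```python
import struct

# MBR layout constants (standard DOS-style MBR).
MBR_SIZE = 512
PART_TABLE_OFFSET = 446     # four 16-byte partition entries start here
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511
ENTRY_FMT = "<B3xB3xII"     # boot flag, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries as dicts (an all-zero entry is unused)."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("MBR image must be at least 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        boot_flag, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        entries.append({"bootable": boot_flag == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(mbr: bytes) -> str:
    """Classify an MBR image: 'wiped' (partition table all null bytes),
    'no_signature' (table present but 0x55AA missing), or 'ok'."""
    table = mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 4 * PART_ENTRY_SIZE]
    if not any(table):
        return "wiped"          # matches the null-byte overwrite described above
    if mbr[510:512] != BOOT_SIGNATURE:
        return "no_signature"
    return "ok"


def build_mbr(entries: list) -> bytes:
    """Build a constructed 512-byte MBR from (boot, type, lba, count) tuples."""
    buf = bytearray(MBR_SIZE)
    for i, (boot, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE,
                         boot, ptype, lba, count)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed healthy MBR: one bootable NTFS (type 0x07) partition at LBA 2048.
HEALTHY_MBR = build_mbr([(0x80, 0x07, 2048, 204800)])
# Constructed damaged MBR: partition table region overwritten with null bytes.
WIPED_MBR = HEALTHY_MBR[:PART_TABLE_OFFSET] + b"\x00" * 64 + HEALTHY_MBR[510:]

if __name__ == "__main__":
    for name, img in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        print(name, assess_mbr(img), parse_partition_table(img)[0])
```

On a real image, read the first 512 bytes of the disk device or image file and pass them to assess_mbr; a fully zeroed first sector is also reported as "wiped".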

Enju

Level 9
Verified
Well-known
Jul 16, 2014
443
Cisco: If it detects that it's operating within a Virtual Machine, Rombertik will go nuclear and attempt to overwrite the master boot record of the local hard drive.
Do you know how a VM works? All write and read attempts are inside a container (virtual HDD), so it can and will only delete the MBR of the container. Geez!
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
So how does it manage to reboot the computer and start a constant reboot loop with the same message popping up?
 

rienna

Level 2
Verified
Mar 28, 2015
64
Wait. So they went with only RC4 encryption?
That same encryption is why WEP is so vulnerable. Literally any computer made within the past decade can crack it, most within minutes or even seconds; RC4 is inherently weak, much like the old outdated DEP standard. They're smart little buggers, but that flaw will be this malware's first downfall. :p
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
I do not know much about encryption; however, I know this one is weak. The malware is well-engineered, covering its tracks, and unfortunately will do a lot of damage: how many home users or small business users use virtual machines? Not many. The cryptic words shown, "Carbon crack attempt, failed", undoubtedly have importance; what, I don't know, but without doubt, given time, we will know both a) what they mean and b) what this malware is all about. It's then over to the experts to fathom out how to cure it and how to prevent it.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
UAC at its highest setting can protect against this nasty malware, since it will go to critical locations of Windows.

Secure Boot on Windows 8 should prevent this from modifying the MBR where it doesn't meet the requirements, especially when unsigned.

A mature sandbox should protect against it, as this malware could not execute when it detects it is within an isolated environment, I assume.
 

LabZero

Rombertik abuses the Windows API, and in particular code-debugging functions, to recognize and confuse any sandbox or virtual machine, as opposed to being "physically" installed on your PC.
 

Deleted member 2913

Installer is a packed executable.

Kaspersky anti-executable configuration will block it from installing.

If installed, Kaspersky Application Control will assign it to either Untrusted (blocked from running) or High Restricted (most functions\system resource accesses blocked).

You're protected...

Will Comodo's default autosandbox protect from this malware?
I use Comodo defaults as I find them suitable & easy for me.
 

hjlbx

Unless the installer can bypass Comodo's anti-executable configuration, your system should be OK:

1: Configure CIS for anti-executable\default-deny using the following settings:

A. Security Settings > File Rating > File Rating Settings > De-select "Trust applications signed by Trusted Vendors."
B. Security Settings > File Rating > File Rating Settings > De-select "Trust files installed by Trusted installers."
C. Security Settings > Defense+ > Auto-sandbox > Create rule as follows: Block - All Applications - Unrecognized
 

Deleted member 2913

Unless the installer can bypass Comodo's anti-executable configuration, your system should be OK:

1: Configure CIS for anti-executable\default-deny using the following settings:

A. Security Settings > File Rating > File Rating Settings > De-select "Trust applications signed by Trusted Vendors."
B. Security Settings > File Rating > File Rating Settings > De-select "Trust files installed by Trusted installers."
C. Security Settings > Defense+ > Auto-sandbox > Create rule as follows: Block - All Applications - Unrecognized
Customizing CIS will protect the system.

What I meant was the default autosandbox, i.e. if the malware was sandboxed?
 

hjlbx

Customizing CIS will protect the system.

What I meant was the default autosandbox, i.e. if the malware was sandboxed?

If I recall what I read, the malware is sandbox\virtualization aware. So the user can launch it and it behaves in a non-malicious manner within the sandbox. The user then judges it as safe - and then installs it. Really bad news...

Malware writers are fully aware of the "containment" technologies, especially virtualization, which in essence means that within a decade sandboxes might be inadequate - if not, for the most part, obsolete.

Classical HIPS and firewall shall always remain relevant...

I use Comodo, Kaspersky, and ESET on different systems primarily for their HIPS and firewall. To me Comodo's sandbox is secondary... with any and all signatures a distant consideration.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Hi Guys- On reading this thread, just a few points-

1). Malware really can't escape from either a VM or a good Sandbox unless it can exploit some coding issue of the Emulator itself. A case in point of this would be the CVE-2014-0983 flaw in VirtualBox discovered by Core early last year (quickly patched).
2). If any of you follow Cisco blogs, you will notice that they are using scare tactics to promote their AMP devices (based on SourceFire, which they acquired in 2013). Seriously, any quality Enterprise Sandboxing technology would immediately flag a file that spawns a vbs script. Cisco knows this.
3). Anyone using the Comodo Sandbox should NEVER try to out-think it. Taking something out of the Box will only end in tears, unless you REALLY know what you are doing.

Finally, Rombertik isn't really any different from any System Wipe malware, which has been around for years, in spite of the Cisco Blog.

For any with further interest I did a quick Video:

http://malwaretips.com/threads/comodo-firewall-vs-rombertik.45702/
 