Rombertik virus destroys Windows when detected
2015-05-07 09:55 by Daniela
Tags: Rombertik, virus
Researchers have found new malware that tries to steal information such as log-in credentials and personal data, but that also wipes the master boot record, or all of the user's files, if it detects that it is being analysed.
The spyware, called Rombertik, is detected by ESET as Win32/Spy.Agent.OLJ. It has "multiple layers of obfuscation and anti-analysis functionality" and is being spread through spam and phishing messages, according to Cisco's researchers.
"At a high level, Rombertik is a complex piece of malware that is designed to hook into the user's browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre," Cisco's researchers add. "However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner."
"The interesting bit with Rombertik is that we are seeing malware authors attempting to be incredibly evasive," Alexander Chiu, a threat researcher with Cisco, said. "If Rombertik detects it's being analyzed running in memory, it actively tries to trash the MBR of the computer it's running on. This is not common behavior."
The infection begins with Rombertik checking whether anti-virus software is installed, and continuing only if it is not. It then installs a second copy of itself that contains the real payload. If that copy detects that it is being analysed, it overwrites the master boot record and tries to render the machine unbootable. Overwriting the MBR does not by itself erase the data on the disk, but the machine will not start until the MBR is rebuilt, and the page notes that Rombertik may also delete the user's files.
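Because the destructive step is an MBR overwrite, one practical check an incident responder can run is to parse the first sector of a disk, validate its structure, and compare its hash with a known-good baseline. The following is an added example written for this page, not code from Cisco, ESET or the Rombertik analysis: it builds a constructed 512-byte sample MBR, parses the partition table, flags the signs of a wiped or zeroed sector, and fingerprints it against a baseline. The device paths in read_live_mbr are assumptions (Windows \\.\PhysicalDrive0 needs administrator rights, Linux /dev/sda needs root); that function is not exercised offline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE
DISK_SIGNATURE_OFFSET = 0x1B8          # bootstrap code occupies bytes 0 .. 0x1B7
PARTITION_ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr():
    """Constructed sample MBR for offline testing; not captured from a real disk."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xeb\xfe\x90"                  # stand-in bootstrap: jmp $ ; nop
    mbr[DISK_SIGNATURE_OFFSET:DISK_SIGNATURE_OFFSET + 4] = b"\x12\x34\x56\x78"  # arbitrary disk signature
    # Entry 0: bootable NTFS (type 0x07) partition starting at LBA 2048, 1,000,000 sectors long.
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = struct.pack(
        PARTITION_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    mbr[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the four 16-byte partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY_FMT, mbr[off:off + 16])
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr):
    """Structural sanity check. Returns (ok, reasons); a wiped sector fails several checks."""
    reasons = []
    if len(mbr) != SECTOR_SIZE:
        return False, [f"expected {SECTOR_SIZE} bytes, got {len(mbr)}"]
    if mbr[0x1FE:0x200] != BOOT_SIGNATURE:
        reasons.append("missing 0x55AA boot signature")
    if not any(mbr[:DISK_SIGNATURE_OFFSET]):
        reasons.append("bootstrap code area is all zeros")
    entries = parse_partitions(mbr)
    used = [p for p in entries if p["type"] != 0x00]
    if not used:
        reasons.append("partition table is empty")
    for p in entries:
        if p["status"] not in (0x00, 0x80):
            reasons.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0x00 and p["sectors"] == 0:
            reasons.append(f"partition {p['index']} has zero length")
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            reasons.append("partition table entries overlap")
            break
    return not reasons, reasons


def fingerprint(mbr):
    """SHA-256 of the raw sector; record this on a known-good machine as the baseline."""
    return hashlib.sha256(mbr).hexdigest()


def drift_from_baseline(mbr, baseline_hex):
    """True when the sector no longer matches the recorded baseline hash."""
    return fingerprint(mbr) != baseline_hex


def read_live_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a physical disk (assumed path; needs admin/root). Not run offline."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = fingerprint(good)
    ok, why = check_mbr(good)
    print("sample MBR:", "intact" if ok else why)
    wiped = bytes(SECTOR_SIZE)                  # what a zeroed first sector looks like
    ok, why = check_mbr(wiped)
    print("wiped MBR:", "intact" if ok else why,
          "| drifted from baseline:", drift_from_baseline(wiped, baseline))
```

The structural check catches a sector that has been zeroed or overwritten with bootstrap code and no partition table; the baseline hash catches the subtler case where the sector is still well-formed but no longer the one the machine shipped with. Record the baseline hash out-of-band (not on the same disk), since a host that has already been wiped cannot vouch for itself.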
Here is what Cisco recommends users do to protect themselves:
"Good security practices, such as making sure anti-virus software is installed and kept up-to-date, not clicking on attachments from unknown senders, and ensuring robust security policies are in place for email (such as blocking certain attachment types) can go a long way when it comes to protecting users. However, a defense in depth approach that covers the entire attack continuum can help identify malware and assist in remediation in the event that an attacker finds a way to evade detection initially."