Self-Destructing Virus Kills Off PCs
mpicpp sends word about a particularly bad virus making the rounds, with this snippet from the BBC: "A computer virus that tries to avoid detection by making the machine it infects unusable has been found. If Rombertik's evasion techniques are triggered, it deletes key files on a computer, making it constantly restart. Analysts said Rombertik was 'unique' among malware samples for resisting capture so aggressively. On Windows machines where it goes unnoticed, the malware steals login data and other confidential information. Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost. Some of the messages Rombertik travels with pose as business inquiry letters from Microsoft. The malware 'indiscriminately' stole data entered by victims on any website, the researchers said. And it got even nastier when it spotted someone was trying to understand how it worked. 'Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,' the researchers said."
You mean, ensures detection (Score:2, Insightful)
A virus that evades detection is supposed to have no noticeable effects, not obvious ones like rebooting. And how well does something on your email attachment really "resist capture"?
Re: (Score:2, Interesting)
Honestly though, a borked Windows box often just gets re-imaged because people aren't all that surprised by one which has gone flaky.
So, you know your machine is having problems, but that doesn't mean you know you have malware.
And, as TFA says:
Basically it sounds like there's not much left to look at.
Re: (Score:3, Insightful)
No, it just means that Windows can't boot. Mount it on another machine and all the data is still there, ready to be analysed.
Re:You mean, ensures detection (Score:5, Interesting)
Sure, but by which point you're doing much more involved forensics and hunting this down.
In many companies, a misbehaving computer is just re-imaged.
We used to have a receptionist who put so much crap on her PC that every couple of months when she decided she'd broken it enough, they'd just re-image it.
Why nobody ever told her to stop putting that crap on in the first place I'll never understand.
In that kind of scenario, nobody would even know she had any specific malware or what it did.
Re: You mean, ensures detection (Score:4, Funny)
Yeah, he was.
Re: (Score:3)
We used to have a receptionist who put so much crap on her PC
Damn, that receptionist must have been seriously hot
Yeah, he was.
:-)
Apart from that, female sysadmins (or company owners) do exist...
Re: (Score:2)
We used to have a receptionist who put so much crap on her PC
Damn, that receptionist must have been seriously hot
Yeah, he was.
:-)
Apart from that, female sysadmins (or company owners) do exist...
Yeah, they do exist, but women are less susceptible to hormones, so it's more likely that if the receptionist were a male, the sysadmins (or company owners) would be gay.
Re: (Score:2)
The fedora is strong on this one.
No, I don't use Fedora. I've tried it a few times, but I've been choosing Mandrake (or its successors) since 2005, and now I use Mageia.
Re: (Score:2)
ACs get less upmods than real accounts... but you're right, it made me laugh :-)
Re: (Score:1)
Except for the fact that the grandparent specifically mentioned that this was a female receptionist five fucking times, numbnuts!
SJW Epic Fail! DIAF!
Re: (Score:2)
Perfectly reasonable scenario. I'm sure I've seen it in some of those "training videos".
Re: (Score:3)
An IT department equipped to do reimaging is probably equipped with at least one IT guy dedicated to security who would want to find out what happened and how to prevent it.
Re: (Score:2)
Why nobody ever told her to stop putting that crap on in the first place I'll never understand.
If only there were some way of stopping people from installing shit on their work computers. ;)
Re: (Score:2)
The MBR is trivially easy to recreate; you can even do it from a Windows install disk without installing Windows.
This sounds like some high school student prank.
Re: (Score:2)
The Linux TestDisk utility will scan your hd and make an attempt to repair your HD.
Most people I know, when they see the missing MBR call a techie friend.
Re:You mean, ensures detection (Score:5, Interesting)
This sounds like some high school student prank.
Speaking of high-school pranks. One funny MBR-related thing we did back in the day was creating a loop in the chain of logical partitions. (The MBR can only define 4 primary partitions; if you want more than 4, you create an extended partition, which contains a linked list of logical partitions.) We made this linked list loop back to its beginning.
Windows (or DOS) versions back in the day were so buggy that they didn't notice the loop, and kept scanning, and scanning, and scanning until they reached the end of the list (which happened never, because it was a loop).
Result: unbootable machine. Even from a floppy. Because the DOS on the floppy was also doing the inventory of all storage media attached to the machine and stumbled upon the same partition loop. And if you removed the (internal) hard disk, well, then you obviously couldn't reinstall Windows on it.
The only fix was to boot Linux from a floppy, and remove the loop from there. However, back in the day Linux was still obscure enough that the "powers that be" didn't know about this fix...
Re: (Score:2)
> Windows (or DOS) versions back in the day were so buggy that they didn't notice the loop
That's your idea of "buggy"? Intentional sabotage causing issues?
That's rather like saying your car is buggy for not working when you disconnect the sparkplugs.
Re: (Score:3)
That's your idea of "buggy"? Intentional sabotage causing issues?
Rule 1: Always check your inputs.
Rule 2: It comes after rule 1.
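The partition-loop prank above, and the "always check your inputs" reply, translate directly into code. The following is an added example, not code posted by anyone in this thread: it walks the EBR linked list of an extended partition the way a partitioner has to, with the loop and chain-length checks that the old DOS scanners evidently lacked. The disk is a constructed in-memory image (a sparse dict of sectors), and the function names (walk_logicals, build_image, pack_entry) are mine, not any real tool's.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS extended, Win95 LBA extended, Linux extended


def pack_entry(ptype, lba_start, sectors):
    """Pack one 16-byte partition-table entry. CHS fields are set to the
    0xFE/0xFF/0xFF filler that means 'use the LBA fields'."""
    return bytes([0x00, 0xFE, 0xFF, 0xFF, ptype, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", lba_start, sectors)


def pack_table_sector(entries):
    """Build an MBR/EBR sector: 446 bytes of boot code (zeroed here),
    up to four entries, then the 0x55AA signature."""
    body = b"".join(entries) + bytes(16 * (4 - len(entries)))
    return bytes(446) + body + b"\x55\xAA"


def parse_entries(sector):
    """Return the four entries of an MBR/EBR as (type, lba_start, sectors)."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR/EBR sector: missing 0x55AA signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = sector[off + 4]
        lba, size = struct.unpack_from("<II", sector, off + 8)
        entries.append((ptype, lba, size))
    return entries


def walk_logicals(read_sector, max_hops=128):
    """Follow the EBR linked list inside the extended partition and return
    the logical partitions as absolute (lba_start, sectors) pairs.

    Entry 0 of each EBR describes a logical partition, offset relative to
    the EBR itself; entry 1 points at the next EBR, offset relative to the
    START of the extended partition. A sabotaged entry 1 can point back at
    an earlier EBR: the 'seen' set turns that into an error instead of an
    endless scan, and max_hops bounds the chain even when it does not loop.
    """
    extended = [e for e in parse_entries(read_sector(0)) if e[0] in EXTENDED_TYPES]
    if not extended:
        return []
    ext_start = extended[0][1]
    seen, found = set(), []
    ebr_lba = ext_start
    for _ in range(max_hops):
        if ebr_lba in seen:
            raise ValueError(f"EBR chain loops back to LBA {ebr_lba}")
        seen.add(ebr_lba)
        logical, link = parse_entries(read_sector(ebr_lba))[:2]
        if logical[0] != 0x00:
            found.append((ebr_lba + logical[1], logical[2]))
        if link[0] == 0x00:            # no next EBR: end of chain
            return found
        ebr_lba = ext_start + link[1]
    raise ValueError(f"EBR chain longer than {max_hops} entries")


def build_image(loop):
    """Constructed in-memory disk (not a real capture): one primary partition,
    then an extended partition at LBA 1000 holding two logical partitions.
    With loop=True the second EBR's link points back at the first EBR."""
    image = {
        0: pack_table_sector([pack_entry(0x83, 1, 999), pack_entry(0x05, 1000, 3000)]),
        1000: pack_table_sector([pack_entry(0x83, 1, 999), pack_entry(0x05, 1000, 1000)]),
        2000: pack_table_sector([pack_entry(0x83, 1, 999),
                                 pack_entry(0x05, 0, 1000) if loop else pack_entry(0x00, 0, 0)]),
    }
    return lambda lba: image.get(lba, bytes(SECTOR))


if __name__ == "__main__":
    print(walk_logicals(build_image(loop=False)))   # [(1001, 999), (2001, 999)]
    try:
        walk_logicals(build_image(loop=True))
    except ValueError as err:
        print("refused:", err)
```

The two bounds do different jobs: the seen-set catches the exact prank described (a link back to an earlier EBR), while max_hops also stops a chain that merely wanders forward through garbage sectors that happen to end in 0x55AA.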
Re: (Score:2)
That is pretty evil.
Being a hardware guy, I would have tried either pinning one of the ATA I/O bits to corrupt the data during enumeration or disabling the ATA interface until after DOS is booted. Back then I had an ISA ATA interface card which was just discrete logic bus transceivers, buffers, and some simple decoding logic which could do either easily. I used it for debugging ATA interfaces.
The ATA interface was originally a buffered version of the ISA bus with some decoding. You can build one with a f
Re: (Score:2)
The article is terrible. Bootrec /FIXMBR to the rescue.
Re:You mean, ensures detection (Score:4, Interesting)
It's curious why the virus would clear the MBR - if you have a large drive (> 2TB) or Windows 8, your hard drive uses GPT and not MBR. Sure a GPT disk has an MBR (called a "protective MBR") that basically blocks out the GPT partitions, but that's to prevent existing partitioning tools from screwing up the GPT partitions as they'll see a fully partitioned disk.
If you have GPT, an MBR wipe out means absolutely squat - your partitioner might complain that the protective MBR is missing, but that's trivial to recreate since it basically covers the entire disk (or the first 2TB, the maximum MBR can cover).
Re: (Score:1)
In most versions of Windows, a disagreement between the MBR and the GPT results in the MBR being used instead.
Re: (Score:2)
Of course we already know that this virii/trojan/whatever you want to call it isn't messing around with the partition table, so your point is moot. Since fixmbr can rebuild even a ruined boot sector or bad boot code, that solves the majority of the issue in question. Deleting the partition table however would cause more of an issue for most people, since most people have no idea how to rebuild a partition table manually.
Re:You mean, ensures detection (Score:4, Informative)
From the Cisco link, it does wipe the partition table. In this case, MBR doesn't mean just initial boot code, but the whole boot sector of the system, which contains the partition table as well. (Probably one of those legacy PC things we're still living with... most other sane systems generally move the boot code or the partition table elsewhere.).
Basically it rewrites sector 0.
Which on a modern Windows system does squat, since we're using EFI boot, which no longer does the sector chainboot the old BIOS does. Plus, modern systems don't use MBR partitioning; they use GPT, which, while it has an MBR, marks it as protective so MBR-aware tools won't inadvertently create an MBR partition table over the GPT one.
GPT tools can easily rebuild the protective MBR without even reading the GPT, since the protective MBR partition is a fixed type and spans the whole disk (or the first 2TB, maxing out MBR).
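As an added example (not from the post above, and not any real partitioning tool's code), this shows why a sector-0 overwrite is cheap to undo on a GPT disk: the protective MBR is rebuilt from the GPT header at LBA 1 alone, because the type-0xEE entry is fixed in form and its length follows from the header's backup-header LBA. The GPT header used here is constructed with a correct CRC32, the function names are assumed, and the refusal to proceed when the header CRC does not verify is the check a practitioner would want before writing anything back to a disk.

```python
import struct
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
MBR_MAX_LBA = 0xFFFFFFFF            # 32-bit LBA fields: ~2 TiB with 512-byte sectors


def gpt_header_valid(lba1):
    """Check the primary GPT header at LBA 1: signature and header CRC32
    (computed with the CRC field itself zeroed, as the UEFI spec requires)."""
    if lba1[:8] != GPT_SIGNATURE:
        return False
    header_size, stored_crc = struct.unpack_from("<II", lba1, 12)
    if not 92 <= header_size <= SECTOR:
        return False
    hdr = bytearray(lba1[:header_size])
    hdr[16:20] = b"\x00" * 4
    return (zlib.crc32(bytes(hdr)) & 0xFFFFFFFF) == stored_crc


def protective_entry(sector0):
    """Return (lba_start, sectors) of the type-0xEE protective entry, or None
    if sector 0 has no valid signature or no such entry (e.g. it was zeroed)."""
    if sector0[510:512] != b"\x55\xAA":
        return None
    for i in range(4):
        off = 446 + 16 * i
        if sector0[off + 4] == 0xEE:
            return struct.unpack_from("<II", sector0, off + 8)
    return None


def rebuild_protective_mbr(lba1):
    """Rebuild sector 0 for a GPT disk from the header alone. The protective
    entry is fixed: type 0xEE, start LBA 1, length = whole disk minus LBA 0,
    capped at what 32-bit fields can express. The disk's last LBA is read from
    the header's 'alternate (backup) header LBA' field at offset 32."""
    if not gpt_header_valid(lba1):
        raise ValueError("LBA 1 does not hold a valid GPT header; refusing to guess")
    backup_lba = struct.unpack_from("<Q", lba1, 32)[0]
    sectors = min(backup_lba, MBR_MAX_LBA)          # covers LBAs 1..backup_lba
    entry = bytes([0x00, 0x00, 0x02, 0x00,          # CHS start 0/0/2 (= LBA 1)
                   0xEE, 0xFF, 0xFF, 0xFF]) + struct.pack("<II", 1, sectors)
    sector0 = bytearray(SECTOR)                     # boot code left zero: UEFI never runs it
    sector0[446:462] = entry
    sector0[510:512] = b"\x55\xAA"
    return bytes(sector0)


def sample_gpt_header(disk_sectors=2048000):
    """Constructed primary GPT header (not from a real disk) with a correct CRC."""
    fields = struct.pack("<8sIIIIQQQQ16sQIII",
                         GPT_SIGNATURE, 0x00010000, 92, 0, 0,
                         1, disk_sectors - 1,             # current LBA, backup header LBA
                         34, disk_sectors - 34,           # first / last usable LBA
                         b"\x11" * 16,                    # disk GUID (arbitrary)
                         2, 128, 128, 0)                  # entry array LBA, count, entry size, array CRC
    crc = zlib.crc32(fields) & 0xFFFFFFFF
    fields = fields[:16] + struct.pack("<I", crc) + fields[20:]
    return fields + bytes(SECTOR - len(fields))


if __name__ == "__main__":
    wiped = bytes(SECTOR)                                # what a sector-0 overwrite leaves behind
    print(protective_entry(wiped))                       # None
    rebuilt = rebuild_protective_mbr(sample_gpt_header())
    print(protective_entry(rebuilt))                     # (1, 2047999)
```

If the primary header at LBA 1 is also damaged, the same routine works on the backup header at the last LBA of the disk, whose CRC is independent; that is the copy the malware's single-sector overwrite cannot reach.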
Re: (Score:3)
Except of course altering bios boot queue and shifting it to USB and booting say an Ubuntu image to fix and clear the hard disk drive. So still pretty much targeted at amateurs. Infected computer, once discovered, immediately reboot from a secure stable OS image on a thumb drive, Linux preferable as way to expensive to pay for a second copy of windows just for emergency boots. Then have a good hard look at what is going on with regard to that OS image on the hard disk drive, what files are where and, what
It isn't about trying to hide the malware, it is very obvious that it is there.
It is about thwarting any further analysis, or at least making it a pain in the butt.
So you know for a fact you've found a bit of malware, but as soon as you probe it to find its secrets it kills itself.
Re: (Score:2)
So you know for a fact you've found a bit of malware, but as soon as you probe it to find its secrets it kills itself.
This is not something that would thwart sandbox analysis, however...
In fact... as soon as the software does something, you know that there is actually malicious software, then you can in a single click roll it back, skip the instruction, and run again!
Doing things aids analysis..... it's software that detects an analysis environment and then silently changes behavior to conceal
I don't think any expert antivirus writer would be delayed by this. This sounds more like simple dickery.
Re: (Score:2)
no simple about it. it sounds like monumental, epic dickery.
Re: (Score:2)
You could at least try to read the entire summary.
Re:You mean, ensures detection (Score:5, Funny)
Sounds to me just like the viruses of the 80's and 90's, pre-internet days. Back then, it wasn't about stealing passwords or holding data for ransom. It was about causing mayhem, and wiping a computer some time after infection, or otherwise damaging the computer's ability to operate normally was the norm (until Windows 95 came along and called it a feature).
It's not just a virus. It's a retrovirus.
*ducks*
Re: (Score:2)
Oh god yeah. There were some nasties back then. I still remember one that would at a random time write junk to the BIOS, effectively permabricking the computer.
Re: (Score:2)
Tchernobyl? Learned how to hot-flash a BIOS thanks to that one...
Re:You mean, ensures detection (Score:4, Insightful)
Yup, my Amiga days were the first thing to come to mind.
Upon reading the headline, my first thought was that the virus was wiping out the firmware, which really kills most devices as hardly anything has a ROM backup. Overwriting system files? Yawn.
Re: (Score:1)
I lived through the early times of computing and Windows 95 was a lot more stable for me than Windows 3.1, especially when doing the things that computers were most commonly used for in those days: playing games and typing documents. I dreaded the General Protection Fault.
In my memory, DOS was more stable, but I'd still prefer 3.1. In DOS you needed to quit the current application in order to consult data in a file the current application couldn't read, which was frankly as annoying, and I spent countless h
Destruction is in response to detection attempts (Score:4, Informative)
This malware is very hard to detect under normal conditions. But it is outfitted with countermeasures. When it detects activities that are consistent with malware detection, study and/or removal, it responds in many destructive ways. It makes it difficult for a white hat to suss it. But, no, it does not give itself away by cutting up rough. It only starts the visible signs of infection when it deems the jig is up anyway.
There is a very good (and somewhat scary) article from The Register. [theregister.co.uk] on Rombertik.
This is as nasty a piece of work as you will ever not wish to see anywhere near your equipment.
"Kills Off PCs" -- Um, no it doesn't. (Score:1)
Did the submitter even bother to read the article?? It can affect a *very* narrow range of Windows PCs, all of which can be restored by replacing any modified files.
Re: (Score:2)
Did the submitter even bother to read the article??
Actually he did. The article has the quote "kill off"... (I was going to post the same thing when the article was in Firehose [slashdot.org] -- but decided not to); however, if you read the article, the PC isn't killed (in reality nothing is), just the MBR is nuked. Anyone ever hear of "backup"?
... then it removed the MBR. But there is no elaboration on this action.
The only thing "exciting" about this one is the detection that is being removed
Re: (Score:1)
> It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable. If the malware does not have permissions to overwrite the MBR, it will instead destroy all files in the user’s home folder (e.g. C:\Documents and Settings\Administrator\) by encrypting each file with a randomly generated RC4 key. After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted. The MBR also contains information about the disk partitio
Re: (Score:2)
The MBR also contains information about the disk partitions. The altered MBR overwrites the bytes for these partitions with Null bytes, making it even more difficult to recover data from the sabotaged hard drive.
Nowadays, most drives only contain a single partition (especially those of unsophisticated users), so even that is easy to recover. Or else, look for partition boot sector signatures in the likely places (aligned on a cylinder start).
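An added example, not code from the post above, of the recovery the poster describes: scan the likely partition start offsets (sector 63 and cylinder boundaries for pre-Vista layouts, 1 MiB boundaries for Vista-and-later layouts) for NTFS and FAT32 volume boot records, and write the recovered entries into a fresh sector 0. The disk image is constructed, with sector 0 zeroed as the Cisco write-up quoted earlier in the thread describes; the function names are assumed. It goes slightly beyond the single-partition case in the post by recovering two volumes with different alignments.

```python
import struct

SECTOR = 512
CYLINDER = 63 * 255       # sectors per cylinder in the classic 255-head / 63-sector geometry
MIB_ALIGN = 2048          # 1 MiB alignment used by Vista and later partitioning tools


def identify_vbr(sector):
    """Recognise an NTFS or FAT32 volume boot record and return
    (mbr_partition_type, partition_sectors), or None."""
    if sector[510:512] != b"\x55\xAA":
        return None
    if sector[3:11] == b"NTFS    ":
        total = struct.unpack_from("<Q", sector, 40)[0]
        return 0x07, total + 1        # NTFS TotalSectors excludes its backup boot sector
    if sector[82:90] == b"FAT32   ":
        total = struct.unpack_from("<I", sector, 32)[0]
        return 0x0C, total
    return None


def candidate_starts(disk_sectors):
    """Offsets where a partition is likely to begin: sector 63 and cylinder
    boundaries (old tools), and 1 MiB boundaries (newer tools)."""
    starts = {63}
    starts.update(range(CYLINDER, disk_sectors, CYLINDER))
    starts.update(range(MIB_ALIGN, disk_sectors, MIB_ALIGN))
    return sorted(starts)


def recover_partitions(read_sector, disk_sectors):
    """Scan candidate offsets and return [(lba_start, type, sectors), ...]
    for every recognisable volume boot record that fits on the disk."""
    found = []
    for lba in candidate_starts(disk_sectors):
        hit = identify_vbr(read_sector(lba))
        if hit and hit[1] > 0 and lba + hit[1] <= disk_sectors:
            found.append((lba, hit[0], hit[1]))
    return found


def rebuild_mbr(partitions, boot_code=bytes(446)):
    """Write up to four recovered partitions into a fresh sector 0. The
    original boot code is gone; pass replacement code or leave zeros and
    reinstall it afterwards with the OS's own tool (e.g. bootrec /fixmbr)."""
    if len(partitions) > 4:
        raise ValueError("more than four partitions need an extended partition")
    sector0 = bytearray(SECTOR)
    sector0[:446] = boot_code[:446].ljust(446, b"\x00")
    for i, (lba, ptype, size) in enumerate(partitions):
        off = 446 + 16 * i
        sector0[off:off + 16] = (bytes([0x00, 0xFE, 0xFF, 0xFF, ptype, 0xFE, 0xFF, 0xFF])
                                 + struct.pack("<II", lba, size))
    sector0[510:512] = b"\x55\xAA"
    return bytes(sector0)


def make_ntfs_vbr(partition_sectors):
    """Constructed NTFS boot sector carrying only the fields scanned above."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<H", s, 11, 512)                  # bytes per sector
    s[13] = 8                                            # sectors per cluster
    struct.pack_into("<Q", s, 40, partition_sectors - 1)  # TotalSectors
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def make_fat32_vbr(partition_sectors):
    """Constructed FAT32 boot sector carrying only the fields scanned above."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x58\x90"
    struct.pack_into("<H", s, 11, 512)
    s[13] = 8
    struct.pack_into("<I", s, 32, partition_sectors)     # 32-bit total sectors
    s[82:90] = b"FAT32   "
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def build_sabotaged_image():
    """Constructed disk: sector 0 zeroed (partition table gone), a FAT32 volume
    at LBA 63 (old alignment) and an NTFS volume at LBA 2048 (1 MiB alignment)."""
    disk_sectors = 40960
    image = {63: make_fat32_vbr(1985), 2048: make_ntfs_vbr(20480)}
    return (lambda lba: image.get(lba, bytes(SECTOR))), disk_sectors


if __name__ == "__main__":
    read, n = build_sabotaged_image()
    parts = recover_partitions(read, n)
    print(parts)                                         # [(63, 12, 1985), (2048, 7, 20480)]
    print(rebuild_mbr(parts)[446:478].hex())
```

The recovered table is only as trustworthy as the scan: a stale boot sector from a deleted volume will also match, so compare the result against the volumes Windows actually mounted (or against the NTFS backup boot sectors at the end of each candidate range) before writing it to the real disk.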
meh (Score:2)
Take the drive out and scan it in a dock. Side-load the drive's registry and scan it. It's happened before, for less capitalist reasons.
CIH [wikipedia.org]
Should have gone ninja... (Score:1)
As soon as it detects attempts to analyse it, it deletes itself completely, so the victim is left never knowing if it was really there or not.
Is that all??? (Score:4, Interesting)
Of all the destructive things one could do, it rewrites the MBR? That's it? That's fairly easy to fix, and your data is still intact and easily recovered by copying it with a second machine.
To be honest, a much more dangerous one would be one that sits dormant for, oh, say six months or so. In doing that, it gets itself into all of your backups (if you have any), and now you're going to have trouble separating your data from the virus. If it then activates a random amount of days (1-14) after being restored, it's not obvious which backups are infected and which ones aren't.
Of course, this is all purely theoretical, and I highly discourage anyone from actually implementing this - it's just an idea...
Re: (Score:2)
I wouldn't be surprised to see far worse things come down the pipe, especially malware that exploited domain admin rights to compromise the entire AD forest.
However, we have one big defense against all of this: Virtualization. Not just VM farms, but VDI (so a compromised desktop can just be rolled back to a known good snapshot almost instantly.) If the malware can't touch hardware, it can still destroy/corrupt files, but VMs have a lot more tools available for mitigating/reversing such attacks, even if i
Re: (Score:2)
So, because this actually hurts businesses . . . we might see actual money spent for handling data integrity as part of enterprise security.
You obviously don't have any understanding of business in the real world.
Re: (Score:2)
On top of that on modern UEFI-based systems the MBR doesn't do anything anyway (it is just there to prevent older partition tools from messing with the disk). It wouldn't surprise me at all if a variant of this appeared that attempts to wipe all copies of the partition information on GPT disks as well making it potentially more da
Just a different way to be DickWare (Score:1)
How is this different than a PC with a non-closable prompt that says, "Your PC is infected. Enter your credit card number to order our cleaning software".
I suppose it could be even worse by deleting all your files and THEN locking up.
Re:Another "news for tabloids" article. (Score:4, Informative)
A computer is not "destroyed" if you have to repair the MBR or reinstall Windows.
Not to mention, you don't have to re-install Windows. You can install a proper OS instead.
Re: (Score:2)
Since TFA (more than TFS) mentions that these various attacks are in response to the virus "realising" that it is running in a "sandbox" type environment, I'd expect it to detect many un-stealthed VM environments too.
I read TFA for about 5 minutes before I came across something remotely interesting. I got it that the malware had substantial checks to make it *harder* for an investigator (virus researcher, forensics investigator after a b
Moderators... (Score:2)
(Even if it's just about a presentational aspect?)
Kills PC, by making the machine unusable... (Score:3)
Does nothing to the machine at all, just attacks the operating system ...not news ...
Re: (Score:3)
That has to be the stupidest virus on the planet. Why would you want to do this I mean, sure, you annoy somebody for a day or so, possibly make them spend money to get it fixed, but then the problem is solved. The most successful viruses are ones that nobody knows are there. You can then spread to other machines silently without anybody knowing. Then the virus gives you remote control over the machine so you can collect valuable information. If you really just want to annoy the user and break their com
Not new. (Score:2)
There was one that would attempt to find the BIOS flash and write FFFF to the first 2 bytes making the computer never boot again until the flash was pulled and re-written.