A new virus that crashes a computer when it is detected

Original author: Jeremy Kirk

A new strain of malware cripples the computer when it detects that it is being examined by antivirus tools, inflicting catastrophic damage on its victims.

The virus, which Cisco Systems has named Rombertik, intercepts any text, however trivial, typed into a browser window. According to a post published Monday on the blog of Cisco's Talos Group, it spreads through spam and phishing emails.

Once launched on a Windows computer, Rombertik runs several series of checks to determine whether it is being detected by antivirus programs before it continues to act.

Such behavior is not unusual for some types of malware, but Rombertik “is unique in that it actively tries to destroy data on the computer if it detects certain traces of malware analysis,” wrote Ben Baker and Alex Chiu of the Talos Group.

Similar “wiper” malware was used in 2013 in attacks against targets in South Korea, and in last year's attack on Sony Pictures Entertainment. The US government attributes both attacks to North Korea.

Rombertik's final check is the most dangerous. It computes a 32-bit hash of a resource in memory, and if that resource or the compilation timestamp has been altered, Rombertik begins its self-destruct routine. Its primary target is the Master Boot Record (MBR), located in the first sector of the PC's hard drive, which the computer uses to boot the operating system. If Rombertik cannot gain access to the MBR, it instead destroys all the files in the user's home folder, encrypting each one with a random RC4 key.

Once the MBR or home folder has been encrypted, the computer restarts. The overwritten MBR throws the machine into an endless loop that prevents it from booting, and the message “Carbon crack attempt, failed” appears on the screen.

Once installed on a computer, the virus unpacks itself. About 97 percent of the unpacked file is padding crafted to look like genuine code: it contains 75 images and 8,000 decoy functions that are never actually used.

“This malware is designed to make it impossible for antivirus programs to scan every function,” Talos wrote.

It also tries to evade sandboxes, the practice of quarantining a suspicious file in an isolated environment for a period while it is examined. Some malicious programs simply try to wait out that period, hoping to wake up and act once the check is over.

Rombertik instead stays active, writing a single byte of data to memory 960 million times, which makes it difficult for antivirus programs to analyze.

“And if an antivirus program tries to record all 960 million of those writes, the log file can grow to 100 gigabytes,” Talos wrote.
