A Spiteful New Malware

6 May 2015 by Jenn Granger

A new malware has been found called Rombertik that not only wants to steal your information, but – if you try and take it down – it’ll take you down with it. There are steps you can take to protect yourself though!

Talos, which creates threat intelligence for Cisco, discovered Rombertik – a particularly spiteful form of malware. Researchers Ben Baker and Alex Chiu say it’s a new and ‘uniquely’ aggressive type of malware which steals all information from all websites indiscriminately and then sends your computer into a freakout of apocalyptic proportions if it thinks it’s going to be discovered.

The pair wrote that, “At a high level, Rombertik is a complex piece of malware that is designed to hook into the user’s browser to read credentials and other sensitive information for exfiltration to an attacker controlled server.”

It then regularly sweeps the system to make sure it’s not at risk of detection; if it thinks it’s about to come under fire it’ll try to destroy the Master Boot Record (MBR), which sends the computer into a loop of attempted restarts. Think Groundhog Day, except instead of a heartwarming storyline, you’re locked out of your computer.

Even if you have safeguards like sandboxes – which section off sensitive info – it confuses them by writing a byte of junk info to memory 960 million times, which swells the logs of tracing tools.

Usually malware won’t have functions like this because they cut down the time it has to steal info – and malware that does self-destruct to avoid detection doesn’t usually take the user’s info down with it. Our security division, Secarma, explains why the Rombertik malware might do this:

During malware analysis (reverse engineering) researchers use two approaches: one is static analysis and the second is dynamic analysis.

Static analysis is where the analysis of computer software is performed without actually executing the program. Malware writers were able to make this technique obsolete by encrypting the code and only decoding this during run time.

Dynamic analysis, on the other hand, is where the computer software is executed and it’s observed how it’s executed. Malware writers have been trying to outsmart security researchers for quite some time by encoding and packing the malware, making it extremely difficult to understand the code and functionality of the program.

This malware is like any other malicious program, but what it excels in is making life difficult for security researchers who try to dynamically analyse it. It creates multiple functions and subroutines which do nothing but create data for them to sort through, and if they are not careful there are many pitfalls in the program to clear the MBR and to encrypt the home file.

Rombertik weasels into your computer through phishing; so, as ever, be careful about clicking on links in emails – even if they look like they’ve come from a legit source. Microsoft seems to be a favourite spoof of this particular malware, and Secarma says that accounts departments can also be vulnerable, as attackers are aware that they will be expecting to receive attachments like invoices.

It’s also important to make sure you’re backing up your system regularly – so if you do have to reinstall you won’t lose everything – and if possible implement (or update rules on existing) network intrusion detection systems (NIDS) to identify communications from your network with the C&C. A NIDS simply monitors your traffic, so you should be able to tell that there’s something wrong without alerting the attackers. You could then potentially format and reinstall (basically remove the data and then restart everything) without losing anything. This is pretty good practice generally!

If you have to reinstall your MBR you would also need to reinstall Windows, and could lose important data – not to mention the massive frustration – so it’d probably be great if you could avoid this hassle in the first place. Don’t let this particularly charming piece of malware into your system!
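
An added example, not part of the original post and not UKFast's or Secarma's code: a small Python check that parses a saved copy of the MBR (the first 512-byte sector of the disk) and compares a live copy against a known-good backup, so an overwritten boot record can be spotted and restored from the backup. The sample sectors are constructed for illustration and the function names are hypothetical.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0-445
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR

def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR, or raise ValueError."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55 AA missing")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, start LBA, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid status byte {status:#04x}")
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "start_lba": start, "sectors": count})
    return parts

def compare_to_backup(live, backup):
    """List how a live sector 0 differs from a known-good backup copy."""
    findings = []
    try:
        parse_mbr(live)
    except ValueError as exc:
        findings.append(f"live MBR invalid: {exc}")
    if live[:PART_TABLE_OFFSET] != backup[:PART_TABLE_OFFSET]:
        findings.append("boot code differs from backup")
    if live[PART_TABLE_OFFSET:510] != backup[PART_TABLE_OFFSET:510]:
        findings.append("partition table differs from backup")
    return findings

def fingerprint(sector):
    """SHA-256 of the sector, to store alongside the backup."""
    return hashlib.sha256(sector).hexdigest()

# Constructed sample data (not taken from a real disk or from Rombertik).
_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
GOOD_MBR = b"\x90" * 446 + _entry + bytes(48) + BOOT_SIGNATURE
WIPED_MBR = bytes(SECTOR_SIZE)   # sector 0 overwritten with zeros

if __name__ == "__main__":
    print(parse_mbr(GOOD_MBR))
    print(compare_to_backup(WIPED_MBR, GOOD_MBR))
```

On a real system the 512 bytes would come from reading the start of the raw disk device with administrator rights, and the backup copy should be stored off the machine.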

For more information on how UKFast can help protect your solution, take a look at our website or give us a call on 0208 045 4945.