Slashdot Mirror


Self-Destructing Virus Kills Off PCs

mpicpp sends word about a particularly bad virus making the rounds, with this snippet from the BBC: "A computer virus that tries to avoid detection by making the machine it infects unusable has been found. If Rombertik's evasion techniques are triggered, it deletes key files on a computer, making it constantly restart. Analysts said Rombertik was 'unique' among malware samples for resisting capture so aggressively. On Windows machines where it goes unnoticed, the malware steals login data and other confidential information. Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost. Some of the messages Rombertik travels with pose as business inquiry letters from Microsoft. The malware 'indiscriminately' stole data entered by victims on any website, the researchers said. And it got even nastier when it spotted someone was trying to understand how it worked. 'Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,' the researchers said."

107 comments

  1. You mean, ensures detection by penguinoid · · Score: 2, Insightful

    A virus that evades detection is supposed to have no noticeable effects, not obvious ones like rebooting. And how well does something on your email attachment really "resist capture"?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:You mean, ensures detection by gstoddart · · Score: 1, Interesting

      Honestly though, a borked Windows box often just gets re-imaged because people aren't all that surprised by one which has gone flaky.

      So, you know your machine is having problems, but that doesn't mean you know you have malware.

      And, as TFA says:

      The code replacing the MBR makes the machine print out a message mocking attempts to analyse it.

      Restoring a PC with its MBR deleted involves reinstalling Windows, which could mean important data is lost.

      Basically it sounds like there's not much left to look at.

      --
      Lost at C:>. Found at C.
    2. Re:You mean, ensures detection by cheater512 · · Score: 1

      It isn't about trying to hide the malware, it is very obvious that it is there.

      It is about thwarting any further analysis, or at least making it a pain in the butt.
      So you know for a fact you've found a bit of malware, but as soon as you probe it to find its secrets it kills itself.

    3. Re:You mean, ensures detection by wisnoskij · · Score: 1

      More like ensures self-destruction. You kill the host, and you die. The virus might as well have been cleaned being on an OS that no longer boots properly.

      --
      Troll is not a replacement for I disagree.
    4. Re:You mean, ensures detection by BoogieChile · · Score: 3, Insightful

      No, it just means that Windows can't boot. Mount it on another machine and all the data is still there, ready to be analysed

    5. Re:You mean, ensures detection by norpy · · Score: 1

      The MBR is trivially easy to recreate, you can even do it from a windows install disk without installing windows.

      This sounds like some high school student prank.

    6. Re:You mean, ensures detection by Anonymous Coward · · Score: 0

      The partition table is in the MBR as well. I doubt the windows install disk will scan and repair that.

    7. Re:You mean, ensures detection by Mashiki · · Score: 1

      The article is terrible. Bootrec /FIXMBR to the rescue.

      --
      Om, nomnomnom...
    8. Re:You mean, ensures detection by Anonymous Coward · · Score: 0

      Maybe, but that means the high schoolers are working one level higher now; the article mentions a particular malware detection detection scheme that is above the average high school prank effort.

    9. Re:You mean, ensures detection by Anonymous Coward · · Score: 0

      Not at all. The software detects someone is trying to study it and then tries to make the researcher's job more challenging. It's done only after it's detected.
      The same is done by game companies to protect from crackers, although they don't destroy the host machine but run different code to fuck with the cracker (the crackers of course end up learning the techniques and how to counter them).

    10. Re:You mean, ensures detection by Anonymous Coward · · Score: 0

      Did you read the summary, or just the headline? The virus only starts trying to destroy the PC once it's been found. That makes it harder for experts to analyze, and might delay a fix being deployed in antivirus programs.

    11. Re:You mean, ensures detection by gstoddart · · Score: 4, Interesting

      Sure, but by which point you're doing much more involved forensics and hunting this down.

      In many companies, a misbehaving computer is just re-imaged.

      We used to have a receptionist who put so much crap on her PC that every couple of months when she decided she'd broken it enough, they'd just re-image it.

      Why nobody ever told her to stop putting that crap on in the first place I'll never understand.

      In that kind of scenario, nobody would even know she had any specific malware or what it did.

      --
      Lost at C:>. Found at C.
    12. Re:You mean, ensures detection by un1nsp1red · · Score: 5, Insightful

      It sounds like the receptionist is the malicious part of this scenario.

    13. Re:You mean, ensures detection by MouseTheLuckyDog · · Score: 1

      The Linux TestDisk utility will scan your hd and make an attempt to repair your HD.

      Most people I know, when they see the missing MBR call a techie friend.

    14. Re:You mean, ensures detection by sjames · · Score: 1

      You could at least try to read the entire summary.

    15. Re:You mean, ensures detection by rtb61 · · Score: 2

      Except of course altering bios boot queue and shifting it to USB and booting say an Ubuntu image to fix and clear the hard disk drive. So still pretty much targeted at amateurs. Infected computer, once discovered, immediately reboot from a secure stable OS image on a thumb drive, Linux preferable as way too expensive to pay for a second copy of windows just for emergency boots. Then have a good hard look at what is going on with regard to that OS image on the hard disk drive, what files are where and, what they actually are. That lesson was learnt many years ago, getting caught deleting bad stuff only to have it reappear on reboot was to be expected. So normal tactic was to have a non aggressive look around, see what protective software was actually doing and based upon that do a reboot to CD and fix the problems on the hard disk drive, with thumb secure response and repair thumb drives properly set up, the fix is much easier now.

      --
      Chaos - everything, everywhere, everywhen
    16. Re:You mean, ensures detection by steelfood · · Score: 4, Funny

      Sounds to me just like the viruses of the 80's and 90's, pre-internet days. Back then, it wasn't about stealing passwords or holding data for ransom. It was about causing mayhem, and wiping a computer some time after infection, or otherwise damaging the computer's ability to operate normally was the norm (until Windows 95 came along and called it a feature).

      It's not just a virus. It's a retrovirus.

      *ducks*

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    17. Re: You mean, ensures detection by Anonymous Coward · · Score: 0

      Sounds like the good ole stoned virus to me, with an updated infection vector.

    18. Re:You mean, ensures detection by mysidia · · Score: 1

      FIXMBR only works if the bootcode is wrong or missing. It doesn't help if the entire MBR has been cleared, since the disk's partition table is also stored in that sector.

    19. Re:You mean, ensures detection by Anonymous Coward · · Score: 0

      Except of course altering bios boot queue and shifting it to USB and booting say an Ubuntu image to fix and clear the hard disk drive. So still pretty much targeted at amateurs. Infected computer, once discovered, immediately reboot from a secure stable OS image on a thumb drive, Linux preferable as way too expensive to pay for a second copy of windows just for emergency boots. Then have a good hard look at what is going on with regard to that OS image on the hard disk drive, what files are where and, what they actually are. That lesson was learnt many years ago, getting caught deleting bad stuff only to have it reappear on reboot was to be expected. So normal tactic was to have a non aggressive look around, see what protective software was actually doing and based upon that do a reboot to CD and fix the problems on the hard disk drive, with thumb secure response and repair thumb drives properly set up, the fix is much easier now.

      Another satisfied Microsoft customer?

    20. Re:You mean, ensures detection by mysidia · · Score: 1

      So you know for a fact you've found a bit of malware, but as soon as you probe it to find its secrets it kills itself.

      This is not something that would thwart sandbox analysis, however...

      In fact... as soon as the software does something, you know that there is actually malicious software, then you can in a single click roll it back, skip the instruction, and run again!

      Doing things aids analysis..... it's software that detects an analysis environment and then silently changes behavior to conceal malicious operation; that is more challenging to begin to analyze, Or at least to determine the answer to one of the most important questions: Is the file malicious?

      If the MBR gets overwritten by it, then you can immediately be certain that it is malicious, and with the obvious messaging, you can be pretty confident that it is a response to detecting a debug environment.

    21. Re: You mean, ensures detection by Anonymous Coward · · Score: 0

      Except destroying an mbr does nothing in terms of a skilled forensic (or anyone with a copy of Testdisk / Recuva)...

    22. Re:You mean, ensures detection by tlhIngan · · Score: 3, Interesting

      FIXMBR only works if the bootcode is wrong or missing. It doesn't help if the entire MBR has been cleared, since the disk's partition table is also stored in that sector.

      It's curious why the virus would clear the MBR - if you have a large drive (> 2TB) or Windows 8, your hard drive uses GPT and not MBR. Sure a GPT disk has an MBR (called a "protective MBR") that basically blocks out the GPT partitions, but that's to prevent existing partitioning tools from screwing up the GPT partitions as they'll see a fully partitioned disk.

      If you have GPT, an MBR wipe out means absolutely squat - your partitioner might complain that the protective MBR is missing, but that's trivial to recreate since it basically covers the entire disk (or the first 2TB, the maximum MBR can cover).

    23. Re:You mean, ensures detection by Anonymous Coward · · Score: 0

      I found this kind of funny. I have always felt modern day viruses are more wimpy even if they do end up being more dangerous.

    24. Re:You mean, ensures detection by sg_oneill · · Score: 1

      Oh god yeah. There were some nasties back then. I still remember one that would at a random time write junk to the bios effectively permabricking the computer.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    25. Re:You mean, ensures detection by l0ungeb0y · · Score: 2

      Damn, that receptionist must have been seriously hot

    26. Re: You mean, ensures detection by Anonymous Coward · · Score: 4, Funny

      Yeah, he was.

    27. Re:You mean, ensures detection by someone1234 · · Score: 1

      I don't think any expert antivirus writer would be delayed by this. This sounds more like simple dickery.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    28. Re:You mean, ensures detection by Waccoon · · Score: 3, Insightful

      Yup, my Amiga days were the first thing to come to mind.

      Upon reading the headline, my first thought was that the virus was wiping out the firmware, which really kills most devices as hardly anything has a ROM backup. Overwriting system files? Yawn.

    29. Re:You mean, ensures detection by Anonymous Coward · · Score: 1

      I lived through the early times of computing and Windows 95 was a lot more stable for me than Windows 3.1, especially when doing the things that computers were most commonly used for in those days: playing games and typing documents. I dreaded the General Protection Fault.

      In my memory, DOS was more stable, but I'd still prefer 3.1. In DOS you needed to quit the current application in order to consult data in a file the current application couldn't read, which was frankly as annoying, and I spent countless hours editing irritating batch files just trying to get some recalcitrant program to work.

    30. Re:You mean, ensures detection by Anonymous Coward · · Score: 0

      We used to have a receptionist who put so much crap on her PC that every couple of months when she decided she'd broken it enough, they'd just re-image it.

      Why nobody ever told her to stop putting that crap on in the first place I'll never understand.

      Why anybody let her put so much crap on it, is the question. Anybody can make a mistake - screw up something once or twice. Screw up any more, and she can wonder why she can't install anything on the company PC because her user doesn't have any admin rights anymore.

      Or even better, the cost of re-imaging is deducted from her salary. Similar to how you would make someone pay if they wreck an office chair every month. And if she tries to avoid that cost by 'not complaining' and ends up unable to do her job due to an unusable PC - fire her.

    31. Re: You mean, ensures detection by ArsenneLupin · · Score: 2

      We used to have a receptionist who put so much crap on her PC

      Damn, that receptionist must have been seriously hot

      Yeah, he was.

      :-)

      Apart from that, female sysadmins (or company owners) do exist...

    32. Re:You mean, ensures detection by ArsenneLupin · · Score: 4, Interesting

      This sounds like some high school student prank.

      Speaking of high-school pranks. One funny MBR-related thing we did back in the day was creating a loop in the chain of logical partitions (the MBR can only define 4 primary partitions. If you want more than 4 partitions, you created an extended partition which contains a linked list of logical partitions. And we made this linked list loop back to its beginning).

      Windows (or DOS) versions back in the day were so buggy that they didn't notice the loop, and kept scanning, and scanning, and scanning until they reached the end of the list (which happened never, because it was a loop).

      Result: unbootable machine. Even from a floppy. Because the DOS on the floppy was also doing the inventory of all storage media attached to the machine and stumbled upon the same partition loop. And if you removed the (internal) hard disk, well, then you couldn't obviously reinstall Windows on it.

      The only fix was to boot Linux from a floppy, and remove the loop from there. However, back in the day Linux was still obscure enough that the "powers that be" didn't know about this fix...
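As a defensive illustration of the partition loop described above, here is added example code (not from the post, and not from any DOS, Windows or Linux tool mentioned in the thread) that walks an MBR's extended-partition chain on a constructed 64-sector disk image and stops as soon as an EBR it has already visited comes round again. The layout, sizes and function names are assumptions made for the example.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS, Win95-LBA and Linux extended partition types


def _entry(ptype, start_lba, sectors):
    """Pack one 16-byte partition entry (CHS fields left zero, LBA fields set)."""
    return struct.pack("<B3xB3xII", 0x00, ptype, start_lba, sectors)


def _boot_sector(entries):
    """Build a 512-byte MBR/EBR: up to four entries at offset 446 plus the 0x55AA signature."""
    sec = bytearray(SECTOR)
    for i, ent in enumerate(entries[:4]):
        sec[446 + 16 * i: 446 + 16 * (i + 1)] = ent
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def _entries(sector):
    """Decode the non-empty entries of a boot sector as (type, start_lba, sectors)."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    found = []
    for i in range(4):
        ptype, start, count = struct.unpack_from("<4xB3xII", sector, 446 + 16 * i)
        if ptype:
            found.append((ptype, start, count))
    return found


def _read_sector(image, lba):
    off = lba * SECTOR
    if off + SECTOR > len(image):
        raise ValueError(f"LBA {lba} lies beyond the end of the image")
    return image[off:off + SECTOR]


def list_partitions(image, max_logical=128):
    """Return (partitions, loop_detected), each partition as (type, start_lba, sectors).

    Primary entries come straight from sector 0.  For an extended partition the EBR
    chain is followed: a non-extended entry in an EBR is a logical partition whose
    start is relative to that EBR; an extended-type entry links to the next EBR,
    relative to the extended partition's base.  Every EBR LBA visited is remembered,
    so a chain that links back to an earlier EBR is reported instead of scanned forever.
    """
    partitions, loop_detected = [], False
    for ptype, start, count in _entries(_read_sector(image, 0)):
        if ptype not in EXTENDED_TYPES:
            partitions.append((ptype, start, count))
            continue
        ext_base, ebr_lba, seen = start, start, set()
        while True:
            if ebr_lba in seen:                      # the prank: the list bites its own tail
                loop_detected = True
                break
            if len(seen) >= max_logical:
                raise ValueError("EBR chain longer than max_logical")
            seen.add(ebr_lba)
            next_ebr = None
            for etype, rel, cnt in _entries(_read_sector(image, ebr_lba)):
                if etype in EXTENDED_TYPES:
                    next_ebr = ext_base + rel
                else:
                    partitions.append((etype, ebr_lba + rel, cnt))
            if next_ebr is None:                     # legitimate end of the chain
                break
            ebr_lba = next_ebr
    return partitions, loop_detected


def build_image(loop):
    """Constructed 64-sector image: an NTFS primary at LBA 1 and an extended partition at
    LBA 20 holding two logical partitions.  With loop=True the second EBR's link entry
    points back to the first EBR (offset 0 from the extended base)."""
    img = bytearray(64 * SECTOR)
    ext_base = 20
    img[0:SECTOR] = _boot_sector([_entry(0x07, 1, 19), _entry(0x05, ext_base, 40)])
    # EBR 1 at LBA 20: logical volume at LBA 21 (9 sectors), next EBR at ext_base + 10 = LBA 30
    img[20 * SECTOR:21 * SECTOR] = _boot_sector([_entry(0x07, 1, 9), _entry(0x05, 10, 10)])
    # EBR 2 at LBA 30: logical volume at LBA 31 (9 sectors); link back to LBA 20, or no link
    tail = [_entry(0x07, 1, 9)] + ([_entry(0x05, 0, 10)] if loop else [])
    img[30 * SECTOR:31 * SECTOR] = _boot_sector(tail)
    return bytes(img)


if __name__ == "__main__":
    for flag in (False, True):
        parts, looped = list_partitions(build_image(loop=flag))
        print(f"loop={flag}: partitions={parts} loop_detected={looped}")
```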

    33. Re:You mean, ensures detection by hairyfeet · · Score: 1

      I take it they never heard of the "Fix MBR" command?

      That said any PC shop worth its salt will just pull the drive, try to save any personal data by mounting it as a data drive, then just reinstall the system. Since all this does is wipe MBR it's really not a threat, not like TFA makes it sound which is that it bricked PCs.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    34. Re: You mean, ensures detection by Anonymous Coward · · Score: 0

      Yeah, he was.

      how was this not modded up. genius.

    35. Re:You mean, ensures detection by Mashiki · · Score: 1

      Of course we already know that this virii/trojan/whatever you want to call it isn't messing around with the partition table, so your point is moot. Since fixmbr can rebuild even a ruined boot sector or bad boot code, that solves the majority of the issue in question. Deleting the partition table however would cause more of an issue for most people, since most people have no idea how to rebuild a partition table manually.

      --
      Om, nomnomnom...
    36. Re: You mean, ensures detection by Flavianoep · · Score: 1

      We used to have a receptionist who put so much crap on her PC

      Damn, that receptionist must have been seriously hot

      Yeah, he was.

      :-)

      Apart from that, female sysadmins (or company owners) do exist...

      Yeah, they do exist, but women are less susceptible to hormones, so it's more likely that if the receptionist were a male, the sysadmins (or company owners) would be gay.

      --
      Linux is for people who don't mind RTFM.
    37. Re: You mean, ensures detection by alex67500 · · Score: 1

      ACs get less upmods than real accounts... but you're right, it made me laugh :-)

    38. Re:You mean, ensures detection by Anonymous Coward · · Score: 0

      > And it got even nastier when it spotted someone was trying to understand how it worked

      From the headline...

    39. Re:You mean, ensures detection by LordLimecat · · Score: 2

      An IT department equipped to do reimaging is probably equipped with at least one IT guy dedicated to security who would want to find out what happened and how to prevent it.

    40. Re:You mean, ensures detection by Wraithlyn · · Score: 1

      > Windows (or DOS) versions back in the day were so buggy that they didn't notice the loop

      That's your idea of "buggy"? Intentional sabotage causing issues?

      That's rather like saying your car is buggy for not working when you disconnect the sparkplugs.

      --
      "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
    41. Re:You mean, ensures detection by drinkypoo · · Score: 2

      That's your idea of "buggy"? Intentional sabotage causing issues?

      Rule 1: Always check your inputs.

      Rule 2: It comes after rule 1.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    42. Re: You mean, ensures detection by Anonymous Coward · · Score: 0

      Because it's dense. The gender of the secretary is established in the original post with the story...

      Why nobody ever told her to stop putting that crap on in the first place I'll never understand.

    43. Re: You mean, ensures detection by Anonymous Coward · · Score: 1

      Except for the fact that the grandparent specifically mentioned that this was a female receptionist five fucking times, numbnuts!

      SJW Epic Fail! DIAF!

    44. Re: You mean, ensures detection by Anonymous Coward · · Score: 0

      Yep. Pure fucking genius to ignore five separate mentions that this was a fucking female receptionist.

      Asshole, if I had mod points right now both you and the dipshit above would be getting -1, you fucking SJW Trolls.

    45. Re:You mean, ensures detection by Anonymous Coward · · Score: 0

      Sounds like the place I work at. Instead of telling people no and making them accountable, they just installed a draconian piece of software on all the PCs that won't let you install or run anything in its white list. Very annoying for someone in IT that installs and evaluates different programs all the time. It takes forever to get the approvals and then you usually have to go back to them 5 or 6 times because it blocks the thing from running after it is installed.

    46. Re: You mean, ensures detection by Anonymous Coward · · Score: 0

      [citation needed]

    47. Re:You mean, ensures detection by tlhIngan · · Score: 3, Informative

      Of course we already know that this virii/trojan/whatever you want to call it isn't messing around with the partition table, so your point is moot. Since fixmbr can rebuild even a ruined boot sector or bad boot code, that solves the majority of the issue in question. Deleting the partition table however would cause more of an issue for most people, since most people have no idea how to rebuild a partition table manually.

      From the Cisco link, it does wipe the partition table. In this case, MBR doesn't mean just initial boot code, but the whole boot sector of the system, which contains the partition table as well. (Probably one of those legacy PC things we're still living with... most other sane systems generally move the boot code or the partition table elsewhere.).

      Basically it rewrites sector 0.

      Which on a modern Windows system, does squat since we're using EFI boot which no longer does the sector chainboot the old BIOS does. Plus, modern systems don't use MBR partitioning, they use GPT, which while having an MBR, the MBR is marked as protective so MBR aware tools won't try to inadvertently create a MBR partition table over the GPT one.

      GPT tools can easily rebuild the protective MBR without even reading the GPT since the protective MBR partition is fixed type, and spans the whole disk (or first 2TB, maxing out MBR).

    48. Re:You mean, ensures detection by slashmydots · · Score: 1

      I agree. Analyze the virus without running it. Let's see it defend itself then.

    49. Re:You mean, ensures detection by Anonymous Coward · · Score: 1

      In most versions of Windows, a disagreement between the MBR and the GPT results in the MBR being used instead.

    50. Re: You mean, ensures detection by Anonymous Coward · · Score: 0

      Someone apparently doesn't know the difference between a troll and a joke. Or maybe you've just got sand up your ass. Someone jizz in your wheaties this morning?

    51. Re:You mean, ensures detection by Hamsterdan · · Score: 1

      Tchernobyl? learned how to hot-flash a BIOS thanks to that one...

      --
      I've got better things to do tonight than die.
    52. Re: You mean, ensures detection by Anonymous Coward · · Score: 0

      The fedora is strong on this one.

    53. Re:You mean, ensures detection by Triklyn · · Score: 1

      no simple about it. it sounds like monumental, epic dickery.

    54. Re: You mean, ensures detection by Flavianoep · · Score: 1

      The fedora is strong on this one.

      No, I don't use Fedora. I've tried some times, but I've been choosing Mandrake (or its successors) since 2005, and now I use Mageia.

      --
      Linux is for people who don't mind RTFM.
    55. Re:You mean, ensures detection by Maritz · · Score: 1

      Why nobody ever told her to stop putting that crap on in the first place I'll never understand.

      If only there were some way of stopping people from installing shit on their work computers. ;)

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    56. Re: You mean, ensures detection by RockDoctor · · Score: 1

      So the hot female receptionist had the hot female sysadmin sucking up to her ( I chose my words carefully) by repairing her computer instead of caning her pert little behind (I choose, etc) and telling her she's a naughty girl and to never do that again.

      Perfectly reasonable scenario. I'm sure I've seen it in some of those "training videos".

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    57. Re:You mean, ensures detection by Agripa · · Score: 1

      That is pretty evil.

      Being a hardware guy, I would have tried either pinning one of the ATA I/O bits to corrupt the data during enumeration or disabling the ATA interface until after DOS is booted. Back then I had an ISA ATA interface card which was just discrete logic bus transceivers, buffers, and some simple decoding logic which could do either easily. I used it for debugging ATA interfaces.

      The ATA interface was originally a buffered version of the ISA bus with some decoding. You can build one with a few TTL logic ICs.

  2. Virtual machine template by Kobun · · Score: 2

    This seems like it would be incredibly simple to analyze the second time around. Offline backup into a VM and snapshotting would render the auto-destruct very educational.

    1. Re:Virtual machine template by Anonymous Coward · · Score: 0

      From reading the article though, it looks like there are routines within Windows that would identify whether or not it is sandboxed, being potentially in a VM. If that is the case, this would be one of the checks this virus looks for, and will respond systematically to. Potential for virus study possibly failed as it might kill itself, or your OS instance....?!?

      Either way, this is a very interesting bit of virus design, and fairly nasty!

    2. Re:Virtual machine template by Anonymous Coward · · Score: 0

      One of the security researches is Alex Chiu?

      Huh.

    3. Re:Virtual machine template by ArsenneLupin · · Score: 1

      Couldn't you patch the VM software to hide the VM APIs which make it recognizable as such?

    4. Re:Virtual machine template by Anonymous Coward · · Score: 0

      Any decent OS will detect it's running in a VM and start doing things differently. If you can't detect the VM itself, you'll know when the OS is catering to running in a VM.

    5. Re:Virtual machine template by Anonymous Coward · · Score: 0

      Even entry level malware solutions implement 'antis' and simply will not run on virtual machines. Coincidentally, fooling your physical machine into reporting it is a virtual machine is a fiendishly clever way to trigger the malware anti-logic and prevent a huge majority of malware from running. (my company's) internal malware research has demonstrated time and time again that the most effective way to thwart most malware is to trick it into thinking your physical machines are actually virtual machines.

  3. This was foretold... by damn_registrars · · Score: 4, Funny
    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  4. "Kills Off PCs" -- Um, no it doesn't. by Anonymous Coward · · Score: 1

    Did the submitter even bother to read the article?? It can affect a *very* narrow range of Windows PCs, all of which can be restored by replacing any modified files.

    1. Re:"Kills Off PCs" -- Um, no it doesn't. by Bomarc · · Score: 1

      Did the submitter even bother to read the article??

      Actually he did. The article has the quote "kill off"... (I was going to post the same thing when the article was in Firehose -- but decided not to) however if you read the article the PC isn't killed (reality nothing is) just the MBR is nuked. Anyone ever hear of "backup" ?

      The only thing "exciting" about this one is the detection that is being removed ... then it removed the MBR. But there is no elaboration on this action.

    2. Re:"Kills Off PCs" -- Um, no it doesn't. by BoogieChile · · Score: 1

      > It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable. If the malware does not have permissions to overwrite the MBR, it will instead destroy all files in the user’s home folder (e.g. C:\Documents and Settings\Administrator\) by encrypting each file with a randomly generated RC4 key. After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted. The MBR also contains information about the disk partitions. The altered MBR overwrites the bytes for these partitions with Null bytes, making it even more difficult to recover data from the sabotaged hard drive.

      I know somebody around here who didn't even read the article....

    3. Re:"Kills Off PCs" -- Um, no it doesn't. by ArsenneLupin · · Score: 1

      The MBR also contains information about the disk partitions. The altered MBR overwrites the bytes for these partitions with Null bytes, making it even more difficult to recover data from the sabotaged hard drive.

      Nowadays, most drives only contain a single partition (especially those of unsophisticated users), so even that is easy to recover. Or else, look for signatures of partition boot sector in the likely places (aligned on a cylinder start).
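Added example code (not from any post, and not from TestDisk, bootrec or any other tool named in the thread) covering both recovery routes argued above: for a GPT disk it regenerates the fixed protective MBR that comment 47 describes, and for an MBR disk with a nulled sector 0 it does what this comment suggests, scanning for NTFS boot-sector signatures and rebuilding partition entries from them. The constructed images, their layout and the function names are assumptions; on a real disk the scan would be restricted to 63- or 2048-sector alignment as the `step` parameter allows.

```python
import struct

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"     # first 8 bytes of the GPT header at LBA 1


def _entry(ptype, start_lba, sectors, chs_start=b"\0\0\0", chs_end=b"\0\0\0"):
    """Pack one 16-byte MBR partition entry."""
    return struct.pack("<B3sB3sII", 0x00, chs_start, ptype, chs_end, start_lba, sectors)


def _mbr(entries):
    """Build a 512-byte MBR containing the given entries and the 0x55AA signature."""
    sec = bytearray(SECTOR)
    for i, ent in enumerate(entries[:4]):
        sec[446 + 16 * i: 446 + 16 * (i + 1)] = ent
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def parse_table(sector0):
    """Decode the non-empty entries of an MBR as (type, start_lba, sectors)."""
    found = []
    for i in range(4):
        ptype, start, count = struct.unpack_from("<4xB3xII", sector0, 446 + 16 * i)
        if ptype:
            found.append((ptype, start, count))
    return found


def find_ntfs_volumes(image, step=1):
    """Scan the image for NTFS boot sectors: OEM ID "NTFS    " at offset 3 and 0x55AA at
    offset 510.  NTFS stores TotalSectors at offset 40 and keeps a backup boot sector one
    sector past it, so the partition spans TotalSectors + 1 sectors; the scan skips over
    each volume found so the backup copy is not reported as a second volume."""
    hits, total, lba = [], len(image) // SECTOR, 0
    while lba < total:
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[3:11] == b"NTFS    " and sec[510:512] == b"\x55\xaa":
            bytes_per_sector = struct.unpack_from("<H", sec, 11)[0]
            total_sectors = struct.unpack_from("<Q", sec, 40)[0]
            if bytes_per_sector == SECTOR and total_sectors:
                hits.append((lba, total_sectors + 1))
                lba += total_sectors + 1
                continue
        lba += step
    return hits


def rebuild_sector0(image):
    """Return (new_sector0, kind) for an image whose sector 0 was overwritten with nulls.

    GPT disk: the protective MBR is one type-0xEE entry from LBA 1 to the end of the
    disk, capped at 2^32 - 1 sectors, with the conventional CHS values.
    MBR disk: one type-0x07 entry per NTFS boot sector located by scanning.
    """
    total = len(image) // SECTOR
    if image[SECTOR:SECTOR + 8] == GPT_SIGNATURE:
        size = min(total - 1, 0xFFFFFFFF)
        return _mbr([_entry(0xEE, 1, size, b"\x00\x02\x00", b"\xff\xff\xff")]), "gpt"
    volumes = find_ntfs_volumes(image)
    if not volumes:
        raise ValueError("no GPT header at LBA 1 and no NTFS boot sector found")
    return _mbr([_entry(0x07, start, count) for start, count in volumes[:4]]), "mbr"


def _ntfs_boot_sector(total_sectors):
    """Minimal constructed NTFS boot sector: jump, OEM ID, BPB fields used above, signature."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x52\x90"
    sec[3:11] = b"NTFS    "
    struct.pack_into("<H", sec, 11, SECTOR)   # bytes per sector
    sec[13] = 8                               # sectors per cluster
    struct.pack_into("<Q", sec, 40, total_sectors)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def build_wiped_mbr_disk():
    """Constructed 8192-sector image: one NTFS volume at LBA 2048 of 4096 sectors,
    sector 0 left as nulls, backup boot sector at the volume's last sector."""
    img = bytearray(8192 * SECTOR)
    start, size = 2048, 4096
    boot = _ntfs_boot_sector(size - 1)
    img[start * SECTOR:(start + 1) * SECTOR] = boot
    img[(start + size - 1) * SECTOR:(start + size) * SECTOR] = boot
    return bytes(img)


def build_wiped_gpt_disk(total=8192):
    """Constructed GPT image: only the header signature at LBA 1 is needed here."""
    img = bytearray(total * SECTOR)
    img[SECTOR:SECTOR + 8] = GPT_SIGNATURE
    return bytes(img)


if __name__ == "__main__":
    for disk in (build_wiped_mbr_disk(), build_wiped_gpt_disk()):
        sector0, kind = rebuild_sector0(disk)
        print(kind, parse_table(sector0))
```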

  5. HCF by Anonymous Coward · · Score: 0

    It could be worse, it could use the "Halt and Catch Fire" instruction.

  6. meh by Revek · · Score: 1

    Take the drive out and scan it in a dock. Side load the drive's registry and scan it. It's happened before for less capitalist reasons.
    CIH

  7. Should have gone ninja... by BoogieChile · · Score: 1

    As soon as it detects attempts to analyse it, it deletes itself completely, so the victim is left never knowing if it was really there or not.

  8. Is that all??? by EmeraldBot · · Score: 3, Interesting

    Of all the destructive things one could do, it rewrites the MBR? That's it? That's fairly easy to fix, and your data is still easily intact by copying it with a second machine.

    To be honest, a much more dangerous one would be one that sits dormant for, oh, say six months or so. In doing that, it gets itself into all of your backups (if you have any), and now you're going to have trouble separating your data from the virus. If it then activates a random amount of days (1-14) after being restored, it's not obvious which backups are infected and which ones aren't.

    Of course, this is all purely theoretical, and I highly discourage anyone from actually implementing this - it's just an idea...

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    1. Re:Is that all??? by Anonymous Coward · · Score: 0

      There are countless variations, some more evil than others. I won't even attempt to think of more, though in general if you have someone clever enough to code it, then they are likely clever enough to think of it. While I don't agree with the idea of preventing a user from running whatever code he wants to run, I do agree with signed code. I want to know that only code that has been signed by a trusted authority runs at least at startup/boot/etc. That doesn't mean the code isn't open source. There could be exact directions to take the open source and produce the same binary. You may even want a popup every time you run any unsigned binary, though that kind of thing might need to be turned off on devs machines or a whitelist made. Selinux and similar is a part of the key, even though I admit to not spending much time learning it. Still, just because a process such as a game runs as user X, does not mean it should have access to the entire realm of user X. As part of the signing process we should have the programs limits delineated. For instance a game may choose to open tcp/udp sockets and modify files located in say /c/Users//Application Data/GameSoft/XYZ/savedGameData and that is it, other than adding itself to the menu. Everything it needs to access should be linked against the signature, and it should not be greedy. Unless there is a really good reason, it should resist temptations to run any other application such as web browsers with specified sites, since by doing so you might have to expand the limit on web browser permissions, such as opening arbitrary html or similar files locally, or possibly opening up the links it thinks it should after someone has owned that web site. It may even become to the point worthwhile where every process runs in essentially a secured locked down time space hypervisor section of the OS, so there is clear delineation between them and cut/paste/etc is very well regulated.
      (The overall hypervisor/permission system/etc would then enforce the separation called for in the signed code.)

      Of course doing all of these things will make certain things harder and support more expensive. I'm just not sure we will be able to throw out any stops when it comes to computer security in the future. We basically need to assume every executable is an active and dangerous virus/worm, or at the least has the potential to become one once an exploit is found, and make sure that even if/when it happens we have contained and limited the damage. Even development should likely use that idea, since we can at least segregate our development code from anything we don't trust as much as it, making sure it remains secure/protected/etc.

    2. Re:Is that all??? by mlts · · Score: 1

      I wouldn't be surprised to see far worse things come down the pipe, especially malware that exploited domain admin rights to compromise the entire AD forest.

      However, we have one big defense against all of this: Virtualization. Not just VM farms, but VDI (so a compromised desktop can just be rolled back to a known good snapshot almost instantly.) If the malware can't touch hardware, it can still destroy/corrupt files, but VMs have a lot more tools available for mitigating/reversing such attacks, even if it is just a simple snapshot of files taken daily which persists a week before expiring. Of course, snapshots are not backups, but they are a tool to help with RTO/RPO.

      Another defense is separation. The AD domain used for authenticating to the NetBackup server, SAN, and tape drive is completely separate from the AD forest used for day to day user work. This way, a domain or enterprise admin account that gets compromised on a user's desktop cannot be used to destroy all data on a silo, SAN, or NAS. It will still be pure hell rebuilding the AD structure if malware does use it as a propagation vector, but at least the core appliances won't be affected.

      Of course, the final defense is good backup and archival policies. For example, a backup is done daily, and is kept 7-14 days. Another backup is done weekly, kept 4-8 weeks. A monthly backup is fired off, kept 12-24 months, and a quarterly backup is kept 7-20 years on WORM media. Of course, offsite and verification policies go without saying as well. It also doesn't hurt to run a hash of stored files and cryptographically sign that on an offline machine, just as a last resort for detecting tampering.

      I have a feeling we will not just see more destructive attacks, but more subtle ones. A simple change in a purchase order can bankrupt a company. So, because this actually hurts businesses (as opposed to the previous "copy data and leave everything alone" intrusions of the past), we might see actual money spent for handling data integrity as part of enterprise security.
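
The "hash of stored files, signed on an offline machine" idea in the comment above, worked through as an added example (not code from the thread or from any vendor product named in it). It builds a per-file SHA-256 manifest of a backup tree, signs the manifest, and later verifies both the signature and every hash, reporting modified, missing and unexpected files. The HMAC key stands in for the offline signing key and the tiny two-file backup set is constructed inline; both are assumptions for the demo, as are all function names.

```python
"""Integrity manifest for a backup set: hash every file, sign the manifest
with a key that lives on an offline machine, and later verify both the
signature and the per-file hashes to detect silent tampering."""
import hashlib
import hmac
import json
import os
import tempfile

HASH_ALGO = "sha256"


def hash_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup files fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, POSIX-style path) to its digest."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = hash_file(full)
    return {"algo": HASH_ALGO, "files": entries}


def sign_manifest(manifest, key):
    """HMAC over a canonical JSON encoding. A real deployment would use a
    public-key signature made on the offline box; HMAC keeps the demo stdlib-only."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, "sha256").hexdigest()


def verify_backup(root, body, tag, key):
    """Return (ok, findings); findings lists every discrepancy found."""
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), tag):
        return False, ["manifest signature invalid"]
    expected = json.loads(body)["files"]
    actual = build_manifest(root)["files"]
    findings = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            findings.append("missing: " + rel)
        elif rel not in expected:
            findings.append("unexpected: " + rel)
        elif expected[rel] != actual[rel]:
            findings.append("modified: " + rel)
    return not findings, findings


def demo():
    """Constructed sample: two files, sign, then alter one and re-verify."""
    key = b"constructed-demo-key-kept-offline"  # placeholder, not a real secret
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "orders"))
        with open(os.path.join(root, "orders", "po-1001.txt"), "w") as f:
            f.write("PO 1001: 40 units to Vendor A\n")
        with open(os.path.join(root, "ledger.csv"), "w") as f:
            f.write("date,amount\n2015-05-05,1200\n")
        body, tag = sign_manifest(build_manifest(root), key)
        clean = verify_backup(root, body, tag, key)
        # The subtle attack the comment fears: one quietly edited purchase order.
        with open(os.path.join(root, "orders", "po-1001.txt"), "w") as f:
            f.write("PO 1001: 400 units to Vendor A\n")
        tampered = verify_backup(root, body, tag, key)
        # A manifest whose signature does not check out is rejected outright.
        forged = verify_backup(root, body, "00" * 32, key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

The manifest and its tag must be stored somewhere the backup host cannot rewrite (the WORM media or the offline machine itself); if an attacker who can alter the files can also re-sign the manifest, the check proves nothing.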

    3. Re:Is that all??? by rudy_wayne · · Score: 1

      So, because this actually hurts businesses . . . we might see actual money spent for handling data integrity as part of enterprise security.

      You obviously don't have any understanding of business in the real world.

    4. Re:Is that all??? by Anonymous Coward · · Score: 0

      AC here. I've seen a lot of businesses pay little to no heed to data integrity. Banks do, but you would be surprised at how a good number of firms (from SOHO/SMB shops to larger) pay only lip service to security, since security is perceived as having no ROI (and for businesses, ROI is everything in the real world.)

      Oftentimes, files are stashed on a NAS which might do filesystem snapshots every so often.

      Just a simple security breach that compromises/destroys the SAN fabric or kills the NAS can cause a lot of companies to not be able to function, nor be able to recover to a functional state. This happened about 10 years ago to a textbook store in the city where I live, where they lost their core document storage, and then went under, because their backups were not functioning (or perhaps didn't exist.)

      Of course, doing it "right" isn't that hard. As the GP stated, a large enterprise can afford TSM/Netbackup/MS DPM, and have a backup profile to toss critical documents onto WORM tape (LTO-5 WORM tapes are $30 a pop, so this isn't going to break the bank.) However, it usually isn't done because it costs money to have it implemented.

      I guess I don't have any understanding of business in the real world either, since some people's worlds have 100% secure and perfect backups in their enterprises with every company spending what they can to ensure this... but oh well.

    5. Re:Is that all??? by wbo · · Score: 1

      Of all the destructive things one could do, it rewrites the MBR? That's it? That's fairly easy to fix, and your data is still easily intact by copying it with a second machine.

      On top of that, on modern UEFI-based systems the MBR doesn't do anything anyway (it is just there to prevent older partition tools from messing with the disk). It wouldn't surprise me at all if a variant of this appeared that attempts to wipe all copies of the partition information on GPT disks as well, making it potentially more dangerous.

      Also it looks like if it can't write to the MBR, it proceeds to encrypt all files in a user's profile with a random key which I would consider to be significantly more destructive.
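
The point about GPT keeping more than one copy of the partition information, shown as an added example (not code from the thread): the UEFI layout places a primary header at LBA 1 and a backup header in the last sector, each with a CRC32 over itself and over the partition entry array. The checker below validates the primary header and, if it has been overwritten the way an MBR wiper would leave it, falls back to the backup, so a responder can recover the partition layout without the original. The disk image is constructed inline (2048 sectors, one partition named "Data"); the layout constants follow the UEFI specification, while the function names and the image itself are assumptions for the demo.

```python
"""Validate a GPT image: check the primary header at LBA 1 and, if it is
damaged, fall back to the backup header UEFI keeps in the last sector."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIIIIQQQQ16sQIII"          # 92-byte GPT header, little-endian
HDR_SIZE = struct.calcsize(HDR_FMT)     # 92
ENT_FMT = "<16s16sQQQ72s"               # 128-byte partition entry
N_ENTRIES, ENT_SIZE = 128, 128
ARRAY_SECTORS = N_ENTRIES * ENT_SIZE // SECTOR   # 32 sectors of entries


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def make_header(cur, bak, first, last, guid, ent_lba, entries):
    """Pack a header; the CRC field is computed with itself zeroed."""
    hdr = struct.pack(HDR_FMT, GPT_SIG, 0x00010000, HDR_SIZE, 0, 0, cur, bak,
                      first, last, guid, ent_lba, N_ENTRIES, ENT_SIZE,
                      crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", crc32(hdr)) + hdr[20:]
    return hdr.ljust(SECTOR, b"\0")


def make_disk(total_sectors=2048):
    """Constructed sample image: protective-MBR stub, one 'Data' partition, and
    primary/backup GPT structures where the UEFI spec places them."""
    first, last = 2 + ARRAY_SECTORS, total_sectors - 2 - ARRAY_SECTORS
    entry = struct.pack(ENT_FMT, uuid.uuid4().bytes_le, uuid.uuid4().bytes_le,
                        first, last, 0, "Data".encode("utf-16-le"))
    entries = entry.ljust(N_ENTRIES * ENT_SIZE, b"\0")
    guid = uuid.uuid4().bytes_le
    backup_ent_lba = total_sectors - 1 - ARRAY_SECTORS
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xAA"           # boot signature only; enough for the demo
    image = bytes(mbr)
    image += make_header(1, total_sectors - 1, first, last, guid, 2, entries)
    image += entries
    image += b"\0" * ((backup_ent_lba - 2 - ARRAY_SECTORS) * SECTOR)  # data area
    image += entries
    image += make_header(total_sectors - 1, 1, first, last, guid,
                         backup_ent_lba, entries)
    assert len(image) == total_sectors * SECTOR
    return image


def check_header(image, lba):
    """Return (info, None) if the header at lba and its entry array are sound,
    otherwise (None, reason)."""
    sector = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(sector) < HDR_SIZE:
        return None, "sector out of range"
    (sig, _rev, hsize, hcrc, _r, cur, bak, first, last, guid, ent_lba, n,
     esize, ecrc) = struct.unpack(HDR_FMT, sector[:HDR_SIZE])
    if sig != GPT_SIG:
        return None, "bad signature"
    if hsize != HDR_SIZE or esize != ENT_SIZE:
        return None, "unexpected header or entry size"
    if crc32(sector[:16] + b"\0\0\0\0" + sector[20:hsize]) != hcrc:
        return None, "header CRC mismatch"
    if cur != lba:
        return None, "header LBA field does not match its location"
    array = image[ent_lba * SECTOR:ent_lba * SECTOR + n * esize]
    if len(array) != n * esize or crc32(array) != ecrc:
        return None, "partition array CRC mismatch"
    parts = []
    for i in range(n):
        ptype, _pguid, pfirst, plast, _attr, name = struct.unpack(
            ENT_FMT, array[i * esize:(i + 1) * esize])
        if ptype != b"\0" * 16:            # all-zero type GUID = unused slot
            parts.append((name.decode("utf-16-le").rstrip("\0"), pfirst, plast))
    return {"disk_guid": str(uuid.UUID(bytes_le=guid)), "alternate_lba": bak,
            "usable": (first, last), "partitions": parts}, None


def recover_gpt(image):
    """Prefer the primary header; fall back to the backup in the last sector."""
    primary, why = check_header(image, 1)
    if primary:
        return "primary", primary
    backup, why2 = check_header(image, len(image) // SECTOR - 1)
    if backup:
        return "backup", backup
    return None, {"primary": why, "backup": why2}


if __name__ == "__main__":
    img = make_disk()
    wiped = img[:SECTOR] + b"\0" * SECTOR + img[2 * SECTOR:]   # LBA 1 destroyed
    print(recover_gpt(img)[0], recover_gpt(wiped))
```

Real tooling (gdisk, sgdisk, TestDisk) does the same walk with more care about sector sizes and mismatched copies; the value of the exercise is seeing why wiping LBA 0 and LBA 1 alone leaves a GPT disk recoverable, and why a wiper that also hits the last sector does not.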

  9. Just a different way to be DickWare by Tablizer · · Score: 1

    How is this different than a PC with a non-closable prompt that says, "Your PC is infected. Enter your credit card number to order our cleaning software"?

    I suppose it could be even worse by deleting all your files and THEN locking up.

  10. Very strange by Anonymous Coward · · Score: 0

    This seems like a good idea not very well thought through.

    People legitimately attempting to dissect the virus will be using a virtual machine or a physical machine booted onto a template OS image.
    This achieves very little.

    On the other hand, this code _will_ be false positive triggered, resulting in raising the awareness of the virus sample and drawing more attention to it.

  11. Re:The prison virus by Anonymous Coward · · Score: 0

    Sounds like all of the 1833+ American prisons.

  12. Re:They should call it... by Anonymous Coward · · Score: 0

    Fuck off back to 8chan,stormfag

  13. Details? by Anonymous Coward · · Score: 0

    How about some details of exactly what files are deleted?
    Why does it sound like this person is referring to AI?
    It's only a matter of time that someone would put a little more logic into a virus to defend itself.

  14. Another "news for tabloids" article. by edibobb · · Score: 4, Informative

    A computer is not "destroyed" if you have to repair the MBR or reinstall Windows. It may be a pain to do, but the computer itself is fine.

    1. Re:Another "news for tabloids" article. by ArsenneLupin · · Score: 3, Informative

      A computer is not "destroyed" if you have to repair the MBR or reinstall Windows.

      Not to mention, you don't have to re-install Windows. You can install a proper OS instead.

      ... and if your goal is to analyze the virus, install it in a VM instead, or does it detect that one as well?

    2. Re:Another "news for tabloids" article. by CAOgdin · · Score: 1

      Of course, if you make 100% off-line backups of every computer, every night, you can roll back one or two days and be back in operation in less than an hour. BTW, this is another argument for keeping programs and data separated. I HATE "user profiles" in Windows for storing data adjacent to the O.S. We keep data elsewhere, so software can be restored without losing valuable data. (This happened just yesterday with a new software utility update that trashed the test system. We just rolled back to last night's backup, then wrote to the vendor, and in our newsletter to clients, saying: Don't Use It!)

    3. Re:Another "news for tabloids" article. by Anonymous Coward · · Score: 0

      Indeed. I thought this was going to be about something that causes physical hardware damage with smoke and flames. But no, it doesn't even corrupt the firmware. Hey ho.

    4. Re:Another "news for tabloids" article. by RockDoctor · · Score: 1

      install it in a VM instead, or does it detect that one as well?

      Since TFA (more than TFS) mentions that these various attacks are in response to the virus "realising" that it is running in a "sand box" type environment, I'd expect it to detect many un-stealthed VM environments too.

      I read TFA for about 5 minutes before I came across something remotely interesting. I got it that the malware had substantial checks to make it *harder* for an investigator (virus researcher, forensics investigator after a break-in) to understand what the virus is doing, and that the virus writer wasn't particularly interested in hiding from the user, but in avoiding being analysed by specialists. Fixing an MBR - trivial. User's home directory encrypted - well whoopie-dee, as if that's going to faze a decent investigator (they'll probably put the home directory on the network and sniff to record write instructions but not necessarily carry them out). So that's a [SHRUG]. But this:

      If Rombertik detects an instance of Firefox, Chrome, or Internet Explorer,

      So, virus writers really are getting over the IE monopoly? I hadn't noticed, not having used Windows for myself for several years, and not having used IE for even longer, if at all possible to use anything else.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"

  15. Does BBC now stand for narrow-mindedness or what? by ArsenneLupin · · Score: 0

    ... or why those stupid horse blinkers?

  16. hmm by Anonymous Coward · · Score: 0

    Was wondering what the hell happened to a laptop I tried to fix the other day. Good thing I didn't connect it to my home network...

  17. Hmmm... by Anonymous Coward · · Score: 0

    The true purpose of this virus is obviously to discredit the self-educated basement experts who maintain the computers of their friends, in the eyes of these friends. If I'm Joe the User, after one of these experts tries to clean my computer and trashes my home directory instead, I'm not going to let him anywhere near my hardware anymore.

  18. Kills PC, by making the machine unusable... by JasterBobaMereel · · Score: 2

    Does nothing to the machine at all, just attacks the operating system ...not news ...

    --
    Puteulanus fenestra mortis

    1. Re:Kills PC, by making the machine unusable... by CastrTroy · · Score: 2

      That has to be the stupidest virus on the planet. Why would you want to do this? I mean, sure, you annoy somebody for a day or so, possibly make them spend money to get it fixed, but then the problem is solved. The most successful viruses are ones that nobody knows are there. You can then spread to other machines silently without anybody knowing. Then the virus gives you remote control over the machine so you can collect valuable information. If you really just want to annoy the user and break their computer, you could probably just have the virus flash the BIOS with some invalid firmware.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

  19. I would worry about by Anonymous Coward · · Score: 0

    I guess I would worry about someone using this kind of virus to cause a distraction, and who knows (I have no idea), maybe removing the virus could be thought to somehow cover over the "tracks" of other kinds of intrusion on someone's computer.

    - not a computer scientist :)

  20. A real Mission Impossible by Anonymous Coward · · Score: 0

    Should anyone find out you're installed, your PC will self-destruct in 5 seconds. Good luck, PC user.

  21. Doesn't make sense by Anonymous Coward · · Score: 0

    Isn't malware analysed in a sandbox? If we're talking about removal tools being used on a live system, isn't that a bad idea; removal should always be carried out offline either from a live CD or from another OS.

  22. Not new. by Lumpy · · Score: 1

    There was one that would attempt to find the BIOS flash and write FFFF to the first 2 bytes making the computer never boot again until the flash was pulled and re-written.

    --
    Do not look at laser with remaining good eye.

  23. Hosts help here (stop data theft) by Anonymous Coward · · Score: 0

    Per my subject: Add the C&C servers to your custom hosts file (as blocked using 0.0.0.0):

    0.0.0.0 www.centozos.org.in
    0.0.0.0 centozos.org.in
    0.0.0.0 org.in

    * They WILL "stall it" in its TRUE intended purpose: Data Theft (the destructive parts only apparently 'detonate' IF you attempt to debug/analyze it...) since those are the ones this malware uses.

    PERTINENT QUOTE PROOF EXCERPT:

    "Rombertik does not target any site in particular, such as banking sites, but instead, attempts to steal sensitive information from as many websites as possible. The collected data is then Base64 encoded and forwarded to www.centozos.org.in"

    Per the CISCO blog about it here that this article points to -> http://blogs.cisco.com/securit...

    APK

    P.S.=> Of course, lastly? For the BEST in protection for security (as well as more speed + reliability online) using hosts files for FAR MORE than just this threat?

    Well - you know ('shameless plug', but true):

    APK Hosts File Engine 9.0++ SR-2 32/64-bit -> http://start64.com/index.php?o...

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

    ... apk
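
A small check of what a hosts-file sinkhole like the one above actually covers, added here as an example (not code from the comment, the Cisco write-up or any of the products it plugs). Hosts files match exact hostnames only, so an entry for a parent domain does not blackhole its subdomains; the parser below normalises case and trailing dots, ignores comments, and then reports which of a list of names would still resolve normally. The sample hosts text reuses the three entries quoted in the comment, and the unlisted subdomain used to show the gap is a constructed name, not one taken from any report.

```python
"""Audit a hosts-file blocklist. Hosts files match exact names only, so an
entry for a parent domain does not cover its subdomains; this makes the gap
visible before relying on such a list."""

# Constructed sample hosts file built from the entries quoted in the comment.
SAMPLE_HOSTS = """\
# Sinkhole entries for the exfiltration host named in the Cisco write-up
0.0.0.0 www.centozos.org.in   # inline comment after an entry
0.0.0.0 centozos.org.in
0.0.0.0 org.in
"""

BLACKHOLE_ADDRS = {"0.0.0.0"}   # the comment blocks with 0.0.0.0; add "::" if used


def canonical(name):
    """DNS names are case-insensitive and a trailing dot means the same name."""
    return name.strip().lower().rstrip(".")


def parse_hosts(text):
    """Return {hostname: address} for every name in the file. One address may
    be followed by several names; '#' starts a comment; blank lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed line, nothing to map
        addr, names = fields[0], fields[1:]
        for name in names:
            table[canonical(name)] = addr
    return table


def is_blocked(hostname, table):
    """True only if this exact hostname maps to a blackhole address. Parent
    entries deliberately do not count: '0.0.0.0 org.in' on its own does not
    stop www.centozos.org.in from resolving."""
    return table.get(canonical(hostname)) in BLACKHOLE_ADDRS


def still_resolving(hostnames, table):
    """Names from the list that the hosts file would not blackhole."""
    return [h for h in hostnames if not is_blocked(h, table)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    # "example-unlisted" is a constructed label to show the subdomain gap.
    print(still_resolving(["www.centozos.org.in",
                           "example-unlisted.centozos.org.in"], hosts))
```

A hosts file also does nothing for malware that connects to a hard-coded IP address or uses its own resolver, which is why this kind of list is a cheap extra layer rather than a substitute for egress filtering at the network edge.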

  24. Destruction is in response to detection attempts by bdwoolman · · Score: 3, Informative

    This malware is very hard to detect under normal conditions. But it is outfitted with counter measures. When it detects activities that are consistent with malware detection, study and/or removal it responds in many destructive ways. It makes it difficult for a white hat to suss it. But, no, it does not give itself away by cutting up rough. It only starts the visible signs of infection when it deems the jig is up anyway.

    There is a very good (and somewhat scary) article from The Register on Rombertik.

    This is as nasty a piece of work as you will ever not wish to see anywhere near your equipment.

    --
    "No fear. No envy. No meanness." Liam Clancy

  25. NSA Please Help! by hamsterz1 · · Score: 1

    Just imagine a helpful e-mail from the NSA. Dear Sir, it has come to our attention, in scanning your e-mail, that a virus, or malware is hidden in your e-mail claiming to be from Microsoft, please delete this e-mail ASAP. Sincerely, The NSA. "We Spy Because We Care".

  26. Moderators... by ArsenneLupin · · Score: 1

    ... how can a comment about the article (linked to in the summary) be off-topic? Is there even something which could be more on-topic than a commentary about the article?

    (Even if it's just about a presentational aspect?)