Self-Destructing Virus Kills Off PCs

mpicpp sends word about particularly bad virus making the rounds, with this snippet from the BBC: "A computer virus that tries to avoid detection by making the machine it infects unusable has been found. If Rombertik's evasion techniques are triggered, it deletes key files on a computer, making it constantly restart. Analysts said Rombertik was 'unique' among malware samples for resisting capture so aggressively. On Windows machines where it goes unnoticed, the malware steals login data and other confidential information. Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost. Some of the messages Rombertik travels with pose as business inquiry letters from Microsoft. The malware 'indiscriminately' stole data entered by victims on any website, the researchers said. And it got even nastier when it spotted someone was trying to understand how it worked. 'Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,' the researchers said."

Another "news for tabloids" article.

[edibobb]

A computer is not "destroyed" if you have to repair the MBR or reinstall Windows. It may be a pain to do, but the computer itself is fine.

Re:Another "news for tabloids" article.

[ArsenneLupin]

A computer is not "destroyed" if you have to repair the MBR or reinstall Windows.

Not to mention, you don't have to re-install Windows. You can install a proper OS instead.

... and if your goal is to analyze the virus, install it in a VM instead, or does it detect that one as well?

Re:You mean, ensures detection

[tlhIngan]

Of course we already know that this virii/trojan/whatever you want to call it isn't messing around with the partition table, so your point is moot. Since fixmbr can rebuild even a ruined boot sector or bad boot code, that solves the majority of the issue in question. Deleting the partition table however would cause more of an issue for most people, since most people have no idea how to rebuild a partition table manually.

From the Cisco link, it does wipe the partition table. In this case, MBR doesn't mean just initial boot code, but the whole boot sector of the system, which contains the partition table as well. (Probably one of those legacy PC things we're still living with... most other sane systems generally move the boot code or the partition table elsewhere.).

Basically it rewrites sector 0.

Which on a modern Windows system, does squat since we're using EFI boot which no longer does the sector chainboot the old BIOS does. Plus, modern systems don't use MBR partitioning, they use GPT, which while having an MBR, the MBR is marked as protective so MBR aware tools won't try to inadvertently create a MBR partition table over the GPT one.

GPT tools can reasily rebuild the protective MBR without even reading the GPT since the protective MBR partition is fixed type, and spans the whole disk (or first 2TB, maxing out MBR).

Destruction is in response to detection attempts

[bdwoolman]

This malware is very hard to detect under normal conditions. But it is outfitted with counter measures. When it detects activities that are consistent with malware detection, study and or/and removal it responds in many destructive ways. It makes it difficult for a white hat to suss it. But, no, it does not give itself away by cutting up rough. It only starts the visible signs of infection when it deems the jig is up anyway.

There is a very good (and somewhat scary) article from The Register. on Rombertik.

This is as nasty a piece of work as you will ever not wish to see anywhere near your equipment.