Slashdot Mirror

← Back to Stories (view on slashdot.org)

Self-Destructing Virus Kills Off PCs

Posted by samzenpus on from the worst-in-class dept.

mpicpp sends word about particularly bad virus making the rounds, with this snippet from the BBC: "A computer virus that tries to avoid detection by making the machine it infects unusable has been found. If Rombertik's evasion techniques are triggered, it deletes key files on a computer, making it constantly restart. Analysts said Rombertik was 'unique' among malware samples for resisting capture so aggressively. On Windows machines where it goes unnoticed, the malware steals login data and other confidential information. Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost. Some of the messages Rombertik travels with pose as business inquiry letters from Microsoft. The malware 'indiscriminately' stole data entered by victims on any website, the researchers said. And it got even nastier when it spotted someone was trying to understand how it worked. 'Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,' the researchers said."

5 of 107 comments (clear)

  1. Re:You mean, ensures detection by gstoddart · · Score: 1, Interesting

    Honestly though, a borked Windows box often just gets re-imaged because people aren't all that surprised by one which has gone flaky.

    So, you know your machine is having problems, but that doesn't mean you know you have malware.

    And, as TFA says:

    The code replacing the MBR makes the machine print out a message mocking attempts to analyse it.

    Restoring a PC with its MBR deleted involves reinstalling Windows, which could mean important data is lost.

    Basically it sounds like there's not much left to look at.

    --
    Lost at C:>. Found at C.
  2. Is that all??? by EmeraldBot · · Score: 3, Interesting

    Of all the destructive things one could do, it rewrites the MBR? That's it? That's fairly easy to fix, and your data is still easily intact by copying it with a second machine.

    To be honest, a much more dangerous one would be one that sits dormant for, oh, say six months or so. In doing that, it gets itself into all of your backups (if you have any), and now you're going to have trouble separating your data from the virus. If it then activates a random amount of days (1-14) after being restored, it's not obvious which backups are infected and which ones aren't.

    Of course, this is all purely theoretical, and I highly discourage anyone from actually implementing this - it's just an idea...

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  3. Re:You mean, ensures detection by gstoddart · · Score: 4, Interesting

    Sure, but by which point you're doing much more involved forensics and hunting this down.

    In many companies, a misbehaving computer is just re-imaged.

    We used to have a receptionist who put so much crap on her PC that every couple of months when she decided she'd broken it enough, they'd just re-image it.

    Why nobody ever told her to stop putting that crap on in the first place I'll never understand.

    In that kind of scenario, nobody would even know she had any specific malware or what it did.

    --
    Lost at C:>. Found at C.
  4. Re:You mean, ensures detection by tlhIngan · · Score: 3, Interesting

    FIXMBR only works if the bootcode is wrong or missing. It doesn't help if the entire MBR has been cleared, since the disk's partition table is also stored in that sector.

    It's curious why the virus would clear the MBR - if you have a large drive (> 2TB) or Windows 8, your hard drive uses GPT and not MBR. Sure a GPT disk has an MBR (called a "protective MBR") that basically blocks out the GPT partitions, but that's to prevent existing partitioning tools from screwing up the GPT partitions as they'll see a fully partitioned disk.

    If you have GPT, an MBR wipe out means absolutely squat - your partitioner might complain that the protective MBR is missing, but that's trivial to recreate since it basically covers the entire disk (or the first 2TB, the maximum MBR can cover).

  5. Re:You mean, ensures detection by ArsenneLupin · · Score: 4, Interesting

    This sounds like some high school student prank.

    Speaking of high-school pranks. One funny MBR-related thing we did back in the day was creating a loop in the chain of logical partitions (the MBR can only define 4 primary partitions. If you want more than 4 partitions, you created an extended partition which contains a linked list of logical partitions. And we made this linked list loop back to its beginning).

    Windows (or DOS) versions back in the day were so buggy that they didn't notice the loop, and kept scanning, and scanning, and scanning until they reached the end of the list (which happened never, because it was a loop).

    Result: unbootable machine. Even from a floppy. Because the DOS on the floppy was also doing the inventory of all storage media attached to the machine and stumbled upon the same partition loop. And if you removed the (internal) hard disk, well, then you couldn't obviously reinstall Windows on it.

    The only fix was to boot Linux from a floppy, and remove the loop from there. However, back in the day Linux was still obscure enough that the "powers that be" didn't know about this fix...