Rombertik malware appears to attack hard drive and delete MBR

The battle between cybercrime and security has entered a new phase with the emergence of Rombertik, a malware that captures packets to collect personal data while the user browses the web and, if it detects that it is being analyzed by security software, attacks and overwrites the MBR (master boot record) of the computer's hard drive to remove its traces.


A new kind of computer virus that destroys itself when detected

The new malware is built to evade detection by security software. Cisco's security response team said that after infecting a user, Rombertik runs a series of anti-analysis tests to check whether it is running in a sandbox or virtual environment before decrypting itself and taking its next action.

The infographic below shows how Rombertik works. According to Cisco's analysis, 97% of the packed file consists of unused images and functions, whose only purpose is to make the malicious code look more legitimate.

[Infographic: how Rombertik works]

Rombertik starts by writing 960 million random bytes to memory, "flooding" the system log file with 100 GB of junk data. Next, the malware runs anti-analysis checks to see whether it is running in a virtual environment.

If it is not in a virtual machine environment, Rombertik decrypts itself, creates a copy, and launches it to execute its commands. The sequence of commands is not fixed and is padded with unnecessary instructions to distract security experts from analyzing and tracing Rombertik's destructive steps.

If it detects that it is running in a sandbox or virtual environment, Rombertik attempts to access the hard drive's MBR and overwrite it with null bytes; if it does not have the rights to write to the MBR, it instead encrypts all data in the C:\Documents and Settings\Administrator folder with the RC4 algorithm.

Overwriting the master boot record with null bytes makes restoring the system partition much more difficult than simply deleting the master boot record would.
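As an added example (not code from the article or from Cisco's report), the following Python checker detects the null-byte MBR overwrite described above and verifies the first sector of a disk against a trusted baseline hash; the MBR image it inspects is a constructed sample, and the layout constants assume the standard 512-byte MBR with the partition table at offset 446.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries follow

def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries; unused slots (type 0x00) are skipped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries

def check_mbr(mbr: bytes, known_good_sha256: str = None) -> dict:
    """Classify a 512-byte MBR image and compare it with a trusted baseline hash.

    On a live Windows host the image would be read with
    open(r"\\.\PhysicalDrive0", "rb").read(512), which needs administrator rights.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    findings = []
    if mbr == bytes(MBR_SIZE):
        # Every byte is null: the wipe the article attributes to Rombertik.
        findings.append("mbr_zeroed")
    else:
        if mbr[510:512] != BOOT_SIGNATURE:
            findings.append("boot_signature_missing")
        if not parse_partitions(mbr):
            findings.append("no_partitions")
    digest = hashlib.sha256(mbr).hexdigest()
    if known_good_sha256 and digest != known_good_sha256:
        findings.append("baseline_mismatch")
    return {"sha256": digest, "findings": findings,
            "partitions": [] if "mbr_zeroed" in findings else parse_partitions(mbr)}

def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one bootable NTFS partition, valid signature."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xeb\x3c\x90"  # placeholder jump, not real boot code
    struct.pack_into("<B3sB3sII", mbr, PARTITION_TABLE_OFFSET,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)
```

Record the baseline hash from a known-good boot and re-run the check periodically; a "mbr_zeroed" or "baseline_mismatch" finding is the signal to restore the sector from backup rather than repair it by hand.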

Rombertik combines traditional malicious code that collects personal data as users browse the web with a completely new mechanism for evading detection by security software. Although little is known about the author and true purpose of this malicious code, its sophisticated techniques suggest that Rombertik is likely to be used in cyber espionage and in targeted attacks.
