Rombertik malware attacks the hard drive and wipes the MBR when it detects analysis
The battle between cybercrime and security has entered a new phase with the emergence of Rombertik, a piece of malware that captures network packets to harvest personal data while the victim browses the web, and that will overwrite the MBR (master boot record) of the computer's hard drive to cover its tracks if it is being analyzed by security software.
The new malware is built to evade detection by security software. According to Cisco's threat research team, after infecting a user's machine Rombertik runs a series of anti-analysis checks to determine whether it is executing inside a sandbox or virtual environment, and only then decrypts itself and proceeds to the next stage.
The infographic below shows how Rombertik works. According to Cisco's analysis, 97% of the packed file consists of unused images and functions, padding whose only purpose is to make the malicious code look like a legitimate program.
Rombertik begins by writing a random byte to memory 960 million times, enough to "flood" the log of any analysis tool recording each write with roughly 100 GB of junk data. Next, the malware runs its anti-analysis checks to determine whether it is running in a virtual environment.
If it is not in a virtual machine, Rombertik decrypts itself, writes a copy to disk, and launches the commands that carry out its real work. These execution paths are not fixed and are interleaved with unnecessary instructions to distract security analysts from reconstructing Rombertik's destructive steps.
If it detects that it is running in a sandbox or virtual environment, Rombertik attempts to overwrite the hard drive's MBR with null bytes; if it does not have write access to the MBR, it instead encrypts all the data in the C:\Documents and Settings\Administrator folder with the RC4 algorithm.
Overwriting the master boot record with null bytes destroys its contents outright, which makes restoring the system partition much harder than if the record had simply been deleted or marked unused.
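The defensive counterpart to the behaviour described above is to baseline and verify the boot sector. The following Python snippet is an added example, not code from the article or from Cisco's analysis: it parses a 512-byte MBR image, checks the well-known 0x55AA boot signature, flags a zeroed bootstrap area and empty partition table (exactly what a null-byte overwrite leaves behind), and compares the sector's SHA-256 against a baseline recorded on a known-good system. The sample MBR it builds is constructed for the example and not taken from any real disk.

```python
import hashlib
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 446               # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xAA"       # marker at the end of a valid MBR sector


def sha256_hex(data: bytes) -> str:
    """Hash helper used to baseline a known-good MBR image."""
    return hashlib.sha256(data).hexdigest()


def parse_partition_table(mbr: bytes) -> List[dict]:
    """Return the non-empty entries of the classic four-slot partition table."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = mbr[off:off + 16]
        part_type = entry[4]
        if part_type == 0:          # type 0x00 marks an unused slot
            continue
        entries.append({
            "slot": i,
            "bootable": entry[0] == 0x80,
            "type": part_type,
            "lba_start": int.from_bytes(entry[8:12], "little"),
            "sectors": int.from_bytes(entry[12:16], "little"),
        })
    return entries


def check_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector length {len(mbr)}, expected {MBR_SIZE}"]
    findings = []
    if mbr[BOOT_SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(mbr[:BOOT_CODE_SIZE]):
        findings.append("bootstrap code area is all zero")
    if not parse_partition_table(mbr):
        findings.append("partition table has no entries")
    if baseline_sha256 is not None and sha256_hex(mbr) != baseline_sha256:
        findings.append("MBR hash does not match baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample of a plausible MBR (not captured from any real disk)."""
    boot_code = b"\xEB\x63\x90" + b"\x90" * (BOOT_CODE_SIZE - 3)  # jmp + NOP padding
    entry = (
        b"\x80"                                 # status: bootable
        + b"\x20\x21\x00"                       # CHS start (ignored by modern loaders)
        + b"\x07"                               # type 0x07: NTFS/exFAT
        + b"\xFE\xFF\xFF"                       # CHS end
        + (2048).to_bytes(4, "little")          # LBA of first sector
        + (204800).to_bytes(4, "little")        # sector count (100 MiB)
    )
    table = entry + b"\x00" * 48                # remaining three slots empty
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sha256_hex(good)
    print("healthy image:", check_mbr(good, baseline) or "no findings")
    wiped = b"\x00" * MBR_SIZE          # what a null-byte overwrite leaves behind
    print("wiped image:", check_mbr(wiped, baseline))
    # On a live system, read the first 512 bytes of the boot disk (for example
    # open(r"\\.\PhysicalDrive0", "rb") on Windows, administrator required) and
    # pass them to check_mbr() together with a baseline hash recorded at install time.
```

Recording the baseline hash at deployment time and re-checking it from a trusted context (offline rescue media, or a monitoring agent that runs before any user software) is what turns this from a one-off inspection into a detection for boot-sector tampering; a restored MBR still needs the original partition table, so keep a copy of the sector itself, not only its hash.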
Rombertik combines a traditional malicious payload that harvests personal data as users browse the web with an entirely new mechanism for defeating detection by security software. Although little is known about its author or its true purpose, these sophisticated techniques make it likely that Rombertik will be used in cyber espionage and in targeted attacks.