Super secretive malware wipes hard drive to prevent analysis

Discussion in 'malware problems & news' started by hawki, May 5, 2015.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,957
    Location:
    DC Metro Area
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    It's super effective! As long as you take the bait yourself...
     
  3. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    frighteningly clever!
     
  4. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,097
    ...... and very easy to avoid.

     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,957
    Location:
    DC Metro Area
    Well, no one here will get it, but cyber criminals have developed very sophisticated means of gathering identifying info,friends,interests of individuals who through social engineering may fall victim.

    "Destructive computer virus uncovered

    A computer virus that tries to avoid detection by making the machine it infects unusable has been found..."

    http://www.bbc.com/news/technology-32591265
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    So this destruction procedure is activated only if someone wants to analyze it? Trying to remove it probably wouldn't trigger self destruction, or would it?
     
  7. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    My phone company wants you to keep your profile information current so they send you a email asking your email address and credit card number and your street address and state+country and provide links to fill in your information, to me this sounds like a phishing email with a payload of viruses...so I just ignore the email.
     
  8. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    I don't think it's so much that this particular strain is a threat with the way it's spread (I honestly expect this is a PoC whose code will be for sale on some black market or another) but once others begin adding similar functions into new variants of malware it could start to be a real issue. With so much data to sift through it would take AV vendors even longer to catch up (and they're already behind to start with.) Add to that the wiping ability and I'd hate to have one this like end up on my machine via an ad exploit later down the line. ><
     
  9. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    527
  10. PallMall

    PallMall Guest

    Repeat after anon and I "It gets installed when people click on attachments included in malicious e-mails."
    I know you guys are all aware of this but for the occasional visitor : "It gets installed when people click on attachments included in malicious e-mails."
    Like in West Side Story's "Maria"... I'll never stop saying ... OKAY :)
     
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Disabling WSH will do, not to mention deleting startup entries/folders before restart/shutdown.
     
  12. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    By Tyler Moffitt
    http://www.webroot.com/blog/2015/05/06/rombertik/
     
  13. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    If you run this inside the sandbox with Sandboxie, it can't do any damage. If run outside the sandbox, a HIPS like SpyShelter should be able to block modification to the MBR. And normally, HMPA should be able to block the file modification part.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    There is also a lot of FUD out there. I saw a BBC article that said if your MBR was wiped out the only solution was to resinstall windows. Apparently they have never heard of Imaging software or the windows repair disk. Geesh.
     
  16. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    "It gets installed when people click on attachments included in malicious e-mails."
    I would take that with a pinch of salt, it is fallacy to suggest such a sophisticated piece of malware only attacks via email attachments. Email attachments are just one way of delivering executable code to a machine, there are countless other ways.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    Rombertik's disk wiping mechanism is aimed at pirates, not researchers
    http://www.net-security.org/malware_news.php?id=3040
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,787
    Location:
    Texas
    http://www.tripwire.com/state-of-se...ertik-a-master-of-evasive-malware-techniques/
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,787
    Location:
    Texas
    http://www.securityweek.com/destructive-rombertik-sample-traced-back-nigerian-man-threatconnect
     
  20. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    From Nigeria's emails through Nigeria's social engineering to Nigeria's advanced ransomware. Seems like pretty skilled hackers there, I wonder what comes next.
     
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,787
    Location:
    Texas
    http://krebsonsecurity.com/2015/05/malware-evolution-calls-for-actor-attribution/
     
Loading...