Thanks to James Wyke of SophosLabs for doing the hard parts of this article.
We didn’t really want to get drawn into this one.
But it’s hard to avoid commenting on malware that has variously been described as a “terrifying ‘suicide bomber’” and as having a payload that “destroys computers.”
That’s the sort of computer security hyperbole that does nothing but harm.
The best outcome is that you end up being offensive, as you are when you insist on trotting out the phrase “digital Pearl Harbor” and expecting to be taken seriously.
The worst outcome is that you create an entirely false sense of security by describing a manageable, albeit serious, threat as though it were truly extreme.
By creating the impression that a manageable threat is “as bad as it gets,” you undermine your readers’ interest in bothering about less serious threats at all.
Introducing Rombertik
The malware in question has been nicknamed “Rombertik” (Sophos products will block it as Troj/Delp-AD).
SophosLabs first came across it in January 2015, one of some 300,000 new malware samples that we encounter each day.
The vast majority of the samples we get each day aren’t truly new. They’re unique only in the strictly technical sense that they consist of a sequence of bytes that we haven’t encountered before, in the same way that Good morning and GOOD MORNING are not literally the same. Most of the new samples that show up each day are merely minor variants that we already detect, or known malware that has been encrypted or packaged differently. Nevertheless, that still leaves plenty of samples worth looking at.
Rombertik’s primary purpose seems to be to hook itself into your browser so it can keep track of what you type in.
Make no mistake, credential stealing malware of this sort is serious, because it can lead to compromised bank accounts, hacked servers, stolen data, decrypted secrets and more.
But it won’t destroy your computer, or kill you along with itself.
The cause of the hype
Where the hype-making headlines come from is an anti-hacking trick that’s buried in the malware.
Many Trojans and viruses over the years have had some sort of tamper-detection or tamper-prevention built in, just like the security tools that try to detect them in the first place.
Some malware, like Dyreza, about which we wrote recently, tries to work out if it is being run inside a malware research environment, and behaves entirely innocently if so.
This is the low-key way of avoiding notice: give nothing away at all, so that the file gets overlooked and put to the bottom of the queue for attention.
Other malware, like Rombertik, takes a different approach.
If it detects that you have altered the malware in certain ways – for example, if you are another crook trying to repurpose it without paying for the privilege – it will overwrite vital information on your computer.
In all likelihood, you’ll lose your data and end up reinstalling your operating system and applications to get up and running again.
You can call it spite, call it revenge, call it retaliation, call it destructive to your data (that much is perfectly true)…
…just don’t say that it destroys the computer, and don’t even think of comparing it to suicide bombing.
How it works
For what it’s worth, Rombertik’s data-wiping techniques go something like this:
• Try to wipe out the MBR.
The MBR, or Master Boot Record, is the very first sector on the hard disk. It holds the partition table, the index of how your disk is divided up into volumes, alongside the first scrap of code that runs when the computer boots.
Wiping the MBR really is a spiteful way to proceed, because it leaves you so near, yet so far.
Technically speaking, all your data remains behind, so with the right expertise or recovery tools you may very well get it back, but almost certainly not without plenty of frustration along the way.
It’s like putting a vital document through a shredder and then handing back the strips and saying, “There you are. All present and correct! You only have to work out which pieces go where.”
Fortunately, writing to the MBR requires Administrator privilege on Windows, so a program run by a regular user can't do it.
If trashing the MBR fails, Rombertik falls back on this:
• Starting in the home folder, overwrite almost all files.
In what is almost certainly a bit of gruesome humour from the crooks, Rombertik works just like ransomware, encrypting your files in place on the disk.
The malware chooses a random 256-byte encryption key for each file, but none of the keys is saved anywhere, so you end up with what is effectively random, shredded cabbage instead of your data.
Only files with the extensions .EXE, .DLL, .VXD and .DRV will survive.
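As an added illustration of the two stages above (this is example code written for this page, not Sophos’s or the malware’s), here is the after-the-fact damage check a responder would actually run. It parses sector 0 as a classic MBR so a zeroed sector is recognisable and can be compared with a saved copy, and it flags files whose contents now look like random bytes, which is what in-place encryption with a discarded key leaves behind. The sector, the file contents, the 7.5-bit entropy threshold and the list of spared extensions are all constructed or assumed from the article’s description; nothing here was recovered from the malware itself.

```python
"""Damage assessment for a Rombertik-style wipe, on constructed data.

Check 1: parse sector 0 as a classic MBR (boot code, 4 x 16-byte partition
         entries, 0x55AA signature) so a zeroed sector is recognisable and a
         saved copy can be compared against it.
Check 2: flag files whose contents look like random bytes, which is what
         in-place encryption with a discarded key leaves behind.
The 7.5-bit threshold and the spared-extension list are assumptions taken
from the article's description, not values recovered from the malware.
"""
import math
import os
import random
import struct
from collections import Counter

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446                 # 446 bytes of boot code come first
MBR_SIGNATURE = b"\x55\xaa"                  # last two bytes of a valid MBR
SPARED_EXTENSIONS = {".exe", ".dll", ".vxd", ".drv"}   # left alone, per the article


def parse_mbr(sector: bytes) -> dict:
    """Return the signature check and the non-empty partition entries of sector 0."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for slot in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * slot)
        if ptype == 0:
            continue                         # unused slot
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"valid_signature": sector[510:512] == MBR_SIGNATURE, "partitions": partitions}


def partition_table_intact(current: bytes, backup: bytes) -> bool:
    """True if the partition table and signature still match a saved copy of sector 0.

    The boot code is deliberately ignored: rewriting it is routine, but a zeroed
    table is what makes the volumes vanish, and only a saved copy brings it back.
    """
    return current[PARTITION_TABLE_OFFSET:] == backup[PARTITION_TABLE_OFFSET:]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a run of one byte value, close to 8 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_files(files: dict, threshold: float = 7.5) -> list:
    """Names of files (name -> contents) that look overwritten with keyless ciphertext.

    Extensions the article says Rombertik skips are not examined at all.
    """
    return [name for name, data in files.items()
            if os.path.splitext(name)[1].lower() not in SPARED_EXTENSIONS
            and shannon_entropy(data) >= threshold]


# ---- constructed sample data, not taken from any real machine ----------------

def _entry(bootable: bool, ptype: int, lba_start: int, count: int) -> bytes:
    chs = b"\xfe\xff\xff"                    # "use the LBA fields" filler
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, chs, ptype, chs, lba_start, count)


def constructed_mbr() -> bytes:
    """Sector 0 with empty boot code, one bootable NTFS partition and one data partition."""
    table = (_entry(True, 0x07, 2048, 1_048_576)
             + _entry(False, 0x07, 1_050_624, 2_097_152)
             + b"\x00" * 32)                 # two unused slots
    return b"\x00" * PARTITION_TABLE_OFFSET + table + MBR_SIGNATURE


def constructed_files() -> dict:
    rng = random.Random(2015)
    shredded = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for keyless ciphertext
    return {
        "notes.txt": b"Quarterly figures are in the attached sheet. " * 100,  # untouched text
        "budget.csv": shredded,              # overwritten in place
        "tool.exe": shredded,                # same bytes, but an extension the wiper spares
    }


if __name__ == "__main__":
    saved = constructed_mbr()                # the backup copy a cautious admin keeps
    print("before:", parse_mbr(saved))
    wiped = b"\x00" * SECTOR_SIZE            # what the disk shows after a successful MBR wipe
    print("after: ", parse_mbr(wiped), "table intact:", partition_table_intact(wiped, saved))
    print("shredded files:", triage_files(constructed_files()))
```

On a real Windows machine the 512 bytes to feed into `parse_mbr` come from opening `\\.\PhysicalDrive0` for reading, which, like writing it, needs Administrator privilege; saving that sector while the machine is healthy is the cheap insurance that makes `partition_table_intact` useful later, because Windows’ own `bootrec /fixmbr` rewrites only the boot code and leaves the partition table as it finds it. The entropy check has an obvious caveat: already-compressed formats (JPEG, ZIP-based Office files, most PDFs) are high-entropy by nature, so for those you confirm with the file’s magic bytes or modification times rather than trusting the threshold alone.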
What to do?
Ironically, getting hit right away by Rombertik’s data-wiping payload is probably a safer outcome than being infected for days or weeks without noticing.
Remember that the non-destructive part of the malware sets out, amongst other things, to snoop on your browsing and steal your data, perhaps even your identity.
Either way, as with any malware, your best bet is not to get infected in the first place:
- Keep your operating system and applications patched.
- Use an active anti-virus and keep it up-to-date.
- Avoid unexpected attachments.
- Try stricter filtering at your email gateway.
And these precautions will shield you against all sorts of catastrophes, not just destructive malware:
- Only logon with Administrator privileges when you genuinely need to.
- Take regular backups, and keep one backup set off-site.
- Remove unnecessary or unwanted software so there is less to go wrong.
Free Virus Removal Tool
The Sophos Free Virus Removal Tool works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.
Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.
It sounds like the viruses of 20+ years ago when the intent was just to cause a problem. It seems like most malware today is either designed to steal data or ransom your computer; this is more like something that would infect SCADA. I wonder if this is a test of a more malicious virus to come.
Don’t forget this part of the article:
You are absolutely correct that it doesn’t damage the physical computer, and some headlines are hyperbolic… That said, it is destructive malware that destroys our data, and what good is an information system without that data?
Anyway… you can reinstall the OS and recover the computer, but be sure to back up so you don’t lose the MORE important stuff… your work, livelihood, or priceless media.
GREAT job being anti-FUD though… While I like that our field has enough attention to make headlines, many are overstated to catch attention!
I think that erasing the MBR is more akin to ripping the table of contents out of a text book. All of the content is still there, but it takes some effort to find the start of each chapter.
Sort of. But not really. You can still read a text book without the ToC (or index), but a computer with a Rombertik-trashed MBR won’t boot at all, and the disk won’t mount even if you plug it into a working computer as a secondary drive.
(Trashing the MBR is a bit like ripping the spine off a book so you can’t read it normally, and then shrink wrapping the whole thing in a super-strong transparent sheath as well, so you can see it’s all there but not actually access any part of it in any useful way. You can recover, but you have to find a way to cut or burn off the shrink wrap without damaging what’s inside, then repair the spine of the book.)
Someone should tell the BBC News website that they got it a bit off beam. They are perpetuating the ‘kills PCs’ and Pearl Harbour overstatements on their Technology section.
Be our guest 🙂 You may refer them to this article if you like.
Why would the OS allow even an admin to overwrite the MBR? Shouldn’t direct access to that only be allowed to the system itself? Now, encrypting the files is a different matter; users have to be able to edit their own files.
Historical reasons, I suppose. More recent versions of Windows lock you out of the disk sectors that are actually part of a mounted volume (so you can’t zap the Master File Table, for example) but not the parts that aren’t…and the MBR, by definition, is outside any logical volume on the physical drive – it’s sort of metametadata for the logical volumes, if you like.
So it has remained open to overwrite…
Having said that, malware these days that wants low level access to a mounted volume may well carry around a kernel driver that it drops and then uses (if it has sufficient privilege) as a lever to do the sector-level lifting where it’s not supposed to.
Interesting, thanks for your reply!
Finally, a reasonable approach! Thank you.
At first, the exaggerated wording in most other articles talking about this virus had made me think it was a hoax, and I was surprised to see even “serious” security sites repeating that it “destroys computers”.
Most people already have difficulty telling software from hardware, and wording like that adds even more to the confusion.
Great article. Thank you for being an island of reason in a sea of hyperbole. I agree that the stealing your bank account part should be scarier and more headline grabbing than causing damage to your data.
There’s a typo, though, “but none of the keys is saved.” Are saved.
My favourite lexicographers assure me that the word “none” can take a singular _or_ a plural verb, as the writer wishes. And with “none” being derived from a good old Anglo Saxon word, they also tell me it’s been happily used either way in English for 1000 years.
I’m sticking with “none is.” I think it makes the emphasis I want here…a singular absence of anything to help you recover 🙂
OK, if it deploys on contact with malware/anti-virus scans, besides all the patching stuff, what can we do about an infection? Would we even know it is there? How?
Thank you,
It doesn’t deploy when you scan for it. It deploys if you try to modify the malware in certain ways and then redeploy it.
That’s why I’m speculating this is a “crook-versus-crook” technique.
(IIRC one of the parts that is monitored for unauthorised modification is the “call home” location to which stolen data is sent. So if you’ve paid for a copy of the malware to send data to example.org, your rivals in cybercrime can’t just grab your copy of the malware and change it to use example.net instead. Well, they can, but if they do then they will get a shot across their bows when they try to test it on their own computers 🙂)
Hi, does this overwrite both copies of the MBR in NTFS?
The MBR isn’t part of any partition or logical volume. (NTFS volumes have their own boot sector, which is indeed stored redundantly, but inside the volume itself and therefore not in the MBR.)
Indeed, another name for MBR is “partition table” (strictly speaking, the partition table is part of the MBR), which is where the logical volumes are defined.
If you zap the MBR you zap the apparent existence of your NTFS volume altogether 🙁
Paul,
Thanks for the article. It puts the recent discussions about Rombertik in perspective.
After reading about 15 other articles about this, I wasn’t able to understand the use of “destroying the PC” as this malware isn’t using BIOS/UEFI/Firmware infectors (which are rare in typical PC environments) so I wondered why the phrase was being widely used in these online reports.
However, I think that many PC users tend to characterize HDD failures or malicious infections that are limited to the HDD in the same manner as depicted in the other articles about malware in general.
While not wanting to minimize the impact of any malicious intrusions, recovery from virtually all of these intrusions can be achieved quickly with an installed Cloned HDD or Image recovery path.
Having said that, this one’s vindictive in that it seeks to render the MBR inoperable or failing that, encrypts files.
The part about overwriting the Partition Table is interesting as that would appear to render the BOOTREC utility ineffective in repairing the MBR as the /FIXMBR option doesn’t write to the Partition Table.
Fortunately, there are several online tools available that can backup the MBR in the event that the user may be inclined to attempt repairing the infected HDD vs recovering from HDD backup strategies.
The “suicide bomber” term was doubly offensive because if the malware does trigger, the one thing it doesn’t delete is itself. If you recover your MBR and reboot, the system will still be infected. (And it will stab you in the MBR one more time, of course.)
Right, since the malware elements are still on the affected HDD if installing an MBR sector backup copy. Thanks for the correction 🙂