{"id":8210,"date":"2015-05-05T12:46:04","date_gmt":"2015-05-05T16:46:04","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=8210"},"modified":"2015-05-05T12:46:04","modified_gmt":"2015-05-05T16:46:04","slug":"this-terrifying-malware-destroys-your-pc-if-detected","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/05\/05\/this-terrifying-malware-destroys-your-pc-if-detected\/","title":{"rendered":"This terrifying malware destroys your PC if detected"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2918632\/rombertik-malware-destroys-computers-if-detected.html\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/05\/hack-security-malware-100569441-gallery.jpg\" alt=\"\" \/><\/a><\/p>\n<p>A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims.<\/p>\n<p>The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window. It is being spread through spam and phishing messages, according to Cisco\u2019s Talos Group blog on Monday.<\/p>\n<p>Rombertik goes through several checks once it is up and running on a Windows computer to see if it has been detected.<\/p>\n<p>That behavior is not unusual for some types of malware, but Rombertik \u201cis unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,\u201d wrote Ben Baker and Alex Chiu of the Talos Group.<\/p>\n<p>Such \u201cwiper\u201d malware has been used in the past, notably against South Korean targets in 2013 and against Sony Pictures Entertainment last year, an attack attributed to North Korea by the U.S. government.<\/p>\n<p>The last check Rombertik does is the most dangerous one. 
It computes a 32-bit hash of a resource in memory, and if either that resource or the compile time has been changed, which is what an analyst patching or rebuilding the sample would cause, Rombertik triggers self-destruct.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2918632\/rombertik-malware-destroys-computers-if-detected.html\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2015\/05\/rombertik-100583324-large.png\" alt=\"\" \/><\/a><\/p>\n<p>It first takes aim at the Master Boot Record (MBR), the first sector of a PC\u2019s hard drive, which the computer reads before loading the operating system. If Rombertik lacks the privileges to overwrite the MBR, it instead destroys all of the files in the user\u2019s home folder by encrypting each with a random RC4 key that is not kept anywhere, so the files are wiped rather than held for ransom.<\/p>\n<p>Once the MBR has been overwritten or the home folder encrypted, the computer restarts. The replacement MBR enters an infinite loop that stops the computer from booting. The screen reads \u201cCarbon crack attempt, failed.\u201d<\/p>\n<p>When it first runs on a computer, it unpacks itself. Around 97 percent of the content of the unpacked file is there only to make it look legitimate: it is composed of 75 images and some 8,000 decoy functions that are never called.<\/p>\n<p>\u201cThis packer attempts to overwhelm analysts by making it impossible to look at every function,\u201d Talos wrote.<\/p>\n<p>It also tries to evade sandboxing, the practice of running suspect code in an isolated environment for a period of time to observe what it does before letting it loose. 
Some malware tries to wait out the period it is in a sandbox, hoping the sandbox period will time out and it can wake up.<\/p>\n<p>Rombertik stays awake, however, and writes one byte of data to memory 960 million times, which complicates analysis for application tracing tools.<\/p>\n<p>\u201cIf an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes,\u201d Talos wrote.<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2918632\/rombertik-malware-destroys-computers-if-detected.html\" target=\"_blank\">This terrifying malware destroys your PC if detected | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,10],"tags":[655,1167],"class_list":["post-8210","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-malware","tag-virus"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-28q","jetpack-related-posts":[{"id":7570,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/05\/malicious-advertisements-on-major-sites-compromised-many-many-pcs\/","url_meta":{"origin":8210,"position":0},"title":"Malicious advertisements on major sites compromised many, many PCs","author":"NCCT","date":"February 5, 2015","format":false,"excerpt":"Attackers who have slipped malicious advertisements onto major websites over the last month have potentially compromised large numbers of computers. Several security vendors have documented attacks involving malicious advertisements, which automatically redirect victims to other websites or pages that silently attack their computer and install malware. 
\u201cWe certainly see malvertising\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3213,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/20\/researchers-manage-to-get-malware-published-in-apples-ios-app-store\/","url_meta":{"origin":8210,"position":1},"title":"Researchers manage to get malware published in Apple&#039;s iOS App Store","author":"NCCT","date":"August 20, 2013","format":false,"excerpt":"While the posting of malware remains a rare occurrence on Apple's iOS App Store, a team of security researchers figured out a way to get a malicious piece of software past Apple's certification team. The team from Georgia Tech said that the app was approved and published by Apple in\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8976,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/07\/15\/this-android-trojan-blocks-victims-from-alerting-banks\/","url_meta":{"origin":8210,"position":2},"title":"This Android Trojan blocks victims from alerting banks","author":"NCCT","date":"July 15, 2016","format":false,"excerpt":"By Michael Kan | PCWorld A new Trojan that can steal your payment data will also try to stymie you from alerting your bank. Security vendor Symantec has noticed a \u201ccall-barring\u201d function within newer versions of the Android.Fakebank.B malware family. 
By including this function, a hacker can delay the user\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8920,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/05\/17\/8920\/","url_meta":{"origin":8210,"position":3},"title":"Tech support scammers now utilizing ransomware-like lock screens to threaten people","author":"NCCT","date":"May 17, 2016","format":false,"excerpt":"By Justin Luna | Neowin Some of us may be very well aware of the classic tech support scam stories, where a man randomly calls people, and informs them that they are from \"Windows company\" and that the call recipient's computer has been detected full of viruses. These cold callers\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7608,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/12\/virustotal-tackles-the-tricky-false-positives-problem-plaguing-antivirus-software\/","url_meta":{"origin":8210,"position":4},"title":"VirusTotal tackles the tricky false positives problem plaguing antivirus software","author":"NCCT","date":"February 12, 2015","format":false,"excerpt":"VirusTotal, a Google-owned online malware scanning service, is creating a whitelist of products from large software vendors to reduce bad detections by antivirus programs. False positive detections are common in the antivirus industry. 
They occur when a benign program is wrongfully flagged as malicious due to an overly broad detection\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6142,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/06\/department-of-homeland-security-warns-retailers-of-backoff-pos-malware-techspot\/","url_meta":{"origin":8210,"position":5},"title":"Department of Homeland Security warns retailers of &#8216;Backoff&#8217; POS malware &#8211; TechSpot","author":"NCCT","date":"August 6, 2014","format":false,"excerpt":"The Department of Homeland Security yesterday issued an alert about a point-of-sale malware that was used in a string of recent attacks by cyber criminals. Dubbed Backoff, the malware has been witnessed on at least three separate forensic investigations since late 2013 and continues to operate today. According to US-CERT,\u2026","rel":"","context":"In 
&quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/8210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=8210"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/8210\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=8210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=8210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=8210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}