
A new virus that disables the computer when it is detected


A new type of malware paralyzes a computer when it is detected during antivirus checks, delivering a catastrophic blow to its victims.

The virus, which Cisco Systems has named Rombertik, intercepts any text, even the simplest, entered into a browser window. According to a blog post published by Cisco's Talos Group on Monday, the virus spreads through spam and phishing emails.

After it is launched on a computer running Windows, Rombertik performs several series of checks to determine whether it is being detected by antivirus programs, and only then continues to act.

It should be noted that this behavior is not unusual for some types of malware, but Rombertik "is unique in that it actively tries to destroy data on the computer if it detects certain traces of malware analysis," as Ben Baker and Alex Chiu of the Talos Group described the virus.

Similar malware ("Wiper") was used in 2013 in attacks against facilities located in South Korea and in the attack against Sony Pictures Entertainment last year. Both attacks are attributed to the North Korean government.

Rombertik's last check is the most dangerous. It calculates a 32-bit hash of a resource in memory, and if that resource or the compile time has been changed, Rombertik launches a self-destruct process. First, the program overwrites the master boot record (MBR) in the first sector of the PC's hard disk, which the computer uses to load the operating system. If Rombertik cannot access the MBR, it instead deletes all files in the user's home folder, encrypting each one with a random RC4 key.

After the MBR or the home folder has been overwritten, the computer restarts. The MBR falls into an infinite loop that prevents the computer from booting, and the message "Carbon crackdown attempt, failed" appears on the screen.

Once installed on the computer, the virus unpacks itself. About 97 percent of the unpacked file is built to look like real code: the virus contains 75 images and 8,000 decoy functions that are never actually used.

"This virus is trying to make it impossible for antivirus programs to scan every function," Talos wrote.

It also tries to avoid being caught in a sandbox, where a suspicious program is kept in quarantine for a while until its examination finishes. Some malware tries to wait out this period, hoping to wake up afterwards and start acting.

Rombertik instead remains active and writes one byte of data into memory 960 million times, which makes analysis by antivirus programs difficult.

"And if the antivirus program tries to log all 960 million writes during this time, the log file may grow to 100 gigabytes," Talos wrote.

Source: https://habr.com/ru/post/257507/
