back to article 'Rombertik' malware kills host computers if you attempt a cure

Cisco researchers Ben Baker and Alex Chiu have found new malware that destroys a machine's Master Boot Record and home directories if it detects meddling white hats. The pair from the Borg's TALOS malware probing department say the "Rombertik" malware is designed to steal keystrokes and data and targets Windows users through …

  1. Phuq Witt

    Sneaky Buggers!

    "...has 8000 functions that do nothing but bamboozle...

    ...writing a byte of junk data to memory a whopping 960 million times....

    ...keeps firing by calling a Windows API debug string 335,000 times to fend off debugging...

    ...code is monstrous and has dozens of functions overlapping with each other and unnecessary jumps added to increase complexity. The result is a nightmare of a control flow graph with hundreds of nodes..."

    Absolutely fiendish! —the authors have even emulated the Microsoft in-house coding style, to help their malware blend in unseen.

    1. veti Silver badge

      Re: Sneaky Buggers!

      Just what I was thinking: "That's not a virus, that's a screensaver written in GW-Basic".

  2. This post has been deleted by its author

  3. amanfromMars 1 Silver badge

    The New Noble Future Virtual Reality for Product Placement by Politically Correct Media and Moguls

    And not so much just another Advanced IntelAIgent Exercising Zeroday Exploiting Vulnerability, more a Quite Stealthy Enough Ab Fab Fabless Opportunity to Right Wrong Systems and Flash Crash Ponzi Markets with Fantasy Game Players and Relatively Anonymous APT Non State ACTors ..... AI in a SMARTR State of NEUKlearer HyperRadioProACTive IT for Live Operational Virtual Environments ‽

    And shared as an exclamatory question for the Register to ponder on and wonder about regarding a more directing engagement and/or source and course mentoring and monitoring/proprietary private product public program development.

    And no, that is not a fantasy for gaming but a honest offer of Advanced Intellectual Property which delivers novel futures and derivatives with options and hedges taking care of risk and guaranteeing supply with .... well, Unlimited Virtual Forces are Immaculately Resourced Assets, are they not, and as Manna from Heaven whenever playing the Fool that is Embedded and Wedded in the Devil of Hell.

    cc BIS/Blighty Intelligence Services .... both of which would benefit greatly, rather than suffer catastrophically, from engagement too, but to be perfectly honest, neither are either vital and necessary for RapidE Ongoing Progress with ProgramMING in the Future Delivery Field.

    1. Anonymous Coward
      Anonymous Coward

      Re: The New Noble Future Virtual Reality (etc)

      You really need your shift key fixed :)

      1. Anonymous Coward
        Happy

        Re: The New Noble Future Virtual Reality (etc)

        Your new here I guess....as are many of the others down voting.

        Freshers, got to love them.

        1. amanfromMars 1 Silver badge

          The New Noble Future Virtual Reality (etc) with Mature Students as Freshers

          Your new here I guess....as are many of the others down voting.

          Freshers, got to love them. ..... Lost all faith

          Moving the debate and action/proaction and HyperRadioProActive IT ever onwards and further upward out of the reach and influence of the down hearted and petrified and righteously terrified of being rumbled for a whole catalogue of pre-organised and endorsed disasters, Lost all faith, please be advised of the following colossus of a titanic playground engagement and reply to Anonymous Coward above ......... http://forums.theregister.co.uk/forum/1/2015/05/05/rombertik_malware/#c_2508305

          There's a lot going on out there, and the dumb natives are getting restless and are quite rightly afeared of being terrorised by their systems administration, which in reality would then be them more mal-administered to within a failed state complex with non state actors.

        2. Anonymous Coward
          Anonymous Coward

          Re: Your new here I guess....as are many of the others down voting.

          Not new, just not amused.

          1. amanfromMars 1 Silver badge

            We be serious ..... Do you have a leader where one be taken to and entertained ....

            .... or is the destructive and disruptive norm and PAR for sub-prime courses, to be detained and abused

            Not new, just not amused .... Anonymous Coward

            Such is then good for slow learners, AC, as the program is much more for helping the outed and struggling sources and resources in edutainment, and not just for more general amusement.

            NEUKlearer HyperRadioProACTive IT in AIR&dDs .... Advanced IntelAIgent Research and digital Developments ....... are serious pieces of kit in All Weather Alien Future Driver Systems.

      2. amanfromMars 1 Silver badge

        Re: The New Noble Future Virtual Reality (etc)

        You really need your shift key fixed :) ..... Anonymous Coward

        Hi, Anonymous Coward,

        :-) I can easily blame, if blame be needed, a spell in Teutonic lands for that affectation if the shift key be in order and innocent of guilt. However, let us move on and cut straight to the chase .......

        Wanna play the Great Game and Greater IntelAIgent Games for real, whatever that may subsequently prove itself to tentatively and momentarily be, or do such as surreal facts and fanciful fantasies leave you for stone dead on the sidelines spectating and commenting with bye bye and buy buy lines with others short selling in long positions for obscenely spectacular fiat monopoly gain?

        When is there ever a right or wrong time to invest in an infestation in order to release the equity of disruptive powers and creative energy change within, whenever Carpe Diem rules and reigns every day anywhere? ........

        An AI and Principled Principal Engineer - Cyber Security supplying builders of innovative global hubs and Centres for Secure Information Technologies [and Queen's University, Belfast] such programming as delivers guaranteed excellences focussing on accelerating the translation of world leading cyber security research into ground-breaking technologies and virtual reality product placements with both the simple and complex media movement of general information and/or special intelligence, is not a Shifty Key Organ, AC, it is one of those aforementioned Immaculately Resourced Assets exploiting and exporting Zeroday Vulnerabilities with the most Noble and Novel of SCADA Executive Administrations in AI Controlling Command of the Realised Power and Virtual Energy in Future Productions/Global Media Hosted Events for Present Profit to Convert and Divert into Bountiful Currency for Distribution .... Smarter Sharing and Selfless Gifting.

        And there y’all were thinking that Titanic Studios and Palace Barracks Thinkers were light years apart rather than just a short stroll away for All Primary Principals into JOINT AIMissions ….. Black Watch Ventures in Deep and Dark Web Enterprises.

        Capiche M/C hammers …. or are you not up to the tasking with inspired aspiring leaderships?

        cc M ….. MI5

        C ….. MI6

        The defence of ignorance of such matters in supposedly Secure UKGBNI and Secret Intelligence Services is now removed from the Virtual Field and Greater IntelAIgent Gameplay with those carbon copied deliveries

        The times and spaces have changed and the worms have turned. There now be fiery fearsome dragons and fearless dragoon foe to do deals with in order to survive and prosper, for an alternative plan for the exercising is in a series of flash crashes and burnings through mountains of trash disguised as cash pimped as wealth, rather than it being recognised and remodelled from its being the printed bauble that blinds and leads arrogant fools and ignorant tools to their enslaved positions.

  4. Dan 55 Silver badge
    Devil

    "spreads through an executable screensaver disguised as an Adobe PDF file"

    Oh FFS MS, just make Explorer refuse point blank to run any file called [name].[legitimate extension].[bat/com/exe/pif/scr/vbs]. If anyone must shoot themselves in the foot they could open a command prompt and rename it.

    Anyone would think they have no interest in making the desktop more secure to push people towards TIFKAM.

    1. Anonymous Coward
      Anonymous Coward

      Re: "spreads through an executable screensaver disguised as an Adobe PDF file"

      "just make Explorer refuse point blank to run any file called [name].[legitimate extension].[bat/com/exe/pif/scr/vbs]"

      I would upvote this 1000 times if I could.

    2. P. Lee

      Re: "spreads through an executable screensaver disguised as an Adobe PDF file"

      How about not making Windows hide bits of the file-name by default.

      How about not using the file-name to denote an executable?

      How about only allowing the screensaver application to load screen savers from a particular set of directories and if someone does try run one outside of those areas, tell them they can't and why. That's a relatively easy fix.

      1. Anonymous Coward
        Anonymous Coward

        Re: "spreads through an executable screensaver disguised as an Adobe PDF file"

        why even install a 3rd party screen saver these days?

      2. david 12 Silver badge

        Re: "spreads through an executable screensaver disguised as an Adobe PDF file"

        Right. Let us SHOW THE FILENAME, and also NOT USE THE FILENAME, so that the filename that is shown does not tell us if the file is executable. wtf?

        Wait, I've go more! How about marking downloaded applications as untrusted, so that the don't run at all, in any area, telling people that they can't and why?

        Um, you knew that screensavers are applications didn't you?

  5. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    MBR

    A destroyed MBR is not a particularly hard problem to recover from.

    Any serious researcher will be analysing the malware on a dedicated machine that doesn't contain any important data, so encrypting the home directory isn't really a problem either.

    The rest of it is interesting though. The author evidently has a good understanding of the tools and techniques used by the researchers and has developed ways to make their life difficult. Now the researchers will have to improve their tools and techniques. It's like an arms race.

    1. auburnman

      Re: MBR

      Agree; it feels almost like a White Hat has gone over to the dark side...

  7. Joey

    Goodie

    Can we have a Mac version too please ;?)

    1. Anonymous Coward
      Joke

      Re: Goodie

      No, Apple are going to make it impossible to make any changes to any part of your system, including the icons or colour scheme, unless pre-approved by iTunes Staff.

      1. Crazy Operations Guy

        Re: Goodie

        I'm surprised they haven't just scrapped OS-X altogether and replaced it with a bloated version of iOS...

  8. Andy The Hat Silver badge

    An executable disguised as a data filef?

    FFS, this is 2015 not 1985 ... why is this still possible? Quick file structure check, ring various bells allow brainless user to run it if they want and the rest of us just say no ... Why run it by default?

  9. Forty Two

    So...

    Disabling machines in the domain from running any .scr screen saver other than a defined selection in Group Policy (there is a setting for client machine screen saver selection and the users ability to change/modify it) should do the trick ?

    1. Anonymous Coward
      Happy

      Re: So...

      Turn off screen saver, save energy, job done.

      It's 2015, not 1995.

    2. Anonymous Coward
      Anonymous Coward

      Re: So...

      Oh yes, also you can do a lot with screen savers and GPO's

  10. MacGyver

    Extension? What's that?

    Well if you leave your computer in "grandma mode" a la "Hide extensions for know types" then you get what get. We should blame Microsoft for still making it the default after all these years, the least they could do would be a warning about "This file has 2 extensions, this is indicative of a virus!"

  11. Alistair
    Coat

    [geek@party ~]$ file /bin/sh

    /bin/sh: symbolic link to `bash'

    [geek@party ~]$ file /bin/bash

    /bin/bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=c9f090657c35c10d6edeca09f62de9d22060a706, stripped

    what? you can't do that?

    1. Jonathan Richards 1

      OT: Not on Ubuntu, then...

      jonathan@Odin:~/tmp$ file /bin/sh

      /bin/sh: symbolic link to `dash' [emphasis added]

      This caught me out a little while ago when I expected /bin/sh to be bash.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like