Cisco security researchers have discovered a piece of malware with strong anti-analysis features and a highly destructive payload that can leave infected machines unbootable.
The malware, dubbed 'Rombertik', is the subject of a Cisco Threat Spotlight. Analysts Ben Baker and Alex Chiu of the Cisco-backed Talos Security Intelligence and Research Group said they had reverse engineered the threat and judged it to be significant.
Rombertik uses several layers of obfuscation to hide itself and resist analysis. It checks for inspection and debugging tools and, if it finds them, can destroy itself, send the computer into an endless reboot loop and leave it at a blank screen.
Virus Bulletin (@virusbtn), May 5, 2015: "Cisco researchers looked beyond the 97% unnecessary code and had a close look at the destructive Rombertik malware" http://t.co/kWAioA3ksg
"Talos discovered multiple layers of obfuscation and anti-analysis functionality. This functionality was designed to evade static and dynamic analysis tools, make debugging difficult," the researchers said.
"If the sample detected [it] was being analysed or debugged it would ultimately destroy the master boot record."
Cisco warned that this would render the machine unusable. "Rombertik begins to behave like a wiper malware sample, trashing the user's computer if it detects it's being analysed," the advisory said.
"Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis."
Rombertik hooks into Firefox, Chrome and Internet Explorer, and copies itself onto the system to establish a persistent foothold. Once in place it can read data the user types into the browser before that data is encrypted for transmission, and forward it to a third party.
Talos said the malware harvests passwords and related credentials from whichever sites the user visits, without discriminating between them.
"Rombertik [is] able to read any plain-text data the user might type into their browser and capture this input before it gets encrypted if the input is to be sent over HTTPS. This enables the malware to collect data such as usernames and passwords from almost any website," the researchers explained.
"Rombertik does not target any site in particular, such as banking sites, but instead attempts to steal sensitive information from as many websites as possible. The collected data is then Base64 encoded and forwarded over HTTP with no encryption."
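The two properties in that last sentence, standard Base64 encoding and plain HTTP with no encryption, are what make this exfiltration visible to anyone watching the wire. The script below is an added illustration, not code from the Cisco or Talos write-up: a simple detection heuristic that takes HTTP POST bodies already extracted by a proxy or IDS, decodes any that are well-formed Base64, and flags those that decode to mostly printable text containing credential-style keys. The `(destination, body)` log format, the destination `203.0.113.10/gate.php`, the regular expressions and all sample requests are constructed for the example and are not taken from real Rombertik traffic.

```python
"""Heuristic detector for Base64-wrapped credential exfiltration over plain HTTP.

Added example, not Talos/Cisco code. It assumes a proxy or IDS has already
extracted HTTP POST bodies into (destination, body) pairs. Every sample below
is constructed for illustration; none is real Rombertik traffic.
"""
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Constructed sample requests: a Base64-wrapped credential blob to a
# hypothetical collection point, a Base64 PNG fragment, a plain (unwrapped)
# login form, and a Base64 blob that decodes to binary rather than text.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("203.0.113.10/gate.php",
     base64.b64encode(b"user=alice&pass=hunter2&site=example.com").decode()),
    ("cdn.example.org/img",
     "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk"),
    ("example.com/login", "username=bob&password=secret"),
    ("203.0.113.10/gate.php",
     base64.b64encode(b"\x00\x01\x02\x03\x04\x05\x06\x07binary-blob-here").decode()),
]

# Standard Base64 alphabet only; a URL-safe or custom alphabet would not match.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Credential-style keys followed by '=' or ':' (form fields, JSON, key=value dumps).
CRED_RE = re.compile(r"(pass(word|wd)?|pwd|login|user(name)?)\s*[=:]", re.I)
PRINTABLE = set(string.printable.encode())


def decode_b64(blob: str) -> Optional[bytes]:
    """Return the decoded bytes if blob is well-formed standard Base64, else None."""
    blob = blob.strip()
    if len(blob) < 16 or len(blob) % 4 or not B64_RE.match(blob):
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_credentials(data: bytes) -> bool:
    """True if the bytes are at least 95% printable and contain a credential key."""
    if not data or sum(b in PRINTABLE for b in data) / len(data) < 0.95:
        return False
    return CRED_RE.search(data.decode("ascii", errors="replace")) is not None


def flag_exfil(dest: str, body: str) -> Optional[str]:
    """Return a finding if the body is Base64 wrapping credential-like plaintext."""
    decoded = decode_b64(body)
    if decoded is None or not looks_like_credentials(decoded):
        return None
    return f"{dest}: Base64 body decodes to credential-like text ({len(decoded)} bytes)"


def scan(requests: List[Tuple[str, str]]) -> List[str]:
    """Run the heuristic over every request and collect the findings."""
    return [f for f in (flag_exfil(d, b) for d, b in requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Only the first request is flagged: the PNG fragment decodes to binary, the plain form post is not Base64 at all (and is what normal login traffic looks like, so it is deliberately left to other rules), and the last blob decodes to non-printable bytes. The heuristic is narrow by design and depends entirely on the behaviour described above; a sample that switched to a URL-safe alphabet, compressed the data, or added even weak encryption would slip past it, so it belongs alongside, not instead of, host-based detection.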