Nasty Rombertik malware could wipe your PC's data
Cisco warns "nasty" Rombertik malware could wipe your hard drive if you try to get rid of it
A data-destroying piece of malware that sniffs data from your web browsing and wipes your hard drive has been detected by a Cisco lab.
Rombertik is a piece of malware spread via spam or phishing messages that gathers up all text typed into a web broswer by sneaking into API functions and handing sensitive information such as login credentials to the hackers controlling it.
If that isn't frightening enough, after reverse engineering it, Cisco security lab Talos found that Rombertik would destroy the master boot record on a machine if it was detected or analysed - which the researchers described as a "nasty trap door".
"Before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analysed in memory," researchers Ben Baker and Alex Chiu noted in a Cisco blog post.
"If this check fails, Rombertik will attempt to destroy the Master Boot Record and restart the computer to render it unusable."
If it can't destroy the master boot record, it will instead destroy access to all the files on your home folder by encrypting them. It will then restart your computer, and be stuck at a screen reading "carbon crack attempt failed" until you reinstall the OS.
"While Talos has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis," the researchers noted, adding that "Talos expects these methods and behaviours to be adopted by other threat actors in the future."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Hype and hysteria
Such nasty malware is rare, noted security analyst Graham Cluley, but he pointed out that contrary to dramatic reports in the wider media and even Cisco's own blog post, Rombertik won't actually "destroy your computer", but instead wipes or overwrites a hard drive.
"Maybe some of the hype and hysteria would have been avoided if Cisco had been more careful with its words," he wrote in a blog post. "And maybe it was unwise for the company to create an infographic which showed a hard drive catching fire."
His own advice echoed Cisco's: to protect yourself, keep your PC software up to date and run antivirus, and avoid clicking on unexpected email attachments from unknown senders. Plus, it's wise to keep a backup of your data so it's not at risk from such malware - especially if Talos is correct and sabotage attacks such as Rombertik do continue.