
[Chatting about the world] [New virus] Rombertik: by the time you discover it, it is already too late (with foreign coverage)

Source: Yesky (天极网)

On May 6, Cisco's security intelligence research team, the Talos Group, announced that they had discovered a new type of malware codenamed Rombertik. It differs from an ordinary destructive virus and is more frightening: it can intercept any plaintext typed into a browser window, and it spreads via spam and phishing emails. If it is discovered during a security check, the malware "self-destructs", doing its utmost to destroy the computer.


Once a user downloads Rombertik by clicking a link, it runs through several checks. Once launched and running on a Windows computer, it can check whether it has been discovered. Unlike other malware, Rombertik will try to destroy the computer.

Talos Group security experts Ben Baker and Alex Chiu wrote: "What makes this malware unique is that once it detects certain attributes associated with malware analysis (that is, signs that it may have been discovered), it actively attempts to destroy the computer."

Rombertik's first target is the Master Boot Record (MBR), the first sector that must be read when the computer accesses the hard disk after power-on and before the operating system loads. If it fails to get in there, Rombertik quickly destroys all files in the user's home folder by encrypting them with a randomly chosen RC4 key. Once the MBR or the home folder has been encrypted, the computer restarts. The MBR is then caught in an infinite loop, preventing the computer from booting again, and the screen displays the text "Carbon crack attempt, failed".


The researchers said: "Rombertik is a very complex piece of malware, designed to hook into the user's browser to read credentials and other sensitive information, helping attackers penetrate and control servers."

Security experts found that Rombertik uses social-engineering tactics to entice users to download, unzip and open attachments, ultimately leading to the user's compromise. In the analyzed sample, the email containing Rombertik appeared to come from "Windows Corporation".


The attackers try hard to convince the user to look at the attachment to see whether their business matches the target user's organization. If the user downloads and unzips the file, they then see a thumbnail-like file. Once it is installed on the computer, it unpacks itself. About 97% of the unpacked content looks legitimate, including 75 images and more than 8,000 decoy functions that serve no actual purpose. Talos Group experts said: "That many functions exceeds most people's analysis capacity; it is simply impossible to examine every function."

Malware similar to Rombertik has appeared before, for example in the 2013 cyber attacks on South Korean targets and last year's attack on Sony Pictures Entertainment. But Rombertik always stays active, writing one byte of data to memory 900 million times, which makes analysis with tracing tools very complicated.

Talos Group experts said: "If an analysis tool attempted to log all 960 million instructions, the log would balloon to over 100 gigabytes." The company advises users to keep good security habits, such as making sure antivirus software is installed and kept up to date, not clicking on attachments from unknown senders, and ensuring that email is thoroughly scanned.

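Added example (not from the article, Talos, or the forum): a defender-side integrity check for the MBR that the article says Rombertik overwrites. It parses a 512-byte sector-0 image, compares the bootstrap code against a known-good SHA-256 baseline recorded earlier, and flags an empty partition table or the "Carbon crack attempt" text the article mentions. The two sample images are constructed filler, not real boot code, and the baseline hash is assumed to have been taken from the clean system.

```python
import hashlib
import struct

MBR_SIZE, BOOTSTRAP_LEN, PART_TABLE_OFF = 512, 446, 446
BOOT_SIG = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def parse_partitions(mbr):
    # Four 16-byte entries: status @0, type @4, LBA start @8, sector count @12 (little-endian)
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"status": mbr[off], "type": mbr[off + 4],
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(mbr, baseline_bootstrap_sha256):
    # Compare a 512-byte sector-0 image with a known-good bootstrap hash; return findings
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest() != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    if all(p["type"] == 0 for p in parse_partitions(mbr)):
        findings.append("partition table empty")
    if b"Carbon crack attempt" in mbr:  # text the article says the wiped MBR displays
        findings.append("Rombertik wiper message present in sector 0")
    return findings

def build_mbr(bootstrap, partitions):
    # Assemble an MBR from bootstrap bytes and (status, type, lba_start, sectors) tuples
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n) for s, t, lba, n in partitions)
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN] + table.ljust(64, b"\x00") + BOOT_SIG

# Constructed sample data (not real boot code): arithmetic filler stands in for the
# legitimate bootstrap; one bootable NTFS-type (0x07) partition starting at LBA 2048.
CLEAN_BOOTSTRAP = bytes((i * 7 + 3) % 256 for i in range(BOOTSTRAP_LEN))
BASELINE = hashlib.sha256(CLEAN_BOOTSTRAP).hexdigest()  # assumed recorded on the clean system
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, [(0x80, 0x07, 2048, 1_000_000)])

# Constructed "after wipe" image: bootstrap replaced and partition table zeroed.
WIPED_MBR = build_mbr(b"Carbon crack attempt, failed", [])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))  # []
    print("wiped:", check_mbr(WIPED_MBR, BASELINE))
```

On a live system the 512-byte image would be read from the first sector of the boot disk and the baseline hash stored off-host, so the comparison still works after the disk has been tampered with.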

Reply: [New virus] Rombertik: by the time you discover it, it is already too late (with foreign coverage)

Rombertik: This malware can destroy your PC if detected

by FP Staff  May 6, 2015 15:33 IST
##CyberSecurity

Researchers have discovered a new malware ‘Rombertik’ that has “multiple layers of obfuscation and anti-analysis functionality.” This functionality was designed to evade both static and dynamic analysis tools, making debugging difficult.
“Security researchers are constantly looking for ways to better detect and evade each other. As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples. Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis,” Ben Baker and Alex Chiu from Cisco Systems' Talos Group said in a blog post.
Rombertik is a complex piece of malware that is designed to hook into the user’s browser to read credentials and other sensitive information for exfiltration to an attacker-controlled server, similar to Dyre.
However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner, the blog post added.
Rombertik has been identified to propagate via spam and phishing messages sent to would-be victims. Like previous spam and phishing campaigns Talos has discussed, attackers use social engineering tactics to entice users to download, unzip, and open the attachments that ultimately result in the user’s compromise.



The attackers attempt to convince the user to check the attached documents to see if their business aligns with the target user’s organisation. If the user downloads and unzips the file, the user then sees a file that looks like a document thumbnail. While this file may appear to be some sort of PDF from the icon or thumbnail, the file actually is a .SCR screensaver executable file that contains Rombertik. Once the user double clicks to open the file, Rombertik will begin the process of compromising the system, the researchers claimed.
Baker and Chiu further said that the process by which Rombertik compromises the target system is fairly complex, with anti-analysis checks in place to prevent static and dynamic analysis. Upon execution, the malware will stall and then run through a first set of anti-analysis checks to see if it is running within a sandbox.
Once these checks are complete, Rombertik will proceed to decrypt and install itself on the victim’s computer to maintain persistence. After installation, it will then launch a second copy of itself and overwrite the second copy with the malware’s core functionality.
Before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analysed in memory. If this check fails, Rombertik will attempt to destroy the Master Boot Record and restart the computer to render it unusable.
The researchers found that Rombertik uses "garbage code" to inflate the volume of code an analyst might have to review and analyse. In addition, the malware stalls in sandboxes by writing a byte of random data to memory 960 million times.
“If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes. Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis.”
Effectively, Rombertik begins to behave like a wiper malware sample, trashing the user’s computer if it detects it’s being analysed, according to the Talos team. “While Talos has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis.”
Good security practices, such as making sure anti-virus software is installed and kept up-to-date, not clicking on attachments from unknown senders, and ensuring robust security policies are in place for email (such as blocking certain attachment types) can go a long way when it comes to protecting users, the researchers said.
However, a defense in depth approach that covers the entire attack continuum can help identify malware and assist in remediation in the event that an attacker finds a way to evade detection initially.
What’s important about Rombertik?
May 6, 2015 | BY Joshua Cannell

A few days ago the Talos Research Group, which supports Cisco by creating threat intelligence, released a blog about a piece of malware known as Rombertik, which has gained a lot of attention mainly because of its anti-analysis capabilities.
We’ve talked a bit about anti-analysis in our blog before, but Rombertik seems to be a little “overly-paranoid”.
What’s mostly uncommon about Rombertik is that, unlike much of the other malware in circulation today, Rombertik will trash the user’s hard drive if certain hash values don’t line up. This is an uncommon practice in malware, although it does happen on occasion.
Recall that the malware involved in the Sony Pictures hack of last year did the same thing, and even earlier attacks were happening against banks in South Korea that did the same thing.


Unlike those examples though, Rombertik doesn’t appear to be a state-sponsored malware. Instead, it mostly appears in phishing messages and other spam which will fall into the hands of everyday users.
Much like everyday malware, most of Rombertik’s actions aren’t too unique. When looking at the picture depicting Rombertik’s course of action, it’s noted the malware performs a lot of the same techniques seen in malware over the last several years; things like creating “excessive activity” to blow up procmon logs or having the binary overwrite itself in memory with unpacked code (Run PE) aren’t anything new in the world of malware.
What makes this malware atypical, outside of trashing a user’s hard drive, are a few notable things.
First, it has a very, very, bloated size. According to Talos, the unpacked Rombertik sample is a mere 28KB while the packed version is over 1MB, meaning that “over 97 percent of the packed file is dedicated to making the file look legitimate by including 75 images and over 8000 functions that are never used”.
This isn’t commonly seen in malware, but it can be very effective at thwarting less-experienced analysts who commonly get caught up in analyzing unnecessary functions.
Secondly, it uses some unconventional methods to delay execution. Many sandboxes, like the well-known Cuckoo sandbox, hook relevant APIs like kernel32!Sleep, which tells the program to sleep for a specified time. By hooking the API, sandboxes can intercept the call and patch the code, bypassing the program’s instruction to Sleep.
In the case of Rombertik, the malware writes random bytes to memory many times before proceeding with execution. This would be something that conventional malware sandboxes don’t account for, and therefore would be considered an anti-sandbox technique.
Malwarebytes Anti-Malware detects Rombertik as Trojan.Ransom.ED. For any additional questions or comments about the malware, be sure to post a comment below.
Reply: [New virus] Rombertik: by the time you discover it, it is already too late (with foreign coverage)

Oh, it only destroys files.

I thought it could destroy hardware.



Just a minor virus.

Behavior-based defense can block it perfectly.

Once a sample is available.
Reply to post 4F by 天月来了

Once a sample is available, you'll want to play with the virus.
Reply to post 5F by Android

What's there to play with in that little bit of boot-sector access behavior?
Reply: [New virus] Rombertik: by the time you discover it, it is already too late (with foreign coverage)

This virus seems pretty powerful; can Rising kill it?
Reply: [New virus] Rombertik: by the time you discover it, it is already too late (with foreign coverage)

Truly impossible to guard against!
Reply: [New virus] Rombertik: by the time you discover it, it is already too late (with foreign coverage)

At worst you reinstall; I thought the computer's CPU would blow itself up.
Reply: [New virus] Rombertik: by the time you discover it, it is already too late (with foreign coverage)

Quote:
Originally posted by 毯子旋律 on 2015-5-8 9:50:00
This virus seems pretty powerful; can Rising kill it?

I just asked: it can kill it, heh heh heh.