Windows 8 and 8.1 Forums


Super Secretive Malware Wipes Hard Drive to Prevent Analysis

  1. #1



    Trying to Sith things out
    Bamberg Germany
    Posts : 2,290
    Windows 10 Pro 64 bit

    Super Secretive Malware Wipes Hard Drive to Prevent Analysis


    Researchers have uncovered new malware that takes extraordinary measures to evade detection and analysis, including deleting all hard drive data and rendering a computer inoperable.

    Rombertik, as the malware has been dubbed by researchers from Cisco Systems' Talos Group, is a complex piece of software that indiscriminately collects everything a user does on the Web, presumably to obtain login credentials and other sensitive data. It gets installed when people click on attachments included in malicious e-mails. Talos researchers reverse engineered the software and found that behind the scenes Rombertik takes a variety of steps to evade analysis. It contains multiple levels of obfuscation and anti-analysis functions that make it hard for outsiders to peer into its inner workings. And in cases where the main yfoye.exe component detects the malware is under the microscope of a security researcher or rival malware writer, Rombertik will self-destruct, taking along with it the contents of a victim's hard drive.
    Read more.
    Source: Ars Technica.


  2. #2


    Trnava
    Posts : 683
    Win 8.1.1 Pro x64


    To install itself, Rombertik first creates a VBS script named fgf.vbs, which is used to kick off Rombertik every time the user logs in, and places the script into the user's Startup folder.
    Thanks for the info. It seems that disabling VBS prevents it from working effectively.
    Not to mention deleting startup entries and folders before restart/shutdown.

    Code:
    Windows Registry Editor Version 5.00

    ; Disable Windows Script Host for the current user. With Enabled=0, wscript.exe and
    ; cscript.exe refuse to run .vbs/.js files, so a fgf.vbs in the Startup folder never starts.
    [HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
    "Enabled"=dword:00000000

    Code:
    Windows Registry Editor Version 5.00

    ; Startup folders to empty by hand (paths, not registry entries); all users first, then the
    ; current user. Remove only the unwanted script or shortcut, not the folder itself.
    ;   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    ;   C:\Users\UserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    ; A leading "-" deletes the whole key, legitimate entries included, so expect to re-create
    ; any of your own autostarts afterwards.

    ; Per-user autostart keys
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    ; Policies\System also holds per-user restriction values such as DisableTaskMgr
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server]
    ; ...\Windows NT\CurrentVersion\Windows holds the per-user "Load" and "Run" values
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    [-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Script]

    ; Machine-wide autostart keys
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    ; Caution: this key also holds the UAC values (EnableLUA, ConsentPromptBehaviorAdmin) and
    ; the logon banner text; deleting it resets them to their defaults
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    ; AppInit_DLLs lists DLLs loaded into every process that loads user32.dll; "=-" deletes the value
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=-

    ; Userinit is deleted here and set back to the stock value in the last section below; a
    ; missing or wrong Userinit breaks logon, so never import this file without that section
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"=-
    "VMApplet"=-

    ; Terminal Server\Install\...\CurrentVersion\Run is another autostart location; this removes the whole key
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]
    [-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Script]
    ; 32-bit view of Run/RunOnce on 64-bit Windows
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

    ; AlternateShell is cmd.exe by default and is what "Safe Mode with Command Prompt" starts;
    ; deleting it takes that shell away as well
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
    "AlternateShell"=-

    ; Restore the stock Userinit (the trailing comma is part of the value)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\Windows\\system32\\userinit.exe,"
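The .reg file above deletes every autostart key outright, which is also what worries the next poster about losing their own scripts. The following is an added example, not code from the thread or from Cisco Talos: a PowerShell audit that reads the same Startup folders and Run/Winlogon/AppInit_DLLs locations, resolves Startup shortcuts to their real targets, and flags anything that is a script or is launched through wscript/cscript/mshta, so that a fgf.vbs-style entry can be removed on its own. It also reports the Windows Script Host "Enabled" setting for both hives. It assumes Windows 8.1 or 10 with PowerShell 3 or later, an elevated prompt so the HKLM keys are readable, and the stock Windows values for Userinit and Shell as the baseline; the script-extension list is my choice, not something from the Talos write-up.

```powershell
# Added example (not from the thread or from Cisco Talos): audit the autostart locations
# that the .reg file above deletes wholesale, and flag entries that look like scripts, so a
# Startup-folder .vbs can be removed on its own while legitimate entries are left alone.
# Assumes Windows 8.1/10 with PowerShell 3 or later; run elevated so the HKLM keys are readable.
# The "stock" Userinit and Shell values below are the Windows defaults.

# Extensions and script hosts that make an autostart entry worth a closer look (my list)
$ScriptPattern = '\.(vbs|vbe|js|jse|wsf|wsh|hta|bat|cmd|ps1)(\s|"|$)|wscript\.exe|cscript\.exe|mshta\.exe|powershell\.exe'

# Startup folders: all users, then the current user (the same two paths as in the .reg file)
$StartupFolders = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)

# Registry autostart keys from the .reg file, read instead of deleted
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-ScriptLike {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    return [bool]($Command -match $ScriptPattern)   # -match is case-insensitive by default
}

function New-Finding($Location, $Name, $Value, [bool]$Flagged) {
    [pscustomobject]@{ Flagged = $Flagged; Location = $Location; Name = $Name; Value = [string]$Value }
}

$findings = @()
# Only used to resolve .lnk targets; the COM object still works when WSH Enabled=0,
# because that setting only stops wscript.exe/cscript.exe from running script files.
$shell = New-Object -ComObject WScript.Shell

foreach ($folder in $StartupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $folder -File -Force) {
        $target = $file.FullName
        if ($file.Extension -ieq '.lnk') {
            # A shortcut can point at wscript.exe; judge the target, not the .lnk itself
            $lnk = $shell.CreateShortcut($file.FullName)
            $target = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
        }
        $findings += New-Finding $folder $file.Name $target (Test-ScriptLike $target)
    }
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        $findings += New-Finding $key $name $value (Test-ScriptLike $value)
    }
}

# Winlogon and AppInit_DLLs: compare against the stock values instead of deleting them
$winlogon   = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinitOk = $winlogon.Userinit -match '^\s*C:\\Windows\\system32\\userinit\.exe,?\s*$'
$findings  += New-Finding 'Winlogon' 'Userinit' $winlogon.Userinit (-not $userinitOk)
$findings  += New-Finding 'Winlogon' 'Shell' $winlogon.Shell ($winlogon.Shell -ne 'explorer.exe')
$appInit    = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
$findings  += New-Finding 'Windows' 'AppInit_DLLs' $appInit (-not [string]::IsNullOrWhiteSpace($appInit))

# Windows Script Host state per hive: Enabled=0 means wscript/cscript refuse to run scripts
foreach ($hive in 'HKCU', 'HKLM') {
    $wsh   = Get-ItemProperty -LiteralPath "$($hive):\Software\Microsoft\Windows Script Host\Settings" -ErrorAction SilentlyContinue
    $state = if ($null -eq $wsh -or $null -eq $wsh.Enabled) { 'not set (enabled)' } else { $wsh.Enabled }
    Write-Output ("WSH Enabled ({0}): {1}" -f $hive, $state)
}

$findings | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt and read the Flagged=True rows first: a .vbs in the Startup folder, a Run value invoking wscript.exe, a non-empty AppInit_DLLs, or a Userinit that is not the stock userinit.exe are the things to delete by hand. Your own on-demand scripts only show up if something autostarts them, and even then they appear as a row to review rather than being removed.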

  3. #3


    Austin TX metro area
    Posts : 640
    Windows 7 Pro 64bit [MS blue-disk set]


    Disabling VBS would shut down 3 of my on-demand SRP VBS scripts. Is there another way?

  4. #4



    Trying to Sith things out
    Bamberg Germany
    Posts : 2,290
    Windows 10 Pro 64 bit


    I believe Trnava is talking about after one has been infected, so you can "clean up". Or?

  5. #5


    Trnava
    Posts : 683
    Win 8.1.1 Pro x64


    I mean it as a prevention measure. I prefer to rely on things which disable even unknown malware.

  6. #6


    Posts : 356
    Windows 8.1 Enterprise


    Quote Originally Posted by RolandJS View Post
    Disabling VBS would shut down 3 of my on-demand SRP VBS scripts. Is there another way?
    I wonder if creating new user account works:
    Quote Originally Posted by TairikuOkami View Post
    To install itself, Rombertik first creates a VBS script named fgf.vbs, which is used to kick off Rombertik every time the user logs in, and places the script into the users Startup folder.
    Probably not if you're an administrator and click on random links

  7. #7


    Posts : 375
    Win 8.1 64bit


    Enough said:

    It gets installed when people click on attachments included in malicious e-mails.

  8. #8



    Trying to Sith things out
    Bamberg Germany
    Posts : 2,290
    Windows 10 Pro 64 bit


    For more information on Rombertik, go to Threat Spotlight: Rombertik on the Cisco blog.
