New Malware Erases Entire Hard Drive Upon Detection

By John Lister

Tech giant Cisco has warned that a new strain of malware is designed to render a Windows computer virtually useless if it is discovered by security software, effectively triggering a booby-trap payload that ultimately destroys all user data on the hard drive.

Cisco says that Rombertik has "multiple layers of obfuscation and anti-analysis functionality" meaning that it is hard to discover and hard to examine. It's able to hide itself from both static and dynamic analysis, which respectively scan a computer's files and its currently active applications. (Source: cisco.com)

How the Rombertik Malware Spreads

In its initial stages, Rombertik is reminiscent of many common malware variations. It's spread by bogus emails, many of which appear to come from a non-existent organization called "Windows Corporation." The messages have an attached zip file which, when uncompressed, produces what appears to be a PDF document. In fact, it's an executable file that installs the malware.

Once initiated, the malware scans for any login data and other sensitive information being sent through a web browser, then relays it to a web server presumably controlled by its creators. It is similar to several high-profile malware variations that targeted online banking details, though it appears to be less discriminating about what data it gathers.

Malware Fills up Log Files, Resulting in Massive Lag

In addition to stealing user data, Rombertik pulls a few nasty tricks to tie up security software. It takes a single byte of randomly generated data and writes it to the computer's memory a whopping 960 million times. Not only does that leave anti-malware and antivirus software scrambling to track the activity, it also creates a massive log file that could become so huge that it slows the computer to a standstill and/or fills the hard drive to capacity.

Rombertik Wipes out MBR, Partition Data

What makes Rombertik highly unusual is that it repeatedly checks to see if any security software is examining its files; if it does detect such monitoring, it launches a particularly nasty tactic of deleting the Master Boot Record (MBR) on the hard drive. The Master Boot Record is what allows Windows and other operating systems to start during the boot process; without it, the computer simply won't boot, or becomes stuck in an endless boot loop.

To make things worse, Rombertik will also erase the hard drive's geometry, which effectively wipes out all partitions on the hard drive. This means that not only will users need to reinstall Windows from scratch, but any subsequent attempt to recover data from the hard drive will be less likely to succeed. (Source: bbc.co.uk)
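The two things the article says Rombertik destroys, the MBR and the partition table, both live in the first 512-byte sector of the disk. The following Python is an added example (not code from Cisco, the BBC or the article) showing the triage check a responder can run against a raw disk image of a suspect machine: it parses that sector and classifies it as intact, GPT-protective (a GPT disk keeps a placeholder MBR with partition type 0xEE), zeroed, or damaged. The sample sector is constructed inline.

```python
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
GPT_PROTECTIVE_TYPE = 0xEE        # a GPT disk carries a "protective" MBR of this type


@dataclass
class PartitionEntry:
    bootable: bool
    type_code: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty entries of the classic four-slot MBR partition table."""
    entries = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0:
            continue  # unused slot
        entries.append(PartitionEntry(status == 0x80, ptype, lba_start, count))
    return entries


def assess_mbr(sector: bytes) -> str:
    """Classify a first sector as 'intact', 'protective-gpt', 'wiped' or 'damaged'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    has_signature = sector[-2:] == BOOT_SIGNATURE
    parts = parse_partition_table(sector)
    if has_signature and any(p.type_code == GPT_PROTECTIVE_TYPE for p in parts):
        return "protective-gpt"
    if has_signature and parts:
        return "intact"
    if not has_signature and not parts and not any(sector):
        return "wiped"    # every byte zero: boot code, partition table and signature all gone
    return "damaged"      # signature or table missing, but the sector was not simply zeroed


def build_sample_mbr() -> bytes:
    # Constructed sample: zero boot code, one bootable NTFS (0x07) partition starting at LBA 2048
    sector = bytearray(SECTOR_SIZE)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = \
        struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[-2:] = BOOT_SIGNATURE
    return bytes(sector)
```

To run it against a real image, pass the first 512 bytes of the file (`open(path, "rb").read(512)`) to `assess_mbr`; a "wiped" or "damaged" result on a disk that previously booted is the signature of the MBR destruction described above, and a disk image backup is then the only practical route back.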

It is an unusual, and possibly counterproductive, technique. Normally malware creators try to make something that evades detection and stays active as long as possible so it can gather more data. Completely destroying all data on the hard drive, as Rombertik does, prevents it from collecting anything further.

How to Prevent Rombertik's Destruction

It's expected that security software manufacturers will update their products with ways to deal with Rombertik. In the meantime, prevention may be the best cure, meaning the need to take care with suspicious emails and unsolicited attachments and links is as important as ever.

With that said, by far the best advice is to back up your hard drive on a regular basis using disk imaging software, such as Acronis True Image. This will back up not only your user files but the Windows operating system as well; most backup programs cannot back up the operating system, which is what makes disk image backups unique. If anything should happen, you can restore all your data with little effort (even if Windows becomes unbootable). Anyone needing help setting up Acronis True Image on their systems is welcome to contact Dennis for advice.

What's Your Opinion?

Do you think security software makers can keep up with the increasing creativity of malware creators? Does the idea of malware being specifically designed to damage a computer make you more likely to keep security software up to date?


Comments

NickyK:

Acronis True Image is not inexpensive. Is Windows 7's own back-up system insufficient for the task?

Dennis Faas:

Windows Backup definitely does not do disk image backups. Very few programs on the market are capable of doing disk images which can back up the entire operating system, MBR (master boot record), and even sector-by-sector on the hard drive. Acronis True Image can do all of those. If you want to take your chances by not using a disk image backup, I'd say you're shooting yourself in the foot. True Image really doesn't cost that much, either. You can get a 3-PC license of True Image through Infopackets for $79 or a single license for $49. It's also backed by a 30 day guarantee.

stooobeee:

AOMEI is both free and paid for, simple to use, backs up sector by sector and incremental. The paid-for Pro version is inexpensive and has free, lifetime upgrades last time I purchased it.

philipreeves46:

I've been using Acronis True Image for many years. It's one of the first programs I put on every PC I buy. A few months ago a Microsoft update trashed my computer. Thank God for my Acronis True Image backup.

spiras:

I too have been using Acronis True Image for several years now and am very happy with it. It has the additional benefit of being able to use the image file as if it were a hard disk, i.e. you can open it with Windows Explorer and copy individual files and folders etc. without having to go through a restore process.

kas_0713:

My go to product for imaging and recovery is always StorageCraft ShadowProtect. I use it both personally and professionally. It can be used for free to image any Windows PC with no loss in functionality, except restore. To restore does require a license. Excellent product that I can wholeheartedly recommend.

rbrunermd:

For myself, I found that the free version of Macrium Reflect does very nicely. I had a nasty problem on a dual-booted netbook that fouled things up so badly I had to buy another netbook of the same make and model to obtain a working OS. I also had an outboard CD drive that probably foiled by means of the connection arrangement the previous backup of the first netbook. I found that the Windows PE repair disc that can be made from the Macrium Reflect worked well with my netbook arrangement and I now have 2 working netbooks that I eventually upgraded to Windows 7 Home. I like.

swreynolds:

Aside from their useless customer support, Acronis does not correctly back up Alternate Data Stream data. Case in point: if you back up a disk containing a QuickBooks installation and then restore it, QuickBooks will get a license failure, or worse, you will need to reinstall it. QuickBooks stores its license information in the ADS. My best success has been with Norton Ghost (unfortunately discontinued). I have been forced to use Acronis for GPT partitions, but the problem persists.