So it seems that a new and very nasty piece of malware is making its rounds on the Internet. This malware, called Rombertik, is particularly nasty because if it detects that it is running in a sandbox (like a virtual machine, so that people can safely analyze it) it deletes itself, but if it detects that it has been detected on a real machine, it either wipes the storage medium (your hard drive or SSD) or deletes the MBR (Master Boot Record), preventing the computer from starting up again.
If it just deleted the MBR and itself and did nothing afterwards, I wouldn't be too worried about it, because I have replaced the MBR before without reinstalling Windows (it's actually rather easy to do) and restored the machine to its former functionality. But if it does take your files with it, then it's definitely something to look out for.
Because Rombertik goes after the Master Boot Record, I'm not sure how it would function on a computer running a UEFI system, because that boots a little differently. Either way, it's best to keep this nasty little thing away from your computer.
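Since the damage described above is a wiped or overwritten MBR, one practical defence is to keep a copy and a fingerprint of the first sector while the machine is known-good, so that a later read can be compared against it (and the saved copy restored, as the post describes doing by hand). The following Python check is an added example written for this post, not code from the original or from any product it mentions. It parses the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature at offset 510) and reports what changed. The sample sector is constructed inline; on a real Linux host the live sector would be read from the raw disk device as root, which is shown only in a comment.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; store this (and the sector itself) while the machine is known-good."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> list:
    """Return human-readable findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing (sector zeroed or overwritten)")
    if not info["partitions"]:
        findings.append("partition table is empty")
    if info["boot_code"] == bytes(PARTITION_TABLE_OFFSET):
        findings.append("boot code area is all zeros")
    if mbr_fingerprint(sector) != baseline_fingerprint:
        findings.append("sector fingerprint differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot stub, one bootable NTFS partition, valid signature."""
    boot_code = b"\xeb\x3c\x90" + b"\x00" * (PARTITION_TABLE_OFFSET - 3)  # not real boot code
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # 0x07 = NTFS/exFAT type
    table = entry + bytes(16 * 3)  # remaining three entries unused
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    # On a real Linux host the live sector would come from, e.g.,
    # open("/dev/sda", "rb").read(512) run as root; here we use the constructed sample.
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    print("known-good MBR:", check_mbr(good, baseline) or "OK")
    print("wiped MBR:     ", check_mbr(bytes(SECTOR_SIZE), baseline))
```

The obvious caveat is that a check run from inside the operating system only helps before the machine stops booting, so its value is in the baseline and the saved copy of the sector: a scheduled run that compares fingerprints gives an early warning, and the saved 512 bytes are what you write back from rescue media if the check ever fails.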
Of course, the main purpose of Rombertik is to steal your web browsing data, including login information. It doesn't target just banking information; it targets everything. That means your email, Facebook and Linus Tech Tips accounts will also be stolen by Rombertik.
The only way I know of avoiding it is to avoid emails which contain attachments (especially if you don't know who the sender is). This is a broad generalization, but from what I've read, Rombertik is often sent through official-looking emails appearing to be from big companies such as Microsoft. Microsoft won't send you email attachments under any circumstances. Even so, if you see an email with an attachment in it, and it looks like it comes from a big company, just delete it anyway and contact the company. If it is legitimate, they will send another if you ask for it. Rombertik also uses phishing tactics to infect computers. Again, keep an eye out for those. I also delete anything and everything in my spam box in Gmail, regardless of whether or not it's legitimate, unless I've been expecting an email that ended up there.
I don't know how antivirus companies will write their software to protect against this virus. One thing I can think of is BIOS or UEFI firmware, modified by the computer's manufacturer, that actively looks for such malicious software and removes it before searching for an operating system. This could be effective because once the Rombertik malware has installed itself, it restarts the computer, so with a scan implemented in the BIOS or UEFI that runs before the operating system is booted, Rombertik cannot detect that it has been detected. But this method would be difficult to implement, and older computers probably wouldn't be supported.
Another idea I had was an updated version of Microsoft Defender written to a separate partition, where only authorized software carrying a long authorization code known only to Microsoft can run, with that partition accessed first during the boot process (even before the Master Boot Record), thus preventing Rombertik from running before anything else. Defender would then scan the storage medium for any traces of Rombertik and delete them all. Other antivirus companies such as Avast! or Kaspersky could do this as well, but it would require authorization from Microsoft. Of course, this would be much easier to implement than a BIOS or UEFI scan that looks for things like Rombertik, but there's a chance that virus makers could intercept this authorization code and build it into their virus. This is extremely important: Rombertik disguises itself as a .SCR file, a screensaver, but it looks like a .PDF file. This will trick many unknowing users. Of course, that is the disguise we know of as of now; there may be more disguises now or in the future.
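The .SCR-dressed-as-PDF trick is something a mail gateway, or a cautious user with a script, can check for mechanically rather than by eye. The following Python screen is an added example written for this post, not code from the original or from any product it mentions. It flags an attachment when its last extension is one Windows executes, when a document extension is tucked in front of it (the "Invoice.pdf.scr" pattern, which is an assumption about how the disguise is built, since Windows hides the final extension of known types by default), or when the file's leading bytes do not match what its extension claims (a Windows executable begins with "MZ", a PDF with "%PDF"). The sample attachments are constructed inline.

```python
import os

# Extensions Windows runs as programs; the post's case is .SCR, a screensaver.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}
# Extensions users read as harmless documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".jpeg", ".png"}

# Leading bytes ("magic numbers") that identify common formats, checked in order.
MAGIC = [
    (b"MZ", "pe-executable"),      # Windows EXE/SCR/DLL
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),        # also the container for .docx/.xlsx
]
# What the content should sniff as for extensions that have a fixed signature.
EXPECTED_KIND = {".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
                 ".docx": "zip", ".xlsx": "zip"}


def sniff_type(data: bytes) -> str:
    """Identify the content by its leading bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict ('allow' or 'block') for one attachment and the reasons for it."""
    name = filename.lower()
    stem, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(stem)   # "invoice.pdf.scr" -> stem "invoice.pdf", inner ".pdf"
    kind = sniff_type(data)
    findings = []

    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
        if inner_ext in DOCUMENT_EXTS:
            findings.append(f"document extension {inner_ext} placed in front of {ext}")
    if kind == "pe-executable" and ext not in EXECUTABLE_EXTS:
        findings.append(f"PE header (MZ) in a file named {ext or 'without an extension'}")
    if ext in EXPECTED_KIND and kind != EXPECTED_KIND[ext]:
        findings.append(f"content does not look like {ext} (sniffed {kind})")

    return {
        "filename": filename,
        "detected_type": kind,
        "verdict": "block" if findings else "allow",
        "findings": findings,
    }


def screen_samples() -> list:
    """Run the screen over constructed attachments: a lookalike .scr, a real PDF, a mislabelled PDF."""
    fake_pe = b"MZ\x90\x00" + bytes(60)          # constructed PE-style header, not a real program
    real_pdf = b"%PDF-1.4\n%constructed sample\n"
    samples = [
        ("Invoice.pdf.scr", fake_pe),
        ("report.pdf", real_pdf),
        ("report.pdf", fake_pe),
        ("notes.txt", b"plain text, no signature"),
    ]
    return [classify_attachment(n, d) for n, d in samples]


if __name__ == "__main__":
    for result in screen_samples():
        print(f"{result['verdict']:5} {result['filename']:18} {result['detected_type']:14} {result['findings']}")
```

Two design points matter here: the content check is independent of the name check, so renaming a program to ".pdf" is caught even without a double extension, and "unknown" content under an extension with a known signature is treated as a mismatch rather than waved through, which is the conservative choice for a gateway.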
Here are some ways I think viruses can get in, and how you can help stop that:
- Through attachments in emails. Just don't download any attachments, regardless of where they look like they're from, unless you're expecting them.
- Through phishing. Instead of following the link, go to the actual website the email claims to be from.
- Through downloader installers. Some websites employ custom-made installers which download the program you want from a server on the Internet. These installers often offer you other crapware that you don't want, but fortunately most of them don't install it if you uncheck it or decline the crapware's licensing agreement. CNET uses installers like these for some programs, and while CNET is trustworthy, I still don't use their downloaders. I always use their "direct download link" option, a small link close to the actual download button. So, don't use any downloaders or installers. Look for a direct download link on the website in question. If they don't offer one, look elsewhere.
- Through program installers. This one in particular drives me nuts. Sometimes I'll be installing a perfectly legitimate program through its own installer, but before the installer copies its files to the storage medium, it offers you one or more (usually three) extra programs, which either have a checkbox or come with "I agree" to the licensing agreement already checked. Again, deselect all of these. Even if they are legitimate programs being offered, they're probably not going to be of much use.
- Use Web of Trust, and actually check the website scorecard. Web of Trust places a circle next to almost every link you see in your web browser. This circle is intended as an indication of whether a site is trustworthy or not, with green indicating a safe site, yellow a site which is not trustworthy, and red a dangerous site. Of course, sometimes these indicators may not be correct (I believe some bad sites may employ bots to mass-rate their site to make it appear good), so always check the site scorecard to see if anyone is leaving negative comments about the site. If you have a bad experience with a site, sign up for Web of Trust and leave a comment on the site's scorecard so other users know about any problems.
- Always have up-to-date and effective antivirus software. I personally use Kaspersky Internet Security on my main machines. It's expensive, but so worth it. I have never had any serious issues while using Kaspersky. Another good AV is Avast!. I recommend using the full versions on your most important computers. Norton is not a very effective AV, and McAfee has a lot of problems, so I don't recommend those. If you can prevent yourself from getting Rombertik in the first place, you've already won.