Wednesday, 6 May 2015

Malware Destroys MBR Hard Disk During Analysis

It is well known that malware authors use all sorts of tricks to prevent their creations from being analysed, but a newly found specimen goes very far and "destroys" the Master Boot Record (MBR) of the hard disk, so that the computer will no longer boot, researchers at Cisco report.

The MBR contains information about the type and location of the logical partitions on the hard drive and is essential for the computer to be able to start. The newly discovered Rombertik malware targets the MBR when it detects that it is being analysed. The malware spreads via e-mail attachments and poses as a PDF file; in reality the attachment is an SCR (screensaver executable) file.

Once a user opens the attachment, Rombertik first checks whether it is running in a sandbox. Sandboxes are often used by researchers to analyse malware, and malware regularly checks for the presence of this kind of analysis environment. If no sandbox is found, the installation continues. Rombertik is designed to steal passwords from browsers.

Before it does so, one final check is carried out to verify that the malware is not being analysed in memory. If this check fails, Rombertik strikes: it destroys the MBR and overwrites partitions with null bytes, so that recovering data from those partitions is difficult. The MBR is further modified so that the computer enters an infinite reboot loop. If the malware does not have permission to overwrite the MBR, it instead overwrites and encrypts all of the user's files in the home directory.
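To make the MBR format and the "overwritten with null bytes" outcome concrete from the defender's side, here is an added example that is not from the Cisco report or the original post: a read-only parser for the 512-byte MBR sector that decodes the four partition entries and flags the conditions a null-byte overwrite produces (missing 0x55AA boot signature, an all-zero boot code area, an empty partition table, overlapping entries). The sample sectors and the helper names (`check_mbr`, `parse_partition_table`, `sample_healthy_mbr`, `sample_wiped_mbr`) are my own constructions.

```python
"""Read-only MBR parser and integrity check (added example; not Cisco's or the original post's code)."""
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
TABLE_OFFSET = 446          # the partition table follows the 446-byte boot code area
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    index: int
    status: int        # 0x80 = bootable, 0x00 = inactive
    type_id: int       # e.g. 0x07 NTFS/exFAT, 0x83 Linux, 0x05/0x0F extended container
    lba_start: int
    sector_count: int

    @property
    def is_empty(self) -> bool:
        return self.type_id == 0 and self.lba_start == 0 and self.sector_count == 0

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count   # exclusive


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four 16-byte partition entries of a 512-byte MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack(
            "<B3BB3BII", sector[off:off + ENTRY_SIZE])
        entries.append(PartitionEntry(i, status, ptype, lba, count))
    return entries


def check_mbr(sector: bytes) -> List[str]:
    """Return a list of findings; an empty list means the sector looks like a sane MBR.
    A sector that has been overwritten with null bytes trips several checks at once."""
    findings = []
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(sector[:TABLE_OFFSET]):
        findings.append("boot code area is entirely null bytes")
    entries = parse_partition_table(sector)
    used = [e for e in entries if not e.is_empty]
    if not used:
        findings.append("partition table is empty")
    for e in used:
        if e.status not in (0x00, 0x80):
            findings.append(f"entry {e.index}: invalid status byte 0x{e.status:02x}")
        if e.sector_count == 0:
            findings.append(f"entry {e.index}: zero-length partition")
    # overlapping partitions indicate a corrupted or tampered table
    for a in used:
        for b in used:
            if a.index < b.index and a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                findings.append(f"entries {a.index} and {b.index} overlap")
    return findings


def build_entry(status: int, type_id: int, lba_start: int, count: int) -> bytes:
    """Build one partition entry; CHS fields carry the conventional 'use LBA' marker FE FF FF."""
    return struct.pack("<B3BB3BII", status, 0xFE, 0xFF, 0xFF,
                       type_id, 0xFE, 0xFF, 0xFF, lba_start, count)


def sample_healthy_mbr() -> bytes:
    """Constructed sample: a few non-zero boot code bytes, one bootable NTFS partition,
    one Linux partition, two empty slots, valid signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(TABLE_OFFSET - 8)
    table = (build_entry(0x80, 0x07, 2048, 409600)
             + build_entry(0x00, 0x83, 411648, 204800)
             + bytes(ENTRY_SIZE) * 2)
    return boot_code + table + BOOT_SIGNATURE


def sample_wiped_mbr() -> bytes:
    """Constructed sample of the 'overwritten with null bytes' case."""
    return bytes(MBR_SIZE)


if __name__ == "__main__":
    for name, sec in (("healthy", sample_healthy_mbr()), ("wiped", sample_wiped_mbr())):
        print(name, check_mbr(sec) or "OK")
```

In practice you would feed `check_mbr` the first 512 bytes read from the disk (or from a forensic image) and compare the decoded partition table with a copy saved while the machine was known to be good; keeping such a copy is what makes the MBR recoverable after an overwrite, since the parser can only tell you that the table is gone, not what it contained.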
