Recently a friend of mine sent me a photo of the image on his computer screen. It was a Windows firewall warning message saying that his computer had been infected with malware. He said that when he tried to reboot the computer it got into an endless loop and he could not get it to do anything. He finally took it to the computer repair shop, and they had to reload a new system. Thankfully he had a complete, clean backup of all his files, so he didn’t lose anything. I asked what the repair folks said the problem was, and he indicated that they didn’t tell him anything specific, only that he “probably had bad malware.”
Hmm…His situation intrigued me. Based upon his description and the message on the screen, I believe he was hit with one of two current types of malware that are increasingly spreading and causing damage: Stegoloader and Rombertik.
Rombertik
I asked my friend what he had done before the malware appeared. He indicated that he had downloaded a couple of apps. Many types of malware are launched from apps, and a current one that uses apps as just one of its many infection pathways is Rombertik. The malware also often tricks users into installing it via attachments in bogus phishing emails, and it can be delivered as a document, a screensaver, a photo, a video, or another type of file. Once installed, Rombertik indiscriminately steals data: it captures everything the user does online, including login details for PCs, online banking credentials and any other credentials the user types on the network.
If Rombertik becomes aware that it has been discovered, it triggers evasion techniques that render the computer unusable: it deletes files and essentially destroys the master boot record (MBR) of the PC, putting the PC into a restart loop until the operating system is reinstalled. If it cannot do that, Rombertik instead encrypts the user’s files with a random key once it thinks it has been discovered.
Stegoloader
My friend also indicated that he had downloaded a video and a few photos. This made me think the malware could also have been Stegoloader. While Stegoloader is not new (it has been around since 2012), it is very tricky and seems to be circulating much more widely and quickly than in the past. Stegoloader is a Trojan that embeds its code inside PNG image files so that network- and host-based malware detection tools do not notice it. Check out the following infographic from Dell SecureWorks, which shows Stegoloader in action.
Stegoloader can also hide within video images. Infected images and videos look like legitimate files to those using Skype or Google Talk. It is hitting healthcare organizations especially hard: 42% of Stegoloader victims in the U.S. are in the healthcare space. It steals files, such as those containing passwords, health information, and other types of information that are valuable to criminals.
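Because Stegoloader hides its code inside image files that otherwise look normal, a useful defensive habit is to check whether an image is structurally what it claims to be before trusting it. The script below is an added example, not code from this post or from Dell SecureWorks: it walks the chunk structure of a PNG and flags the places where extra data is commonly smuggled (non-standard chunk types, bytes appended after the IEND chunk, and chunks whose CRC no longer matches their contents). It only inspects the container layout and never decodes pixel data, so it is a first-pass sanity check rather than a detector for any specific malware family. The sample images it builds are constructed in the script itself; `build_sample_png` and `inspect_png` are names chosen for this example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined in the PNG specification; anything else is non-standard.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND",
    b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB",
    b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
}


def make_chunk(ctype, payload):
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def inspect_png(data):
    """Return a list of findings describing structural oddities in a PNG byte string.

    An empty list means the container looks clean. This is a heuristic over the
    chunk layout only; it does not examine pixel values.
    """
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["bad-signature"]

    pos = len(PNG_SIGNATURE)
    seen_iend = False
    while pos + 8 <= len(data) and not seen_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            findings.append("truncated-chunk:%s" % ctype.decode("latin-1"))
            return findings
        payload = data[start:end]
        crc_stored = struct.unpack(">I", data[end:end + 4])[0]
        # A CRC that no longer matches usually means the chunk was edited after the fact.
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc_stored:
            findings.append("crc-mismatch:%s" % ctype.decode("latin-1"))
        # Private or unknown chunk types are legal PNG, but a common place to stash data.
        if ctype not in KNOWN_CHUNKS:
            findings.append("unknown-chunk:%s:%d" % (ctype.decode("latin-1"), length))
        if ctype == b"IEND":
            seen_iend = True
        pos = end + 4

    if not seen_iend:
        findings.append("missing-iend")
    # Viewers stop reading at IEND, so anything after it is never displayed.
    trailing = len(data) - pos
    if trailing > 0:
        findings.append("trailing-data:%d" % trailing)
    return findings


def build_sample_png(extra_chunks=(), trailer=b""):
    """Construct a minimal 1x1 grayscale PNG (a constructed sample, not a real file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit depth, grayscale
    idat = zlib.compress(b"\x00\x00")                     # one filter byte + one pixel
    body = make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += make_chunk(ctype, payload)
    return PNG_SIGNATURE + body + make_chunk(b"IEND", b"") + trailer


# Constructed samples: a clean image, one with a private chunk plus trailing bytes,
# and one whose tEXt chunk was edited without recomputing its CRC.
CLEAN = build_sample_png()
SMUGGLED = build_sample_png(extra_chunks=[(b"stEg", b"X" * 64)], trailer=b"x" * 32)
TAMPERED = build_sample_png(extra_chunks=[(b"tEXt", b"Comment\x00hello")]).replace(b"hello", b"hellp")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("smuggled", SMUGGLED), ("tampered", TAMPERED)):
        print(name, inspect_png(sample) or "no findings")
```

Run it on a downloaded image by reading the file as bytes and passing them to `inspect_png`; a clean result is not proof of safety, only that the obvious container tricks are absent.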
Protecting against Stegoloader and Rombertik
Protecting effectively against these nasty, stealthy malware types is very similar to protecting against any other type of malware, with one very important difference: because many anti-malware tools will not catch them, it takes much more conscious effort on the part of individuals to spot suspicious activity and to avoid downloading certain types of files or clicking on links, photos or images that could be infected.
Make sure you, your family, friends and employees know the following at a minimum:
- Don’t open email attachments from unknown sources, or from senders you know whose message is unlike anything they have ever sent before.
- Don’t click on links, photos or videos during Skype or Google Talk sessions, on social media sites, or from within messages. Instead, copy the link and see if it is safe by using one of the many sites available to do such checks, such as http://app.webinspector.com/.
- Don’t download photos or videos from sites that you’re not familiar with.
In addition to these human actions that every computer user should take, there are also some technology protections that can help prevent the destruction these malware types cause.
- Use memory forensics.
- Ensure full data backups are made and stored away and disconnected from the computer itself.
- Block photo and video sharing from Skype, Google Talk and other types of online communications tools.
- Keep anti-virus signature files up-to-date.
- Use firewalls and spam blockers.
For more information
Here are some more great sources of information for Stegoloader:
- Stegoloader: A Stealthy Information Stealer
- Stegoloader: A Wolf in Sheep’s Clothing
- Data-stealing component of ‘Stegoloader’ hides in PNG images
- Trojan that hides inside images infects healthcare organizations
- Security Expert Comments on U.S. Healthcare ‘Stegoloader’ Malware
Here are some additional great sources of information for Rombertik:
- Rombertik is a Bizarre, Scary Brilliant Piece of Self-Destructing Malware
- Rombertik: what you should know about the evolution of destructive malware
- Beware Of Rombertik Virus
- On Your Side Alert: Computer virus destroys PC if detected
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
Tags: anti-malware, Dell, Information Security, IT compliance, malware, policies and procedures, power more, powermore, privacy, privacy compliance, privacy professor, privacyprof, program changes, risk management, Rombertik, security awareness, security training Rebecca Herold, Stegoloader, toprank