New malware destroys the HDD's master boot record and causes an infinite boot loop

It is well known that malware developers use all kinds of tricks to hinder analysis of their creations, but a new malware sample goes further than before: it destroys the Master Boot Record (MBR) of the hard disk so the computer no longer starts.


The MBR holds the boot code and the partition table that records the type and location of the logical partitions on an HDD, and it is essential for a computer to start. Cisco has discovered malware called Rombertik that targets the MBR when researchers try to analyse it. The malware spreads through email attachments and presents itself as a PDF file; in reality it is an SCR file (a Windows screensaver executable), which is the actual malware.
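A mail gateway or analyst cannot rely on the name an attachment presents itself under. The following Python is an added example, not code from the article or from Cisco, showing the two checks a defender would run on an attachment before it reaches a user: whether the real extension is executable (with a document extension hidden in front of it, as in `invoice.pdf.scr`), and whether the leading bytes match the type the extension claims (a "PDF" that starts with the `MZ` PE header is an executable). The function names, the small magic-byte table and the sample attachments are all constructed for the example; the masquerade patterns it tests for are assumed, since the article does not say how the SCR file was disguised.

```python
"""Hypothetical attachment triage check (added example, not from the article)."""
import os

# Leading bytes a file should start with for the type its extension claims
# (constructed table; only the formats needed for this example).
EXPECTED_MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG",
}
WINDOWS_EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
PE_MAGIC = b"MZ"          # start of every Windows PE executable, .scr included


def classify_attachment(filename, head):
    """Classify an attachment from its name and first bytes.

    Returns one of:
      'double-extension' - executable extension hiding behind a document one
      'executable'       - the final extension is itself executable
      'masquerade'       - claims a document type but starts with 'MZ'
      'mismatch'         - claims a document type but the bytes differ
      'ok'               - bytes agree with the claimed type
      'unknown'          - extension not in the table
    """
    name = filename.lower()
    stem, ext = os.path.splitext(name)
    if ext in WINDOWS_EXECUTABLE_EXTS:
        _, inner = os.path.splitext(stem)      # e.g. ".pdf" of "invoice.pdf.scr"
        if inner in EXPECTED_MAGIC:
            return "double-extension"
        return "executable"
    if ext not in EXPECTED_MAGIC:
        return "unknown"
    if head.startswith(PE_MAGIC):
        return "masquerade"
    if not head.startswith(EXPECTED_MAGIC[ext]):
        return "mismatch"
    return "ok"


# Constructed sample attachments (name, first bytes); no real files involved.
SAMPLES = [
    ("quarterly_report.pdf", b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf.scr",      b"MZ\x90\x00\x03\x00\x00\x00"),
    ("statement.pdf",        b"MZ\x90\x00\x03\x00\x00\x00"),
    ("scan.pdf",             b"PK\x03\x04"),
]


def triage(samples):
    """Return the verdict for each sample; anything but 'ok' deserves a look."""
    return {name: classify_attachment(name, head) for name, head in samples}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:24s} {verdict}")
```

Only the first few bytes of each file are needed, so the check is cheap enough to run on every attachment; in a real deployment the magic table would be far larger and the verdicts would feed a quarantine rule rather than a print loop.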

As soon as a user opens the attachment, Rombertik first checks whether it is running in a sandbox. Sandboxes are often used by researchers to analyse malware, and much malware contains checks to determine whether it is running in this kind of analysis environment. If no sandbox is detected, the installation proceeds. Rombertik is designed to steal passwords from browsers.

Before carrying out its tasks it performs a last check to see whether it is being analysed in the computer’s memory. If this check fails, Rombertik strikes: it destroys the MBR and overwrites all partitions with null bytes, so that recovery of the data is harder. The MBR is modified in such a way that the computer enters an infinite boot loop. If the malware has no permission to overwrite the MBR, it instead overwrites all files in the home directory and encrypts them.
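The MBR layout described earlier (boot code, then a four-entry partition table, then a two-byte boot signature) and the null-byte overwrite described here suggest a simple forensic check a responder can run on the first sector of a disk image. The following Python is an added example, not code from the article or from Cisco: it parses the partition table, verifies the `55 AA` signature, compares the 446-byte boot code area against a known-good SHA-256 baseline, and reports whether the sector looks intact, wiped to nulls, unsigned, or tampered. The function names, the baseline-hash approach and the sample sector are constructed for the example; nothing here reproduces the malware's behaviour, it only reads and classifies a sector.

```python
"""Hypothetical MBR integrity check (added example, not from the article)."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries live at 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_partition_table(mbr):
    """Decode the four partition entries; skip empty (type 0x00) slots."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    entries = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        raw = mbr[off:off + PARTITION_ENTRY_SIZE]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:
            continue
        entries.append({"slot": slot, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start,
                        "sectors": sectors})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the 446-byte boot code area, recorded as a baseline."""
    return hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest()


def assess_mbr(mbr, baseline_hash=None):
    """Classify a sector as ok / wiped / unsigned / tampered."""
    report = {
        "all_null": not any(mbr),                       # null-byte overwrite
        "signature_ok": mbr[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
        "partitions": parse_partition_table(mbr),
    }
    if report["all_null"]:
        report["verdict"] = "wiped"
    elif not report["signature_ok"]:
        report["verdict"] = "unsigned"
    elif baseline_hash is not None and boot_code_hash(mbr) != baseline_hash:
        report["verdict"] = "tampered"
    else:
        report["verdict"] = "ok"
    return report


def build_sample_mbr():
    """Constructed known-good sector: filler boot code, one active NTFS
    partition at LBA 2048, valid signature (not a real disk image)."""
    code = bytes([0xFA, 0x33, 0xC0]) + b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = boot_code_hash(good)          # taken while the disk is healthy
    wiped = b"\x00" * SECTOR_SIZE
    tampered = b"\xeb\xfe" + good[2:]        # boot code altered, table intact
    for name, sector in [("good", good), ("wiped", wiped),
                         ("tampered", tampered)]:
        print(name, assess_mbr(sector, baseline)["verdict"])
```

The baseline hash is the part that turns this from a format check into tamper detection: the signature and partition table of a modified boot sector can remain perfectly valid, so only a comparison against a copy taken while the machine was healthy will flag replaced boot code. Reading the real first sector (for example from a raw image file opened in binary mode) is left to the caller.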