
* The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window.


* It is being spread through spam and phishing messages.
* Rombertik is spyware designed to collect data on everything a victim does online, doing so in an indiscriminate manner rather than focusing on areas such as Internet banking or social media accounts.
* After being loaded onto a system via a phishing campaign and malicious email attachments, Rombertik runs a series of anti-analysis checks, such as checking whether it is running within a sandbox.
Once these complete, Rombertik decrypts and installs itself on the victim's computer.
Following installation, a second copy of itself is launched and overwritten with the malware's core spying functionality.
The spyware is unusual, however, in how far the malicious code will go to prevent detection, analysis and debugging.
According to Cisco, before the malware begins spying on a victim, Rombertik runs a final check to detect whether it is being analyzed in memory.
If that check indicates analysis or tampering, it destroys the master boot record (MBR) of the compromised computer, leaving the PC unable to boot.
The team captured a sample and found the unpacked Rombertik sample was 28 KB, while the packed version is 1264 KB.
* It first takes aim at the Master Boot Record (MBR), the first sector of a PC's hard drive, which the computer reads before loading the operating system.
If Rombertik doesn't have access to the MBR, it effectively destroys all of the files in the user's home folder by encrypting each with a random RC4 key.
Once the MBR has been overwritten or the home folder encrypted, the computer restarts.
The overwritten MBR enters an infinite loop that stops the computer from booting. The screen reads "Carbon crack attempt, failed".
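A defender's first question after a suspected wipe is whether the MBR is still sane. The following triage script is an added example (not Cisco/Talos code): it reads a 512-byte sector, checks the standard 0x55AA signature and partition table, and applies two heuristics assumed for illustration only, namely that a wiper leaves a `jmp $` (bytes `EB FE`) tight loop where the bootstrap code should be, and that the on-screen message quoted above is stored as a plain ASCII string in the sector. The healthy and wiped sectors are constructed inline, not taken from a real disk image.

```python
import struct

# Standard MBR layout (facts, not assumptions): 446 bytes of bootstrap code,
# four 16-byte partition entries at offset 446, and the 0x55AA signature at 510.
SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"
BOOT_SIGNATURE = b"\x55\xAA"

# Heuristics assumed for this example (not from the Talos report):
# 'EB FE' is the x86 encoding of 'jmp $', a jump to itself, i.e. the kind of
# infinite loop a wiper leaves in place of the bootstrap code.
TIGHT_LOOP = b"\xEB\xFE"
# The on-screen message quoted above; we assume the wiper stores it as a plain
# ASCII string inside the overwritten sector so the loop code can print it.
WIPE_MESSAGE = b"Carbon crack attempt, failed"


def parse_partitions(sector: bytes) -> list:
    """Decode the four primary partition entries into dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def triage_mbr(sector: bytes) -> list:
    """Return a list of findings; an empty list means the sector looks sane."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if sector.startswith(TIGHT_LOOP):
        findings.append("bootstrap code begins with jmp $ (infinite loop)")
    if WIPE_MESSAGE in sector:
        findings.append("wiper message string present")
    parts = parse_partitions(sector)
    if not any(p["type"] for p in parts):
        findings.append("partition table empty")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    return findings


def build_sector(bootstrap: bytes, partitions: list) -> bytes:
    """Construct a sector for testing (constructed sample data, not a real disk image).

    partitions: list of (status, type, lba_start, sector_count) tuples, at most four.
    """
    assert len(bootstrap) <= PART_TABLE_OFFSET and len(partitions) <= 4
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    for i, entry in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector,
                         PART_TABLE_OFFSET + i * PART_ENTRY_SIZE, *entry)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Healthy sector: the usual 'xor ax,ax / mov ss,ax / mov sp,0x7C00' prologue and
# one active NTFS (type 0x07) partition starting at LBA 2048.
HEALTHY_MBR = build_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", [(0x80, 0x07, 2048, 204800)])
# Wiped sector: jmp-to-self loop, the message string, partition table zeroed.
WIPED_MBR = build_sector(TIGHT_LOOP + WIPE_MESSAGE, [])


if __name__ == "__main__":
    for name, mbr in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        print(name, triage_mbr(mbr) or ["no findings"])
```

On a live system the sector comes from a forensic image or from `dd if=/dev/sda bs=512 count=1`; the checks are cheap enough to run across a fleet, and a missing signature or a `jmp $` stub at offset 0 is worth an alert on its own.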
* It also tries to avoid sandboxing, the practice of isolating code for a while until it has checked out.
Some malware tries to wait out the period it is in a sandbox, hoping the sandbox will time out so it can wake up afterwards; many sandboxes counter this by shortening or skipping sleep calls.
Rombertik stays awake instead, and writes one byte of data to memory 960 million times, which complicates analysis for application tracing tools.
If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes, Talos wrote.
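Why the busy-write loop hurts a tracer that logs every store, and how a coalescing tracer copes. This is an added example, not Talos's tooling: the trace record format, the addresses, the per-record sizes and the sample trace are constructed assumptions. With a minimal 37-byte record the 960 million writes project to about 35 GB; a fuller record carrying registers and a timestamp (assumed here to be 120 bytes) passes the 100 GB figure the page cites. Collapsing consecutive stores from the same instruction to the same address into one run record keeps the log bounded regardless of the iteration count.

```python
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple


@dataclass(frozen=True)
class WriteEvent:
    """One memory store as a tracer would see it (constructed trace format)."""
    ip: int     # address of the store instruction
    addr: int   # destination address
    value: int  # byte written


def stall_loop(count: int, ip: int = 0x401000, addr: int = 0x601000) -> Iterator[WriteEvent]:
    """Model the loop described above: one store instruction writing one byte to
    one address `count` times. Addresses are assumed; values vary, the location does not."""
    for i in range(count):
        yield WriteEvent(ip, addr, i & 0xFF)


def sample_trace(stall: int) -> Iterator[WriteEvent]:
    """Constructed trace: two ordinary stores, the stall loop, then one more store."""
    yield WriteEvent(0x400F00, 0x600000, 0x01)
    yield WriteEvent(0x400F08, 0x600004, 0x02)
    yield from stall_loop(stall)
    yield WriteEvent(0x401010, 0x600008, 0x03)


# Minimal per-store record of a naive tracer (assumed format, 37 bytes per line).
NAIVE_LINE = "ip={ip:#x} addr={addr:#x} value={value:#04x}\n"


def naive_log_bytes(events: Iterable[WriteEvent]) -> int:
    """Bytes written by a tracer that emits one line per store."""
    return sum(len(NAIVE_LINE.format(ip=e.ip, addr=e.addr, value=e.value)) for e in events)


def coalesce(events: Iterable[WriteEvent]) -> List[Tuple[int, int, int, int]]:
    """Collapse consecutive stores from the same instruction to the same address
    into (ip, addr, run_length, last_value) records. The stall loop becomes a
    single record, so the log stays small however many iterations it runs."""
    runs: List[list] = []
    for e in events:
        if runs and runs[-1][0] == e.ip and runs[-1][1] == e.addr:
            runs[-1][2] += 1
            runs[-1][3] = e.value
        else:
            runs.append([e.ip, e.addr, 1, e.value])
    return [tuple(r) for r in runs]


def projected_naive_gb(bytes_per_record: int, total_writes: int = 960_000_000) -> float:
    """Scale one record's size up to the 960 million writes reported for Rombertik."""
    return total_writes * bytes_per_record / 1e9


if __name__ == "__main__":
    n = 1_000_000  # scaled down so the demo runs in seconds
    per_record = naive_log_bytes(stall_loop(1))
    print(f"naive: {per_record} bytes/record -> {projected_naive_gb(per_record):.1f} GB for 960M writes")
    print(f"naive with an assumed 120-byte record -> {projected_naive_gb(120):.1f} GB")
    print(f"coalesced: {len(coalesce(sample_trace(n)))} records for {n + 3} stores")
```

The design point is that the tracer, not the sample, decides what a "write" costs to record: per-event logging gives the malware a lever over disk and time, whereas run-length coalescing (or sampling) removes it while still preserving the fact that a single instruction hammered one address for a very long time, which is itself a useful indicator.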
*********************************
In computer security, a sandbox is a security mechanism for separating running programs.
It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites.
* You've seen and used antivirus software, right? It also behaves like a kind of sandbox: it puts restrictions on what any program can do. When a malicious activity is detected, it stops the program and informs the user that "this application is trying to access such and such resources. Do you want to allow it?".
