If you woke up this morning and read an article about the Rombertik malware on the world's biggest online news website, then you could be forgiven for thinking that the world is about to end.
The headline of the Daily Mail's report read:
Are YOU at risk from Rombertik? Terrifying 'suicide bomber' malware can destroy your computer if it thinks you've detected it
Reading a headline like this, you could be forgiven for thinking that Rombertik is possibly the most sophisticated piece of malware ever discovered, making Stuxnet look like the efforts of Luddite imbeciles.
The truth however is very different and much more mundane.
Yes Rombertik is designed to try and destroy a system when it it has been detected, but what that headline fails to mention is that this destructive mechanism will only kick in when the malware is being investigated by anti-virus researchers.
And even the term "destroy" is a bit strong in this context. What Rombertik does when it thinks it senses the presence of a researcher's tools is to wipe out their hard drive's partition sector (also known as the MBR or Master Boot Record) and force a restart. If this is unsuccessful it will attempt to encrypt the files in the home folder.
But the Daily Mail cannot be held entirely at fault here, as the researchers at Cisco used the term "destroy" four times in their report on Rombertik which starts out as a very straightforward explanation of what the malware is and what it does:
"Rombertik is a complex piece of malware that is designed to hook into the user's browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre. However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner."
The Dyre malware was recently implicated as being used as part of an attack which saw $5m (£3.3m) stolen from Ryanair's bank account.
In the wild
Talking about this approach to avoiding detection, Sagie Dulce, security researcher at Imperva, told IBTimes UK that if you put this malware "in the wild" – on someone's computer for example – you will see it behaving in one way but if you try to analyse it in the lab, you will see a whole different malware.
"Malware writers don't want their code analysed. To avoid analysis they utilise many different techniques that change the behaviour of their malware once it "knows" it is being analysed. In this case, in addition to their usual tricks, they added a wiper functionality that comes into play only when the malware is analysed in a lab.
"This feature won't affect regular victims (one less thing to worry about from the victims' end), just the researchers trying to reverse engineer the code. It is truly a nasty trick, which probably made the job of a research team much harder. I would expect malware writes to start using this feature, as it makes the job of reversing a malware much more tedious."