Once loaded into the system, Rombertik first runs a series of anti-analysis checks to determine if it is running within a sandbox. In case it isn’t running within the sandbox, Rombertik decrypts and installs itself on the victim’s machine, which then allows the malware to launch a second copy of itself and overwrite the second copy with the malware’s core spying functionality. After completing this process and before begins spying on users, Rombertik runs a final check to make sure it is not being analyzed in memory. In case it finds any indication of being analyzed, the spyware attempts to destroy the master boot record (MBR) of the vulnerable computer. Rombertik then restarts the machine, and because now the MBR is missing from the hard drive, the victim’s computer will go into an endless restart loop.The best defence in this situation is a layered defence, because Rombertik won’t be able to evade all the layers.
“What’s more concerning here is the reach the plugin and theme have combined; they are installed in many cases, by default in all WordPress installations,”This was according to David Dede, the malware researcher at Sucuri, who discovered the issue and disclosed it. Nearly a dozen WordPress hosts – GoDaddy, WPEngine, and Pagely to name a few – preemptively patched the issue in the week’s leading up to Sucuri’s disclosure. Your best bet now is to keep all WordPress up to date.
“It is extremely important for the site administrators to keep their WordPress sites patched with the latest security updates,”
“The problem is how PHP handles hashed strings when either the double equal (==) or “!=” operators are used to compare them. When either of these two operators is used for comparing hashes, PHP interprets any hashed value beginning with ‘0e’ as having the value 0. So if two different passwords are hashed and both their hashed values begin with ‘0e’ followed by numerals, PHP will interpret both as having the value 0. Even though the hash values for both passwords are completely different, PHP would treat them both as the number zero if both begin with 0e and when either ‘==’ or ‘!=’ are used.”This gives attackers a way to try and compromise user accounts by entering a string that when hashed gets equated to zero by PHP. If a password in the database is represented the same way, the attacker will get access to the account, Hansen said. Until now, there haven’t been examples of these hash types.
“This is not a problem we can educate our way out of … We need to change training awareness around actions and how awareness is linked to action … Security solutions need to facilitate employees’ work seamlessly.”Bottom line: All the king’s horses and all the kings men can’t fix what goes wrong when Humpty decides to do as he pleases.