Rombertik

Posted: Tue May 05, 2015 6:49 pm
by Splendidbiz
http://blogs.cisco.com/security/talos/rombertik

From what I have read on this nasty bit of code, this is something that appears to already be blocked by CryptoPrevent? If not, I would imagine this is something you would aim to block, and in short order?

Thanks.

Re: Rombertik

Posted: Wed May 06, 2015 6:45 pm
by Huskylogic
Does anyone know? Does CryptoPrevent block this?

Re: Rombertik

Posted: Mon May 11, 2015 1:59 am
by bored369
If the SCR that starts the infection is in the hash definitions, it should be blocked as long as the Constant or Suspicious filtering is enabled for SCR. I'll have to track down a sample to see if we can test it and find out for sure.