Essential Guide

Antimalware tools and techniques security pros need right now

How can enterprises protect against Rombertik malware?

Rombertik is advanced malware that tries to wipe the system it is running on when it concludes it is being analyzed. Expert Nick Lewis explains how Rombertik works and how to keep it from crippling your endpoints.

I read about a newly discovered type of advanced malware called Rombertik that can reportedly cripple a PC when it is detected. What is so different about Rombertik malware, and how can it self-destruct a system if detected? Are there any different antimalware strategies that should be used to detect and quarantine it?

Any malware can cripple the PC it infects, not just Rombertik; the more capable the computer, the more options its author has for doing so. Malware has been crippling infected endpoints since the 1980s, when boot-sector viruses overwrote the boot sector and left the machine unusable, and many other ways of rendering an endpoint unusable have appeared since.

Malware that refuses to run in virtual machines and sandboxes, and that destroys evidence of its presence, takes longer to detect and analyze. Cisco's Talos research group blogged about Rombertik, which runs multiple checks to decide whether it is being analyzed or has been tampered with; if it concludes that it has, it tries to destroy the system by overwriting the Master Boot Record (MBR), the first sector of the disk, which holds the boot code and the partition table. Talos also reported a fallback: when the malware lacks the privileges to write the MBR, it instead encrypts the files in the user's home directory and then restarts the machine, so the practical outcome for the user is much the same.

The threat of an MBR overwrite is not a deterrent to malware researchers: they analyze samples on disposable systems and expect that a mistake could destroy the machine along with any analysis data saved on it. The more significant risk is the less experienced IT professional who troubleshoots a misbehaving production PC by poking at the malware and trying to remove it. They may not realize that investigating a sample can trigger data destruction, or that the malware is capturing their login credentials while they work on the machine.

Tuning antimalware detection and quarantine rules specifically for Rombertik makes only a slight difference; the most effective way to recover an infected endpoint is to reinstall the operating system. If the malware has already wiped the MBR and the system no longer boots, the outcome is the same: the machine is rebuilt. Both cases assume good backups are in place or that user data is stored on a separate system. Note that an MBR overwrite destroys the boot code and the 64-byte partition table, not the filesystems behind them, so a forensic image of the disk will usually still yield the data. Even where network controls do not block the malware's communications, monitoring that traffic can still reveal the infection, and blocking the traffic once it is identified stops captured credentials from leaving the network.
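The MBR structure behind both of the points above (what an overwrite actually destroys, and why the data is usually recoverable) is concrete enough to show in code. The following Python is an added example, not code from the original article or from Cisco Talos: it parses a 512-byte MBR, flags one that has been overwritten, and shows that a saved copy of the 66-byte partition table and boot signature is enough to make the partitions addressable again. The three sample sectors are constructed in the code, not captured from a real or infected disk, and all function names are the example's own.

```python
"""Parse and sanity-check a 512-byte Master Boot Record (MBR).

Added example, not from the original article or from Cisco Talos.
The sample sectors below are constructed here, not captured from a real disk.
"""
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446                  # partition table: four 16-byte entries
PT_ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def partition_entry(bootable, ptype, lba_start, sectors):
    """Pack one partition-table entry; CHS fields are left zero, LBA is what matters."""
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FORMAT, status, b"\x00\x00\x00", ptype, b"\x00\x00\x00",
                       lba_start, sectors)


def build_mbr(boot_code, entries):
    """Assemble a sector from boot code, up to four entries and the boot signature."""
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    table = b"".join(entries).ljust(4 * PT_ENTRY_SIZE, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_mbr(mbr):
    """Return the boot-signature check and the non-empty partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, mbr, PT_OFFSET + i * PT_ENTRY_SIZE)
        if ptype == 0:           # type 0 marks an unused slot
            continue
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[SIG_OFFSET:] == BOOT_SIGNATURE, "partitions": partitions}


def mbr_looks_damaged(mbr):
    """True if the sector cannot be a valid MBR: bad signature, no partitions,
    or an entry whose status byte or extents make no sense."""
    info = parse_mbr(mbr)
    if not info["signature_ok"] or not info["partitions"]:
        return True
    return any(p["status"] not in (0x00, 0x80) or p["lba_start"] == 0 or p["sectors"] == 0
               for p in info["partitions"])


def partition_table_backup(mbr):
    """The 66 bytes worth saving before an incident: partition table plus signature."""
    return mbr[PT_OFFSET:SECTOR_SIZE]


def restore_partition_table(damaged, backup):
    """Put a saved table back. The boot code still has to be rewritten afterwards
    with the OS's own tool (for example Windows' bootrec /fixmbr)."""
    if len(backup) != SECTOR_SIZE - PT_OFFSET:
        raise ValueError("backup must be the 66-byte table-plus-signature slice")
    return damaged[:PT_OFFSET] + backup


# Constructed sample sectors (not real disk images):
# a healthy MBR with one bootable NTFS partition (type 0x07) starting at LBA 2048
HEALTHY_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", [partition_entry(True, 0x07, 2048, 204800)])
# the same sector after malware has overwritten it with arbitrary bytes
OVERWRITTEN_MBR = bytes(range(256)) * 2
# signature intact but the partition table zeroed
TABLE_WIPED_MBR = HEALTHY_MBR[:PT_OFFSET] + b"\x00" * (4 * PT_ENTRY_SIZE) + BOOT_SIGNATURE


if __name__ == "__main__":
    for name, mbr in (("healthy", HEALTHY_MBR), ("overwritten", OVERWRITTEN_MBR),
                      ("table wiped", TABLE_WIPED_MBR)):
        print(f"{name:12s} damaged={mbr_looks_damaged(mbr)} {parse_mbr(mbr)['partitions']}")
    fixed = restore_partition_table(OVERWRITTEN_MBR, partition_table_backup(HEALTHY_MBR))
    print("after restore", parse_mbr(fixed)["partitions"])
```

The partition entry only records where the filesystem starts (LBA 2048 here) and how long it is; the filesystem itself, sitting 1 MiB into the disk, is never touched by a write to sector 0. That is why an image of the disk taken after the overwrite still yields the data, and why saving those 66 bytes per machine as part of asset inventory makes the partition table trivial to put back. Real recovery is done with a forensic imaging tool and the operating system's boot-repair utility rather than with this script; the code exists to make the structure visible.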


This was last published in December 2015

What's your organization doing to defend against Rombertik?
Great article. A lot of solid advice to address systems after they have already been impacted by Rombertik. To add, organizations may want to consider a structural sanitization approach to remove the initial triggers of Rombertik or other advanced malware in emails, downloads, etc.
