I read about a newly discovered type of advanced malware called Rombertik that can reportedly cripple a PC when it is detected. What is so different about Rombertik malware, and how can it self-destruct a system if detected? Are there any different antimalware strategies that should be used to detect and quarantine it?
Any malware has the potential to cripple a PC when it infects a system, not just Rombertik. The more capable a computer is, the more options the malware author has for crippling it. Malware has been crippling infected endpoints since the 1980s, when viruses overwrote the boot sector and rendered the system unusable; since then many other ways to effectively cripple an endpoint have appeared.
Malware that tries to avoid virtual environments and to destroy any evidence of its presence takes longer to detect and analyze. Cisco's Talos research group blogged about the new Rombertik malware, which runs multiple checks to determine whether it is being analyzed and, if it concludes that it is, destroys the system by overwriting the Master Boot Record (MBR).
The threat of an MBR overwrite is not a deterrent to antimalware researchers; they already know that a mistake could destroy the analysis system along with any saved analysis data. The more significant risk is the novice IT professional who tries to troubleshoot a problem and removes the malware by hand. They might not appreciate the potential for data destruction when investigating malware, or that their login credentials could be captured while they do so.
Antimalware strategies for detection and quarantining could make a slight difference to protection against Rombertik, but the most effective method of recovering an infected endpoint is reinstalling the operating system. If the malware has self-destructed and left the system unable to boot, that changes nothing about the recovery, provided good backups are in place or the data is stored on a separate system. The malware can also still be detected by monitoring the network for its communications, even when those communications are not blocked.
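One defensive check that follows from the MBR-overwrite behaviour described above is comparing a disk's first sector against a known-good baseline. The following is an added example, not code from the column or from Talos: it parses a 512-byte MBR (boot code, four partition entries, 0x55AA signature) and reports deviations from a recorded baseline. The sample sector, its boot-code bytes and the zero-filled "overwritten" sector are constructed for the demo; on a real host the sector would be read from a disk image or device.

```python
import hashlib
import struct

BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a classic 512-byte MBR into boot-code hash, partitions and signature flag."""
    if len(sector) != 512:
        raise ValueError("MBR sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return findings relative to a recorded baseline; an empty list means no change."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a demo MBR with one bootable Linux partition (constructed, not real disk data)."""
    code = boot_code.ljust(446, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


SAMPLE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")  # constructed stand-in boot code
BASELINE = hashlib.sha256(SAMPLE_MBR[:446]).hexdigest()  # recorded when the host was clean
WIPED_MBR = b"\x00" * 512  # constructed: what a wholesale sector overwrite would leave

if __name__ == "__main__":
    print("clean host:", check_mbr(SAMPLE_MBR, BASELINE))
    print("wiped host:", check_mbr(WIPED_MBR, BASELINE))
```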
Check out more from Nick Lewis: