
How can enterprises protect against Rombertik malware?

Rombertik malware is a new advanced malware that can trigger a system to self-destruct if it's detected. Expert Nick Lewis explains Rombertik and how to keep it from crippling your system.

I read about a newly discovered type of advanced malware called Rombertik that can reportedly cripple a PC when it is detected. What is so different about Rombertik malware, and how can it self-destruct a system if detected? Are there any different antimalware strategies that should be used to detect and quarantine it?

Any malware has the potential to cripple a PC once it infects a system, not just Rombertik. The more advanced a computer is, the more options the malware author has for crippling it. Malware has been crippling infected endpoints since the 1980s, when it overwrote the boot sector and made the system unusable, and there are many other ways to render an endpoint unusable today.

Malware that tries to avoid virtual environments and destroy any evidence of its presence takes longer to detect and analyze. Cisco's Talos research group blogged about the new Rombertik malware, which performs multiple checks to determine whether it is being analyzed and, if it concludes that it is, destroys the system by overwriting the Master Boot Record (MBR).

The threat of overwriting the MBR is not a deterrent to antimalware researchers; they already know that a mistake could destroy the system along with any analysis data saved on it. The more significant risk is the novice IT professional who tries to troubleshoot a problem and remove the malware without knowing that investigating malware can trigger data destruction, or that their login credentials could be captured in the process.

Antimalware strategies for detection and quarantining could make a slight difference in protection against Rombertik, but the most effective way to recover an infected endpoint is to reinstall the operating system. If the malware self-destructed and left the system unable to boot, that would not matter, since the system is being rebuilt anyway; it does assume, however, that good backups are in place or that the data is stored on a separate system. The malware can still be detected by monitoring, but not blocking, its network communications.
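As an added example that is not part of the original column, a defender-side check for the MBR overwrite described above: it parses the first sector of a disk image, verifies the 0x55AA boot signature and the partition table, and compares a SHA-256 of the sector against a baseline recorded while the system was known-good. The sample sectors are constructed inline; `read_mbr` and the device paths in its comment are assumptions for use against a real image or drive.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR
ENTRY_FMT = "<B3xB3xII"          # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Parse the partition table and boot signature of one 512-byte MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 means an empty entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions,
            "sha256": hashlib.sha256(sector).hexdigest()}


def mbr_tampered(baseline_sha256: str, sector: bytes) -> bool:
    """True if the sector no longer matches the known-good baseline hash or lost its boot signature."""
    info = parse_mbr(sector)
    return info["sha256"] != baseline_sha256 or not info["signature_ok"]


def read_mbr(path: str) -> bytes:
    """Read the first sector of a disk image or raw device (assumed paths: /dev/sda, \\\\.\\PhysicalDrive0)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: dummy boot code, one bootable NTFS (type 0x07) partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"  # typical jump instruction opening real boot code
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_overwritten_mbr() -> bytes:
    """Constructed sample of a wiped MBR: boot code, partition table and signature all zeroed."""
    return b"\x00" * MBR_SIZE


if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr())["sha256"]
    print("known-good tampered:", mbr_tampered(baseline, build_sample_mbr()))   # False
    print("wiped tampered:", mbr_tampered(baseline, build_overwritten_mbr()))    # True
```

Record the baseline hash from a clean build and compare it from boot media or a forensic image, not from the running (possibly infected) system.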



This was last published in December 2015
