In human culture and warfare, the notion of self-destructive attackers like the Kamikaze pilots deployed during World War II, is pervasive. A more recent conflict is the cyber-war between those creating malware and the security firms and cyber-security specialists that attempt to thwart them. In this battle, the recently revealed Rombertik malware is an interesting evolution.
Rombertik is a complex malware form that’s capable of pulling the pin on a grenade and taking itself and the computer on which it resides down with it as it goes. Rombertik literally self-destructs on discovery, as a means of defending itself against detection. While it’s possible to detect, the malware makes it incredibly difficult to deploy any technological countermeasures.
Take no prisoners
Malware experts are struggling to learn the inner workings of this interesting adversary. Scanning for any opportunities possible, Rombertik will attach itself to a web browser and attempt to capture all the data passing through it. This means that nothing is safe: emails, passwords, personal details, which cat videos you watch – everything is up for grabs.
Worse is that if you attempt to analyse this nasty malware, Rombertik will deliberately attempt to corrupt the master boot record of your storage device, where crucial details such as the location of files on the disk and the layout of the disk’s partitions are stored. The result is that on the following reboot, the disk and everything on it will be useless until wiped and re-installed, removing all your data with it. It’s a pain, and while recovery isn’t out of the question, that’s an even bigger pain.
The war of attrition between those creating anti-virus software and those creating malware leads to a cycle of invention. Many malware have included forms of defence – for example those that stop the user running the Windows task manager to kill the virus process, or detect and disable antivirus software, or prevent internet connections – but Rombertik’s approach is certainly an example of the nuclear option.
Rombertik spreads as an email worm, and can seemingly arrive from a legitimate source. It is very good at concealing itself in all manner of attachments, and is a very small application capable of hiding in a considerably larger payload, once it has embedded itself in your web browser. It’s able to infect Chrome, Firefox and Internet Explorer browsers.
When active, it uses various tricks to confuse some of the various defences of the host operating system. Aimed solely at Microsoft Windows, this means anyone using Windows XP, 7, 8 and 8.1 and Internet Explorer should be concerned. While there’s a worldwide drop in the market share of Windows operating systems on the desktop, the statistics clearly show that there are hundreds of millions, if not billions of Windows installations. Rombertik’s creators are still assured of a popular platform to attack.
What can you do
However, don’t panic. While there’s considerable hype about Rombertik, preventing yourself from becoming a victim is no more difficult that following the common sense rules that apply to avoiding any other malware.
Ensure that you have anti-malware software, and ensure that it downloads the latest updates and anti-malware definitions – preferably set to do so automatically – and that it’s set to scan all incoming email. Many webmail services such as Gmail and Hotmail already do so. Nevertheless, don’t click on attachments in bizarre emails from unknown senders, nor on unexpected attachments from a trusted sender (this could be any file format). Treat unexpected mails with attachments as suspicious, and scan the file.
Rombertik suicide tactics are nothing new, and while the attack vector is aggressive, the solution is very old school.
Andrew Smith does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.
Authors: The Conversation