Don’t Panic About The Rombertik Malware


In human culture and warfare, the notion of self-destructive attackers, like the kamikaze pilots deployed during World War II, is pervasive. A more recent conflict is the cyber-war between those creating malware and the security firms and cyber-security specialists that attempt to thwart them. In this battle, the recently revealed Rombertik malware is an interesting evolution.

Picture: Wikimedia Commons/NASA

Rombertik is a complex malware form that’s capable of pulling the pin on a grenade and taking itself and the computer on which it resides down with it as it goes. Rombertik literally self-destructs on discovery, as a means of defending itself against detection. While it’s possible to detect, the malware makes it incredibly difficult to deploy any technological countermeasures.

Take no prisoners

Malware experts are struggling to learn the inner workings of this interesting adversary. Scanning for any opportunities possible, Rombertik will attach itself to a web browser and attempt to capture all the data passing through it. This means that nothing is safe: emails, passwords, personal details, which cat videos you watch — everything is up for grabs.

Worse, if you attempt to analyse this nasty malware, Rombertik will deliberately attempt to corrupt the master boot record of your storage device, where crucial details such as the location of files on the disk and the layout of the disk’s partitions are stored. The result is that on the following reboot, the disk and everything on it will be useless until wiped and re-installed, removing all your data with it. It’s a pain, and while recovery isn’t out of the question, that’s an even bigger pain.
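As an added illustration of what that corruption breaks (example code, not part of the original article), here is a small Python checker of the kind a forensic or recovery tool runs over the first 512-byte sector of a disk: it validates the MBR boot signature and the four partition-table entries. The sample sectors are constructed here; the corrupted one is simply zeroed.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446            # partition table starts after the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_entry(raw: bytes) -> dict:
    """Unpack one 16-byte partition entry (the CHS fields are ignored)."""
    status, _, ptype, _, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}

def check_mbr(sector: bytes) -> list:
    """Return the problems found in a 512-byte MBR image; an empty list means it looks sane."""
    if len(sector) != MBR_SIZE:
        return ["expected %d bytes, got %d" % (MBR_SIZE, len(sector))]
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    entries = [parse_entry(sector[TABLE_OFFSET + i * ENTRY_SIZE:TABLE_OFFSET + (i + 1) * ENTRY_SIZE])
               for i in range(4)]
    used = [(i, e) for i, e in enumerate(entries) if e["type"] != 0]
    if not used:
        problems.append("partition table is empty")
    for i, e in used:
        if e["status"] not in (0x00, 0x80):
            problems.append("entry %d: invalid status byte 0x%02x" % (i, e["status"]))
        if e["sectors"] == 0:
            problems.append("entry %d: zero-length partition" % i)
    # Overlapping partitions are a common sign of a trashed table.
    ranges = sorted((e["lba_start"], e["lba_start"] + e["sectors"], i) for i, e in used)
    for (_, end_a, ia), (start_b, _, ib) in zip(ranges, ranges[1:]):
        if start_b < end_a:
            problems.append("entries %d and %d overlap" % (ia, ib))
    return problems

def sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS partition (type 0x07) starting at LBA 2048."""
    boot_code = b"\x90" * TABLE_OFFSET
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return boot_code + entry + b"\x00" * (3 * ENTRY_SIZE) + BOOT_SIGNATURE

def corrupted_mbr() -> bytes:
    """Constructed sample: a zeroed first sector, as left behind by a wiped boot record."""
    return b"\x00" * MBR_SIZE

if __name__ == "__main__":
    print("healthy:", check_mbr(sample_mbr()))
    print("corrupted:", check_mbr(corrupted_mbr()))
```

On a real system the same check would be fed the first sector read from the raw disk device, which requires administrative privileges.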

The war of attrition between those creating anti-virus software and those creating malware leads to a cycle of invention. Many malware strains have included forms of defence — for example those that stop the user running the Windows task manager to kill the virus process, or detect and disable antivirus software, or prevent internet connections — but Rombertik’s approach is certainly an example of the nuclear option.

Rombertik spreads as an email worm, and can seemingly arrive from a legitimate source. It is very good at concealing itself in all manner of attachments, and is a very small application capable of hiding in a considerably larger payload, once it has embedded itself in your web browser. It’s able to infect Chrome, Firefox and Internet Explorer browsers.

When active, it uses various tricks to confuse several of the host operating system’s defences. Aimed solely at Microsoft Windows, this means anyone using Windows XP, 7, 8 and 8.1 and Internet Explorer should be concerned. While there’s a worldwide drop in the market share of Windows operating systems on the desktop, the statistics clearly show that there are hundreds of millions, if not billions, of Windows installations. Rombertik’s creators are still assured of a popular platform to attack.

What can you do

However, don’t panic. While there’s considerable hype about Rombertik, preventing yourself from becoming a victim is no more difficult than following the common sense rules that apply to avoiding any other malware.

Ensure that you have anti-malware software, and ensure that it downloads the latest updates and anti-malware definitions — preferably set to do so automatically — and that it’s set to scan all incoming email. Many webmail services such as Gmail and Hotmail already do so. Nevertheless, don’t click on attachments in bizarre emails from unknown senders, nor on unexpected attachments from a trusted sender (this could be any file format). Treat unexpected mails with attachments as suspicious, and scan the file.

Rombertik’s suicide tactics are nothing new, and while the attack vector is aggressive, the solution is very old school.

Andrew Smith is Lecturer in Networking at The Open University.

This article was originally published on The Conversation. Read the original article.


  • when your antivirus discovers it, your MBR is corrupted

    make sure you get the latest antivirus

    no thanks

• The key difference is whether it’s running or not. If it’s not running, it won’t do anything. If it’s already on there and your AV finds it, that could be it.

The best way to remove it is to start your computer via something like a Linux bootdisk or an AV bootdisk and scan that way. Because it won’t be running (these disks aren’t Windows based, and if they were, they wouldn’t start up files on your hard drive, as Windows-based boot disks are usually missing lots of stuff that makes them run like complete PCs), you can safely remove the malware.

      The key is to take steps to NOT get infected in the first place and if you are, reboot to a boot disk and disinfect. Or take it to your local PC shop and tell them to research the malware before trying to remove.

  • And here’s some more timely advice:

    Don’t. I know it says you have “one (1) free iPod” or “a new message on [some app you don’t use / never heard of]”, but don’t click the link. If you’re tempted to click it, call the IT guy at work, or your son (who is computer savvy) or your computer repair shop and confess that you were tempted by a strange link in your emails. They’ll tell you not to click it.

    After that (and this is VERY important): Don’t click the link. It’s like Stimpy with the red button. It’s so shiny, and someone is pressing your nose against it. See it? It says don’t press it, but would it really hurt if you pressed it?

    Yes it would. Don’t press it.

    TL;DR: Don’t click that link. Don’t.
