Rombertik - When Detection Leads to Destruction

May 05, 2015, Franklyn Jones

An interesting article just published in Security Week highlights some great new investigative work by the Cisco security team. It has to do with Rombertik, an impressive piece of malware that has the ability to overwrite the master boot record on your PC (destroying loads of data in the process) if it senses that there is any sort of malware detection process underway to identify it and shut it down.

The attack often starts through a very convincing, targeted phishing email with an attachment that simply must be opened. Of course, once it's opened, the malware finds its way into your browser, then starts recording all your keystrokes from various web sites.

Just as bad, this clever malware has the ability to sense when it's in a sandbox and create more deception. Check out this excerpt from the article:

Many sandboxes are designed to monitor a file only for a certain period of time to determine if it's malicious or not. That is why malware developers have started programming their creations to sleep before starting their malicious routines. Rombertik doesn't sleep. Instead, it evades sandboxes by writing one byte of random data to memory 960 million times. While this method is similar to sleeping, it can be much more effective against tracking tools and sandboxes.
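The excerpt above describes stalling code: a tight memory-write loop burns the sandbox's observation window without ever calling a sleep API that a monitor could hook or fast-forward. The following is an added toy model (not code from the article, from Cisco, or from Spikes Security) showing why a fixed wall-clock budget misses such a sample and how a stall-aware heuristic, which treats sustained CPU time with no API activity as suspicious and extends the window, does not. The event traces, event names and thresholds are constructed for illustration.

```python
# Constructed illustration of sandbox observation budgets versus stalling code.
# Events are (seconds since start, event kind) tuples from a hypothetical monitor.
from dataclasses import dataclass
from typing import List, Tuple

Event = Tuple[float, str]

# Constructed trace: a hooked sleep would be visible to the monitor, but a tight
# write loop is not an API call, so all it sees is CPU time ticking by silently.
STALLING_SAMPLE: List[Event] = [(float(t), "cpu_tick") for t in range(0, 120)] + [
    (120.0, "api:CreateFileW"),
    (121.0, "api:WriteFile:PhysicalDrive0"),  # the destructive disk overwrite
]
# Constructed trace of a sample that just opens and reads a file.
BENIGN_SAMPLE: List[Event] = [(0.5, "api:CreateFileW"), (1.0, "api:ReadFile")]

@dataclass
class Verdict:
    malicious: bool
    stalling_suspected: bool

def destructive(kind: str) -> bool:
    """Hypothetical rule: raw writes to the physical drive are destructive."""
    return kind == "api:WriteFile:PhysicalDrive0"

def wall_clock_verdict(events: List[Event], budget_s: float) -> Verdict:
    """Naive sandbox: anything after the fixed budget is simply never observed."""
    seen = [k for t, k in events if t <= budget_s]
    return Verdict(any(destructive(k) for k in seen), False)

def stall_aware_verdict(events: List[Event], budget_s: float,
                        max_silent_s: float, extended_s: float) -> Verdict:
    """Heuristic: CPU time with no API activity for max_silent_s seconds looks
    like stalling; flag it and keep observing up to extended_s seconds."""
    last_api, stalling = 0.0, False
    for t, k in sorted(events):
        if k.startswith("api:"):
            last_api = t
        elif t - last_api >= max_silent_s:
            stalling = True
            break
    window = extended_s if stalling else budget_s
    seen = [k for t, k in events if t <= window]
    return Verdict(any(destructive(k) for k in seen), stalling)
```

With a 60-second budget the naive verdict on the stalling trace is benign, while the stall-aware verdict flags the silent CPU burn, extends the window and observes the disk write.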

Ouch. This is the second time in the last week we've seen evidence that sandboxes are not nearly as effective or as secure as some vendors would lead you to believe. A few days ago, The Register published another article highlighting research done by Seculert, which showed that the Dyre browser-hooking malware was able to escape eight different security sandboxes (this is the same malware blamed for successfully breaching many bank accounts).

What all of this suggests is that software sandboxes – including those that should be protecting your endpoint devices – are not necessarily reliable. And in the case of Rombertik, the malware can escape the sandbox, take control of your browser, and establish communications back to the command & control (C&C) center to export your confidential data.

A browser isolation system like the one from Spikes Security can help in a couple of ways. First, we take the browser off your endpoint and deploy it on a hardened SELinux appliance in your DMZ, then ensure each web session is isolated in its own VM. If there is malware in the original web content, it stays in the VM and is destroyed when the session is over. There is no software sandbox trying to decide if something is good or bad – we just assume it's all bad, and keep it in the DMZ.

Second, internal users are connected to the external appliance – not the web. As a result, we can shut down ports 80 and 443 and thus eliminate the primary channels for C&C communications.

Learn more at www.spikes.com.

Franklyn Jones, CMO, Spikes Security
