Rombertik acts much like a normal virus in its ability to infect machines. For example, once embedded in one machine on a network it will send phishing emails to infect other machines, along with other typical malware behavior. But what is special about Rombertik and other new malware is how hard they fight to stay in the system. For example, the virus contains a false-data generator to overwhelm analysis tools, contains tools that can detect and evade a sandbox (a common way to trap and disarm malware), and has a self-destruct mechanism that can kill the infected machine by wiping out the master boot record.
The problem with this new family of malware is that it evades the normal methods of detection. Typical malware detection tools look for telltale signs that a given website, file, or app contains malware. But this new malware is specifically designed either to hide the normal telltale signs or to morph into something else when detected. So once this new malware is detected, by the time you try to eradicate it in its original location it has already moved somewhere else.
This new discovery is typical of the ongoing cat-and-mouse game between hackers and malware security companies. The hackers always get a leg up when they come out with something new, and they generally go undetected until somebody finally figures out what they are up to.
This whole process is described well in two reports issued by web security companies. Menlo Security reports that there were 317 million pieces of malware produced in 2014 in its State of the Web 2015: Vulnerability Report. In this report they question whether the security industry is really ready to handle new kinds of attacks.
The report says that enterprises spent more than $70 billion on cybersecurity tools in 2014 but still lost nearly $400 billion as a result of cybercrime. They report that the two biggest sources of malware in large businesses come either through web browsing or from email – two things that are nearly impossible to eliminate from corporate life.
Menlo scanned the Alexa top one million web sites (those getting the most traffic) and found the following:
- 34% of web sites were classified as risky due to running software that is known to be vulnerable to hacking.
- 6% of websites were found to be serving malware or spam, or to be part of a botnet.
The other recent report on web vulnerabilities came from Symantec, which can be downloaded here. Symantec said that hackers no longer need to break down the doors of corporate networks when the keys to hack them are readily available. That mirrors the comments by Menlo Security and is referring to the fact that companies operate software with known vulnerabilities and then take a long time to react when security breaches are announced.
The report says that in 2014 firms took an average of 50 days to implement security patches. Hackers are launching new kinds of malware and then leaping on the vulnerability before patches are in place. The biggest example of this in 2014 was the Heartbleed malware, where hackers were widely using it within 4 hours of it hitting the web while companies took a very long time to come up with a defense. Symantec says there were 24 separate zero-day attacks in 2014 – meaning an introduction of a new kind of malware that was either undetectable or for which there was no immediate defense.
Symantec reports much the same thing as Menlo Security: the biggest danger from malware is what it can do once it is inside a network. The first piece of malware can hit a network in many different ways, but once there it uses a number of sophisticated tools to spread throughout the network.
There is certainly nothing foolproof you can do to keep malware out of your corporate systems. But most of the ways that networks get infected are not through hackers, but through employees. Employees still routinely open spam emails and attachments and respond to phishing emails – so making sure your employees know more about malware and its huge negative impact might be your best defense.