‘Bootkit’ Malware “Nemesis”: Your security software won’t detect.

By DrJBHL on December 9, 2015 11:22:18 AM from JoeUser Forums

Join Date 04/2002

“Nemesis” infects Windows computers before your security software loads. It’s a ‘rootkit’ – so it will infect your computer’s core components (hardware and software) while often disguising its actions.

“In this case, the Nemesis malware goes a step further and infects the hard drive boot record, which is the very first piece of code which executes when a computer is switched on. It's this code which launches an operating system such as Windows; such an infection is also known as a "bootkit" (boot + rootkit).”- John Lister

The only good news (insert sarcastic tone) here is that it’s currently being deployed against banks and financial firms…not home computers. Yet.

My guess? Won’t be long…and it may get coupled with ransomware…

Source:

https://www.infopackets.com/news/9737/new-bootkit-malware-sidesteps-security-software

15 Replies
December 9, 2015 11:27:35 AM from WinCustomize Forums

I was waiting for this one Doc. Saw the article but was unable to completely read it. Thanks for the heads up.

December 9, 2015 2:31:48 PM from Elemental Forums

Preventive measures for home PC users?

December 9, 2015 2:33:26 PM from WinCustomize Forums

Thanks for the post.

The article you've linked has another article linked within it that is certainly worth the read as well. The link is subtle: it's at the end of the next-to-last paragraph, "Source: fireeye.com". It goes into more detail regarding the behavior and characteristics of the bootkit:

https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html

December 9, 2015 3:20:02 PM from WinCustomize Forums

Let's hope home users don't get targeted. There's always something... sigh.

December 9, 2015 3:31:57 PM from WinCustomize Forums

Quoting ElanaAhova,

Preventive measures for home PC users?

None as of yet...

December 9, 2015 8:35:13 PM from JoeUser Forums

Looks like DBAN and an OS re-install would be an option. Perhaps the only one at present.

Such a purveyor of Holiday Cheer you are, Doc.

December 10, 2015 1:20:44 AM from Elemental Forums

Surely things like those Linux-based CD/DVD scans can find it?

December 10, 2015 3:41:29 AM from WinCustomize Forums

Surely they don't... they implement during boot BEFORE your security software.

December 10, 2015 5:29:30 AM from WinCustomize Forums

Apparently this is a new addition to the NEMESIS malware suite called Bootrash; at present the only solution is to completely wipe the hard disk and then reload the OS.

Hopefully the AV software companies like FireEye can get on top of this very quickly. Incidentally, this is only one of a line of several previous bootkit virus attacks, fortunately (or unfortunately) aimed mainly at financial institutions.

December 10, 2015 8:20:56 AM from JoeUser Forums

Quoting DrJBHL,

Surely they don't... they implement during boot BEFORE your security software.

Booting to DVD is implemented at BIOS level... before the HD boot record is accessed... so it 'should' precede a 'bootkit'...

December 10, 2015 12:50:21 PM from Elemental Forums

I would have thought booting to Linux via CD/DVD shouldn't be reading off the HDD/mounting them until after the OS is loaded?

(Obviously... whether the scans will then find the rootkit, etc. depends on the signature/heuristics of the scans.)

December 10, 2015 5:44:21 PM from Stardock Forums

Couple of points:

- It doesn't work on disks using GPT, which most newer systems should be using (it's required if you have UEFI and aren't running it in BIOS compatibility mode).

- I'd be surprised if booting to the repair console (via the Windows install disc) and running /fixmbr (assuming it still exists in newer versions of Windows) didn't take care of it, since it rewrites the MBR.

- Booting from an optical disc will most definitely bypass it.

- It's only an extension of an APT ecosystem targeted at a specific bank. You won't be seeing it on your desktop, though of course someone else could come out with a bootkit malware targeted at consumers. They aren't a novel technique, and will still rely on some other malware, vulnerability, or social engineering to get themselves installed.
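To make the MBR-versus-GPT point and the "rewrites the MBR" point above concrete, here is an added example that is not from this thread or any of its posters. It parses a raw first sector, tells a classic MBR disk apart from a GPT disk (whose first sector carries a single "protective" partition entry of type 0xEE), and compares a SHA-256 of the 446-byte boot-code region against a known-good baseline, which is the region a boot-record bootkit overwrites and a /fixmbr-style repair rewrites. The sample sectors are constructed in the code, not taken from a real disk or from the malware; `read_first_sector` and the device paths it mentions are the assumed way to obtain a real sector and need administrator/root rights.

```python
import hashlib
import struct

# Layout of a classic 512-byte master boot record (MBR):
#   bytes 0..445    boot code (the region a boot-record bootkit replaces)
#   bytes 446..509  four 16-byte partition table entries
#   bytes 510..511  boot signature 0x55 0xAA
SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PART_ENTRY_LEN = 16
PART_TABLE_OFF = BOOT_CODE_LEN
GPT_PROTECTIVE_TYPE = 0xEE   # a GPT disk's first sector holds one protective entry of this type
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw boot sector into a boot-code hash, partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped),
        # LBA of first sector, sector count; all fields little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an unused entry
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def classify_disk(sector: bytes) -> str:
    """Return 'gpt', 'mbr' or 'no-boot-signature' for the given first sector."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "no-boot-signature"
    if any(p["type"] == GPT_PROTECTIVE_TYPE for p in info["partitions"]):
        return "gpt"
    return "mbr"


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True if the boot code no longer matches a previously recorded known-good hash."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def _build_sector(boot_code: bytes, entries) -> bytes:
    """Constructed test data: assemble a boot sector from boot code and (type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (ptype, lba_start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if i == 0 else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples (not real disk images): a classic MBR disk with one NTFS-type
# partition, the same disk with its boot code replaced, and a GPT disk's protective MBR.
CLEAN_MBR = _build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 9, [(0x07, 2048, 1_000_000)])
TAMPERED_MBR = _build_sector(b"\xeb\xfe" + b"\x90" * 14, [(0x07, 2048, 1_000_000)])
GPT_PROTECTIVE_MBR = _build_sector(b"\x90" * 8, [(GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])


def read_first_sector(device_path: str) -> bytes:
    r"""Read sector 0 from a block device (assumed paths: '\\.\PhysicalDrive0' on
    Windows, '/dev/sda' on Linux). Needs administrator/root. Take the baseline and
    later checks from trusted boot media (a live CD/DVD), not from the possibly
    infected running OS, since a rootkit in the running OS can hide the change."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
    for name, sec in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("gpt", GPT_PROTECTIVE_MBR)]:
        print(name, classify_disk(sec), "boot code changed:", boot_code_changed(sec, baseline))
```

The hash comparison only tells you that the boot code differs from the baseline, not what replaced it, and rewriting the MBR only restores that region; whatever installed the bootkit in the first place (the other malware, vulnerability or social engineering the post mentions) still has to be dealt with separately.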

December 11, 2015 1:06:40 AM from Elemental Forums

... Oddly, my boot SSD uses MBR, not GPT. No idea why (maybe I selected the wrong thing during install). Clean Win10 install on it. (New machine with UEFI.)

Also read that it doesn't matter performance-wise due to the small size (256 GB)... so not going to be bothered about that.

December 11, 2015 7:11:10 AM from Stardock Forums

Probably running in BIOS mode.

December 11, 2015 12:02:39 PM from Elemental Forums

Wonder why... I did have problems (before installing anything) getting video to display anything at all, until that fixed itself eventually somehow. (After a few reboots... only empty drives and the Win10 DVD connected.)

... Guess I'll fiddle with that when I have to wipe everything and clean install... hopefully not for years!
