Register | Login
BootSkins XP
Cursor FX
Dream
Icon Packager
LogonStudio XP
LogonStudio
Object Dock
Sound Schemes
Suites
WallPapers
WindowBlinds
All

Search
Forum Home | Login
DrJBHL
DrJBHL
Join Date 04/2002
+4003

‘Bootkit’ Malware “Nemesis”: Your security software won’t detect.

December 9, 2015 11:22:18 AM from JoeUser ForumsJoeUser Forums

 

“Nemesis” infect Windows computers before your security software loads. It’s a ‘rootkit’ – so it will infect your computer’s core components (hardware and software) while often disguising its actions.

“In this case, the Nemesis malware goes a step further and infects the hard drive boot record, which is the very first piece of code which executes when a computer is switched on. It's this code which launches an operating system such as Windows; such an infection is also known as a "bootkit" (boot + rootkit).”- John Lister

The only good news (insert sarcastic tone) here is that it’s currently being deployed against banks and financial firms…not home computers. Yet.

My guess? Won’t be long…and it may get coupled with ransomware…

Source:

https://www.infopackets.com/news/9737/new-bootkit-malware-sidesteps-security-software

Locked Post +1 Karma
Search this post
Advanced Search
Subscription Options
Reason for Karma (Optional)
Successfully updated karma reason!
Fuzzy Logic
DrJBHL
Uvah
Join Date 05/2006
+874
Reply #1 December 9, 2015 11:27:35 AM
from WinCustomize ForumsWinCustomize Forums

I was waiting for this one Doc. Saw the article but was unable to completely read it. Thanks for the heads up.

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
ElanaAhova
Join Date 09/2008
+105
Reply #2 December 9, 2015 2:31:48 PM
from Elemental ForumsElemental Forums

preventive measures for home PC users?

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
DaveRI
Join Date 09/2003
+463
Reply #3 December 9, 2015 2:33:26 PM
from WinCustomize ForumsWinCustomize Forums

Thanks for the post.

The article you've linked has another article linked within it that is certainly worth the read as well.  The link is subtle, it's at the end of the next to last paragraph "Source:fireeye.com".  It's well worth the read as well and goes into more detail regarding the behavior and characteristics of the bootkit:

https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html

 

Reason for Karma (Optional)
Successfully updated karma reason!

Sign Up or Login and this ad disappears!
There are many great features available to you once you register. Sign Up for a free account and browse the forums without ads.

DrJBHL
Fuzzy Logic
Join Date 05/2002
+493
Reply #4 December 9, 2015 3:20:02 PM
from WinCustomize ForumsWinCustomize Forums

Let's hope home users don't get targeted. There's always something... sigh.

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
DrJBHL
Join Date 04/2002
+4003 moderator
Reply #5 December 9, 2015 3:31:57 PM
from WinCustomize ForumsWinCustomize Forums

Quoting ElanaAhova,
reply 2

preventive measures for home PC users?

None as of yet...

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
Daiwa
Join Date 07/2001
+349
Reply #6 December 9, 2015 8:35:13 PM
from JoeUser ForumsJoeUser Forums

Looks like DBAN and OS re-install would be an option.  Perhaps the only one at present.

Such a purveyor of Holiday Cheer you are, Doc.

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
alaknebs
Join Date 08/2010
+12
Reply #7 December 10, 2015 1:20:44 AM
from Elemental ForumsElemental Forums

surely things like those linux based cd/dvd scans can find it?

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
DrJBHL
Join Date 04/2002
+4003 moderator
Reply #8 December 10, 2015 3:41:29 AM
from WinCustomize ForumsWinCustomize Forums

Surely they don't...they implement during boot BEFORE you security software.

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
mozler
Join Date 07/2001
+2
Reply #9 December 10, 2015 5:29:30 AM
from WinCustomize ForumsWinCustomize Forums

Apparently a new addition to the NEMESIS malware suite called Bootrash, at present the only solution is to completely wipe the hard disk then reload the OS.

Hopefully the AV software companies like FireEye can get on top of this very quickly. Incidentally this is only one of a line of several previous Bootkit virus attacks, fortunately (or unfortunately) aimed mainly at financial institutions.

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
Jafo
Join Date 03/2001
+1783 sdemployee
Reply #10 December 10, 2015 8:20:56 AM
from JoeUser ForumsJoeUser Forums

Quoting DrJBHL,
reply 8

Surely they don't...they implement during boot BEFORE you security software.

Booting to DVD is implemented at BIOS level...before the HD boot record is accessed...so it 'should' precede a 'bootkit' ...

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
alaknebs
Join Date 08/2010
+12
Reply #11 December 10, 2015 12:50:21 PM
from Elemental ForumsElemental Forums

i would have thought booting to linux via cd/dvd shouldn't be reading off the hdd/mounting them until after the os is loaded?

(obviously... whether the scans will then find the rootkit, etc depends on the signature/heuristics of the scans)

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
kryo
Join Date 05/2003
+458
Reply #12 December 10, 2015 5:44:21 PM
from Stardock ForumsStardock Forums

Couple points:

- It doesn't work on disks using GPT. Which most newer systems should be using (it's required if you have UEFI and aren't running it in BIOS compatibility mode).

- I'd be surprised if booting to the repair console (via windows install disc) and running /fixmbr (assuming it still exists in newer versions of windows) didn't take care of it, since it rewrites the MBR.

- Booting from an optical disc will most definitely bypass it.

- It's only an extension of an APT ecosystem targeted at a specific bank. You won't be seeing it on your desktop, though of course someone else could come out with a bootkit malware targeted at consumers. They aren't a novel technique, and will still rely on some other malware, vulnerability, or social engineering to get themselves installed.

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
alaknebs
Join Date 08/2010
+12
Reply #13 December 11, 2015 1:06:40 AM
from Elemental ForumsElemental Forums

... oddly my boot ssd uses mbr not gpt. no idea why (maybe i selected the wrong thing during install ). clean win10 install on it. (new machine with uefi)

also read that it doesn't matter performance wise due to small size (256 gb)... so not going to be bothered about that.

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
kryo
Join Date 05/2003
+458
Reply #14 December 11, 2015 7:11:10 AM
from Stardock ForumsStardock Forums

Probably running in BIOS mode.

Reason for Karma (Optional)
Successfully updated karma reason!
DrJBHL
alaknebs
Join Date 08/2010
+12
Reply #15 December 11, 2015 12:02:39 PM
from Elemental ForumsElemental Forums

wonder why... i did have problems (before installing anything) to get video to display anything at all until that fixed itself eventually somehow. (after a few reboots... only empty drives and win10 dvd connected)

.. guess i'll fiddle with that when i have to wipe everything and clean install... hopefully not for years!

Reason for Karma (Optional)
Successfully updated karma reason!
View all recent posts
Mark all posts as read Delete cookies created by the forum Return to Top
Stardock Forums v        Server Load Time:   Page Render Time:


Home | About | Privacy | Upload Guidelines | Terms of Service | Help
WinCustomize © 2025 Stardock. All Rights Reserved.