New 'Bootkit' Malware Sidesteps Security Software

By John Lister

A newly-identified piece of malware has achieved arguably the ultimate goal of cybercriminals: "Nemesis" loads on a Windows computer before the operating system itself does, and so before anything the operating system runs to protect it.

The malware is a particularly nasty form of rootkit: software that gains privileged access to the core components of a computer (both hardware and software) and hides its presence. A rootkit is a serious problem because, once it controls the operating system's view of itself, it can hide its files and processes from antivirus software, or disable that software outright, and carry out malicious tasks undetected.

In this case, Nemesis goes a step further and infects the hard drive's boot record: the first code the firmware loads from the disk when the computer is switched on, and the code responsible for launching an operating system such as Windows. A rootkit that loads from the boot record is known as a "bootkit" (boot + rootkit).

Bootkit Runs Before Security Software

That brings some major problems. Because the bootkit runs before the operating system, it also runs before any antivirus or other security software that the operating system loads, so it can hide from or disable those tools before they start; that permanent head start makes it difficult or impossible for security software to block. Some bootkits can also subvert full-disk encryption tools, since the boot code that asks for the passphrase runs before the encrypted volume is unlocked. Worse, a bootkit can survive a reinstallation of the operating system: it lives in the boot record rather than inside the Windows installation, so a reinstall that does not overwrite the boot record leaves it in place to load again at every power-on or reboot. (Source: arstechnica.com)

Mandiant Consulting, the security firm that identified Nemesis (the name comes from the attackers' own documents), says a bootkit is "unusual, but not unknown." It notes that an earlier piece of malware with a bootkit component was considered so valuable by cybercriminals that its creator sold it for $40,000, despite questions over how well it worked.

Bootkit Weapon Currently Deployed Against Banks

As things stand, Mandiant believes Nemesis is primarily being used to target financial institutions, either to steal confidential data directly or as part of a high-stakes blackmail plot. It argues, however, that the problem could have wider ramifications, especially if the malware is turned on the general public.

The company says bootkits will require a rethink of many common anti-malware practices: security firms will need tools that can find rootkits and bootkits in the first place, since a scan that only looks inside the running operating system will miss code that loaded before it. It also warns that in most cases the only safe remedy is to wipe the affected drive completely, boot record included and not just the Windows partition, before reinstalling the operating system. (Source: fireeye.com)
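A worked example of the boot-record check the two sections above describe, added here for this article; it is not Mandiant's or FireEye's code, and nothing in it comes from Nemesis itself. It parses a classic 512-byte MBR into its bootstrap code, partition table and 0x55AA signature, compares the bootstrap code against a known-good SHA-256 baseline recorded from a clean disk, and lists the sectors that belong to no partition, which is exactly the space a reinstall that merely reformats the Windows partition never touches. The sample sectors, the baseline and the placeholder "boot code" bytes are constructed for the demo; the same compare applies to the boot partition's first sector (the volume boot record) if you read it at that partition's starting LBA.

```python
"""Boot-record integrity check (added example; not Mandiant/FireEye or Nemesis code).

Parses a 512-byte MBR, compares its bootstrap code with a known-good SHA-256
baseline and lists sectors that belong to no partition.  Sample sectors below
are constructed for the demo; the "boot code" bytes are placeholders.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: code the firmware jumps into
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"     # bytes 510..511
PART_ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into bootstrap code, non-empty partition entries and signature state."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                      # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "start": start, "end": start + count - 1})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIG}


def unallocated_gaps(mbr: dict) -> list:
    """(first, last) sector ranges covered by no partition; sector 0 is the MBR itself.

    A reinstall that only reformats the Windows partition never rewrites these
    sectors, which is why wiping the whole drive is the safe remedy."""
    gaps, prev_end = [], 0
    for p in sorted(mbr["partitions"], key=lambda p: p["start"]):
        if p["start"] > prev_end + 1:
            gaps.append((prev_end + 1, p["start"] - 1))
        prev_end = max(prev_end, p["end"])
    return gaps


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if digest != baseline_sha256:
        findings.append("bootstrap code differs from baseline (sha256 %s...)" % digest[:16])
    if sum(p["bootable"] for p in mbr["partitions"]) > 1:
        findings.append("more than one partition flagged active")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample disk: two NTFS partitions with an unallocated gap between them."""
    table = struct.pack(PART_ENTRY, 0x80, 0x07, 2048, 1024000)       # active, sectors 2048..1026047
    table += struct.pack(PART_ENTRY, 0x00, 0x07, 1028096, 2048000)   # starts after a gap
    table += b"\x00" * 32                                            # two empty slots
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIG


CLEAN = make_sample_mbr(b"PLACEHOLDER-CLEAN-BOOTSTRAP")
BASELINE = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()   # recorded from a known-good disk
# A bootkit swaps the code but keeps the partition table, so the machine still boots normally.
INFECTED = make_sample_mbr(b"PLACEHOLDER-HOOKED-BOOTSTRAP")


def read_sector(path: str, lba: int = 0) -> bytes:
    """Read one sector from a disk image or, with enough privilege, a raw block device."""
    with open(path, "rb") as f:
        f.seek(lba * SECTOR)
        return f.read(SECTOR)


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check_mbr(sector, BASELINE) or "OK")
    print("unallocated:", unallocated_gaps(parse_mbr(CLEAN)))
```

The baseline must come from a disk you trust, ideally captured right after installation and stored off the machine; a check run from inside the infected operating system is only as good as the disk reads a bootkit lets it see, so run it from a clean boot environment against the detached drive.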

What's Your Opinion?

Do you believe there's a serious risk of criminals deploying bootkits in widespread attacks, or will they remain a tool for more focused targeting? Do you think it's realistic to try to tackle bootkits, or are they too fundamental a problem to solve?


Comments

Dennis Faas wrote:

As long as the hard drive's boot sector is not checked / attempted to load during a boot / reboot / power on, then there is no way for the malware to load. In this case, the rootkit / bootkit can be removed if the hard drive is removed from the computer's boot sequence (perhaps by removing it from the computer entirely), then re-attached in a safe environment (perhaps via an external enclosure) after a clean operating system or bootable antivirus has been loaded. Of course this will only work if the antivirus has the capability to detect and remove the rootkit / bootkit.

Boots66 wrote:

From what I read above in your article, Dennis, it seems that the only way to clear out CRAP like this, and sadly it means the drive gets totally wiped, is to use a program (if it is still out there) called WIPE. I used it in the past at a different job to totally clean off HDDs before they went out the door; it wrote, read and then rewrote ???'s or the code for a ? to every single location on the HDD, including the MBR (Master Boot Record). Then you had to do a low-level format of the HDD to re-form the MBR, and then you could reuse the HDD. How sad that we have people out there that have nothing but useless time on their hands to pull this off!

Dennis Faas wrote:

A low-level format would basically do the same using Windows, as far as I understand; just don't use the 'quick' format option. You can also use Darik's Boot and Nuke (DBAN) to do a low-level format @ www.dban.org.

nate04pa wrote:

1. I thought that the "Secure Boot" system would not allow this type of code to execute. Of course there are millions of PCs that do not have this feature or it has been disabled.

2. Wouldn't booting from a Windows repair disk and rewriting the MBR take care of this problem?

Dennis Faas wrote:

Secure Boot should provide protection against MBR (master boot record) attacks, provided the UEFI (Unified Extensible Firmware Interface) is not modifiable through the operating system. There was already an article at PCWorld showing that UEFI can be hacked and the boot record modified in this manner.

ronbh wrote:

This sounds like something a government has developed and has escaped into the wild.

inuvato_6208 wrote:

There was something similar that was used by the NSA, leaked by Snowden, referred to as "Bulldozer". When initiated it would work during POST and insert itself into the BIOS as an extension or option ROM. It is a magic backdoor/bypass that is persistently embedded in the BIOS and hardware, can't be detected, and has real-mode access to the targeted system. The amount of code is very small and I'm not sure if it could be removed by a BIOS update. I worked on a special forensic recovery for one of my friends and I was trying to make a custom option ROM to access a severely damaged system. Well, the magic or madness of the making is that there is a very small amount of space, and to make it work there is a dance, but some parts are never really wiped when flashed. Kind of like how you can't delete something if it's loaded, and then it comes back out of cache or prefetch/swap.

dbrumley3077 wrote:

How does the infection happen in the first place?

Dennis Faas wrote:

Malware, viruses and rootkits all usually infect in the same manner. Malicious code is executed (think: infected email, download, etc.), and if your system is not up to date (Windows updates, antivirus, etc.) then you get infected.

dbrumley3077 wrote:

So the trick is to avoid the infection in the first place, pretty much like all malware except the damage can be far greater. Plus it's harder to detect after the damage is done, let alone remove, and since there is no outward appearance of an infection, it could go on for a long time before being found and neutralized, if ever. Lovely. It definitely pays to follow the news on sites such as this. Knowledge is the best defense.

Doccus wrote:

I'm pretty sure that in the past my multiboot software had a facility that compared the boot record to a backup copy and replaced it if it were corrupted. I think it existed on a 2MB partition or so. I haven't used it in many years though... System Commander, I think it was called, although I'm not sure. Wouldn't something like this be the answer? Since these bootkits are more than likely to increase in number in future, I think it may well be warranted...

Dennis Faas wrote:

Disk images backup the boot record, so if you want to protect it you should get something like Acronis True Image and make backups on a regular basis.
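The backup-and-compare idea in the two comments above, as an added example that is not part of the thread and is not Acronis's, System Commander's or Windows' repair code: it saves sector 0 of a disk to a file together with its hash, later detects that the bootstrap code has changed, and restores only those 446 bytes so that a partition table legitimately changed after the backup is preserved. It is plain Python meant to run from a clean boot environment against a disk image, or the raw device of a drive attached in an external enclosure as described earlier in the thread; the 4 KiB image layout, the stand-in partition tables and the paths in demo() are constructed for the demo. The caveat practitioners care about: this repairs the boot record only, and anything the bootkit stored elsewhere on the drive stays put, which is why the article's advice is to wipe.

```python
"""Back up a boot sector and restore only its bootstrap code (added example; not from
the article, Acronis, System Commander or Windows' repair tools).  disk_path is an
assumption: a disk image, or the raw device of a drive attached to a clean system.
"""
import hashlib
import os
import tempfile

SECTOR = 512
BOOT_CODE_LEN = 446   # 0..445 bootstrap code; 446..509 partition table; 510..511 signature
BOOT_SIG = b"\x55\xaa"


def backup_boot_sector(disk_path: str, backup_path: str) -> str:
    """Copy sector 0 to backup_path and return its sha256, to be kept with the backup."""
    with open(disk_path, "rb") as disk:
        sector = disk.read(SECTOR)
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        raise ValueError("sector 0 of %s does not look like an MBR" % disk_path)
    with open(backup_path, "wb") as out:
        out.write(sector)
    return hashlib.sha256(sector).hexdigest()


def boot_code_matches(disk_path: str, backup_path: str) -> bool:
    """Compare only the bootstrap code; partition-table edits are legitimate and ignored."""
    with open(disk_path, "rb") as disk, open(backup_path, "rb") as bak:
        return disk.read(BOOT_CODE_LEN) == bak.read(BOOT_CODE_LEN)


def restore_boot_code(disk_path: str, backup_path: str) -> bool:
    """Rewrite bytes 0..445 from the backup, keeping the partition table now on disk.

    Writing the whole 512-byte backup back would also revert the partition table,
    which silently breaks a disk repartitioned since the backup.  Returns True if
    the sector was changed.  Only the boot-record hook is removed; anything the
    bootkit stored elsewhere on the drive is untouched."""
    with open(backup_path, "rb") as bak:
        good_code = bak.read(BOOT_CODE_LEN)
    with open(disk_path, "r+b") as disk:
        if disk.read(BOOT_CODE_LEN) == good_code:
            return False
        disk.seek(0)
        disk.write(good_code)
        disk.flush()
        os.fsync(disk.fileno())
    return True


def demo() -> dict:
    """Constructed round trip on a temporary 4 KiB disk image."""
    code = b"PLACEHOLDER-CLEAN-BOOTSTRAP".ljust(BOOT_CODE_LEN, b"\x00")
    table_v1 = bytes(range(64))                       # stand-in partition table
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "disk.img")
        bak = os.path.join(tmp, "mbr.bak")
        with open(disk, "wb") as f:
            f.write(code + table_v1 + BOOT_SIG + b"\x00" * (4096 - SECTOR))
        digest = backup_boot_sector(disk, bak)
        # Later: the user repartitions (legitimate) and a bootkit swaps the code (not).
        table_v2 = bytes(reversed(range(64)))
        with open(disk, "r+b") as f:
            f.write(b"PLACEHOLDER-HOOKED-BOOTSTRAP")
            f.seek(BOOT_CODE_LEN)
            f.write(table_v2)
        detected = not boot_code_matches(disk, bak)
        changed = restore_boot_code(disk, bak)
        with open(disk, "rb") as f:
            after = f.read(SECTOR)
        return {"backup_sha256": digest,
                "detected": detected,
                "restored": changed,
                "code_ok": after[:BOOT_CODE_LEN] == code,
                "table_kept": after[BOOT_CODE_LEN:510] == table_v2,
                "idempotent": restore_boot_code(disk, bak) is False}


if __name__ == "__main__":
    print(demo())
```

Store the backup and its hash somewhere the machine cannot reach, since a bootkit with the run of the disk can rewrite a backup kept on the same drive; and verify from the clean environment, not from the suspect installation.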

inuvato_6208 wrote:

If you wanted to be confidently protected against this threat you could:
A) Run a virtual machine off a secured Linux host.
B) Run a LiveCD or LiveOS (so your operations are from external immutable media; that's OK).
C) Have a disconnected system that doesn't install or use apps or media from outside and is almost never shut down.
All three are real solutions that are applied for high security or risk, where accountability and assurance take precedence over all.

Because the issue is that if it happened you'd never know, and if you did find it, it would be forensically. Any actions taken against the system and its users were already done. A bootkit, just like a rootkit and most viruses, is a polymorphic 'solution'. The bootkit would be, pun intended, a "bootstrap operation" to infiltrate the system in real mode before the OS and its apps/services load. Then it would subvert the system and bring in the rest of its "team", like a rootkit and a log poisoner, to cloak its actions, and then who knows? Who would, right?... Never happened.