What Is a Bootkit, and Is Nemesis a Genuine Threat?
The threat of picking up a virus is very real. The omnipresence of unseen forces working to attack our computers, to steal our identities and raid our bank accounts is a constant, but we hope that with the right amount of technical nous and a smattering of luck, everything will be okay.
However, as advanced as antivirus and other security software is, would-be attackers continue to find new, devilish vectors to disrupt your system. The bootkit is one of them. While not entirely new to the malware scene, there has been a general rise in their use and a definite intensification of their capabilities.
To understand what a bootkit is, we’ll first explain where the terminology comes from. A bootkit is a variant of a rootkit, a type of malware with the ability to conceal itself from your operating system and antivirus software. Rootkits are notoriously difficult to detect and remove. Each time you fire-up your system, the rootkit will grant an attacker continuous root level access to the system.
A rootkit can be installed for any number of reasons. Sometimes the rootkit will be used to install more malware, sometimes it will be used to create a “zombie” computer within a botnet, it can be used to steal encryption keys and passwords, or a combination of these and other attack vectors.
Boot-loader level (bootkit) rootkits replace or modify the legitimate boot loader with one of its attackers’ design, affecting the Master Boot Record, Volume Boot Record, or other boot sectors. This means that the infection can be loaded before the operating system, and thus can subvert any detect and destroy programs.
Their use is on the rise, and security experts have noted a number of attacks focused on monetary services, of which “Nemesis” is one of the most recently observed malware ecosystems.
A Security Nemesis?
No, not a Star Trek movie, but a particularly nasty variant of the bootkit. The Nemesis malware ecosystem comes with a wide array of attack capabilities, including file transfers, screen capture, keystroke logging, process injection, process manipulation, and task scheduling. FireEye, the cybersecurity company who first spotted Nemesis, also indicated that the malware includes a comprehensive system of backdoor support for a range of network protocols and communication channels, allowing for greater command and control once installed.
In a Windows system, the Master Boot Record (MBR) stores information relating to the disk, such as the number and layout of partitions. The MBR is vital to the boot process, containing the code which locates the active primary partition. Once this is found, control is passed to the Volume Boot Record (VBR) which resides on the first sector of the individual partition.
The Nemesis bootkit hijacks this process. The malware creates a custom virtual file system to store Nemesis components in the unallocated space between partitions, hijacking the original VBR by overwriting the original code with its own, in a system dubbed “BOOTRASH.”
“Prior to installation, the BOOTRASH installer gathers statistics about the system, including the operating system version and architecture. The installer is capable of deploying 32-bit or 64-bit versions of the Nemesis components depending on the system’s processor architecture. The installer will install the bootkit on any hard disk that has a MBR boot partition, regardless of the specific type of hard drive. However, if the partition uses the GUID Partition Table disk architecture, as opposed to the MBR partitioning scheme, the malware will not continue with the installation process.”
Then, each time the partition is called, the malicious code injects the awaiting Nemesis components into Windows. As a result, “the malware’s installation location also means it will persist even after re-installing the operating system, widely considered the most effective way to eradicate malware,” leaving an uphill struggle for a clean system.
Funnily enough, the Nemesis malware ecosystem does include its own uninstall feature. This would restore the original boot sector, and remove the malware from your system — but is only there in case the attackers need to remove the malware of their own accord.
UEFI Secure Boot
The Nemesis bootkit has largely affected financial organizations in order to gather data and siphon funds away. Their use doesn’t surprise Intel senior technical marketing engineer, Brian Richardson, who notes “MBR bootkits & rootkits have been a virus attack vector since the days of “Insert Disk in A: and Press ENTER to Continue.” He went onto explain that while Nemesis is undoubtedly a massively dangerous piece of malware, it may not affect your home system so readily.
Windows systems created in the last few years will have likely been formatted using a GUID Partition Table, with the underlying firmware based on UEFI. The BOOTRASH virtual file system creation portion of the malware relies on a legacy disk interrupt that won’t exist on systems booting with UEFI, while the UEFI Secure Boot signature check would block a bootkit during the boot process.
So those newer systems pre-installed with Windows 8 or Windows 10 may well be absolved of this threat, for now at least. However, it does illustrate a major issue with large companies failing to update their IT hardware. Those companies still using Windows 7, and in many places still using Windows XP, are exposing themselves and their customers to a major financial and data threat.
The Poison, The Remedy
Rootkits are tricky operators. Masters of obfuscation, they are designed to control a system for as long as possible, harvesting as much information as possible throughout that time. Antivirus and antimalware companies have taken note and a number of rootkit removal applications are now available to users:
Even with the chance of a successful removal on offer, many security experts agree that the only way to be 99% sure of a clean system is a complete drive format – so make sure to keep your system backed-up!