What Is a Bootkit, and Is Nemesis a Genuine Threat?
The threat of picking up a virus is very real. The omnipresence of unseen forces working to attack our computers, to steal our identities and raid our bank accounts is a constant, but we hope that with the right amount of technical nous and a smattering of luck, everything will be okay.
However, as advanced as antivirus and other security software is, would-be attackers continue to find new, devilish vectors to disrupt your system. The bootkit is one of them. While not entirely new to the malware scene, there has been a general rise in their use and a definite intensification of their capabilities.
To understand what a bootkit is, we’ll first explain where the terminology comes from. A bootkit is a variant of a rootkit, a type of malware with the ability to conceal itself from your operating system and antivirus software. Rootkits are notoriously difficult to detect and remove. Each time you fire-up your system, the rootkit will grant an attacker continuous root level access to the system.
A rootkit can be installed for any number of reasons. Sometimes the rootkit will be used to install more malware, sometimes it will be used to create a “zombie” computer within a botnet, it can be used to steal encryption keys and passwords, or a combination of these and other attack vectors.
Boot-loader level (bootkit) rootkits replace or modify the legitimate boot loader with one of its attackers’ design, affecting the Master Boot Record, Volume Boot Record, or other boot sectors. This means that the infection can be loaded before the operating system, and thus can subvert any detect and destroy programs.
Their use is on the rise, and security experts have noted a number of attacks focused on monetary services, of which “Nemesis” is one of the most recently observed malware ecosystems.
A Security Nemesis?
No, not a Star Trek movie, but a particularly nasty variant of the bootkit. The Nemesis malware ecosystem comes with a wide array of attack capabilities, including file transfers, screen capture, keystroke logging, process injection, process manipulation, and task scheduling. FireEye, the cybersecurity company who first spotted Nemesis, also indicated that the malware includes a comprehensive system of backdoor support for a range of network protocols and communication channels, allowing for greater command and control once installed.
In a Windows system, the Master Boot Record (MBR) stores information relating to the disk, such as the number and layout of partitions. The MBR is vital to the boot process, containing the code which locates the active primary partition. Once this is found, control is passed to the Volume Boot Record (VBR) which resides on the first sector of the individual partition.
The Nemesis bootkit hijacks this process. The malware creates a custom virtual file system to store Nemesis components in the unallocated space between partitions, hijacking the original VBR by overwriting the original code with its own, in a system dubbed “BOOTRASH.”
“Prior to installation, the BOOTRASH installer gathers statistics about the system, including the operating system version and architecture. The installer is capable of deploying 32-bit or 64-bit versions of the Nemesis components depending on the system’s processor architecture. The installer will install the bootkit on any hard disk that has a MBR boot partition, regardless of the specific type of hard drive. However, if the partition uses the GUID Partition Table disk architecture, as opposed to the MBR partitioning scheme, the malware will not continue with the installation process.”
Then, each time the partition is called, the malicious code injects the awaiting Nemesis components into Windows. As a result, “the malware’s installation location also means it will persist even after re-installing the operating system, widely considered the most effective way to eradicate malware,” leaving an uphill struggle for a clean system.
Funnily enough, the Nemesis malware ecosystem does include its own uninstall feature. This would restore the original boot sector, and remove the malware from your system — but is only there in case the attackers need to remove the malware of their own accord.
UEFI Secure Boot
The Nemesis bootkit has largely affected financial organizations in order to gather data and siphon funds away. Their use doesn’t surprise Intel senior technical marketing engineer, Brian Richardson, who notes “MBR bootkits & rootkits have been a virus attack vector since the days of “Insert Disk in A: and Press ENTER to Continue.” He went onto explain that while Nemesis is undoubtedly a massively dangerous piece of malware, it may not affect your home system so readily.
Windows systems created in the last few years will have likely been formatted using a GUID Partition Table, with the underlying firmware based on UEFI. The BOOTRASH virtual file system creation portion of the malware relies on a legacy disk interrupt that won’t exist on systems booting with UEFI, while the UEFI Secure Boot signature check would block a bootkit during the boot process.
So those newer systems pre-installed with Windows 8 or Windows 10 may well be absolved of this threat, for now at least. However, it does illustrate a major issue with large companies failing to update their IT hardware. Those companies still using Windows 7, and in many places still using Windows XP, are exposing themselves and their customers to a major financial and data threat.
The Poison, The Remedy
Rootkits are tricky operators. Masters of obfuscation, they are designed to control a system for as long as possible, harvesting as much information as possible throughout that time. Antivirus and antimalware companies have taken note and a number of rootkit removal applications are now available to users:
Even with the chance of a successful removal on offer, many security experts agree that the only way to be 99% sure of a clean system is a complete drive format – so make sure to keep your system backed-up!
There are well over a million apps in the Play Store, covering just about every topic imaginable. But there are others that haven’t made it into Google’s app store for one reason or another, and some of them are well worth investigating.
These apps are easy to install, so long as you know where to find them. Remember that in most cases you won’t be alerted when they are updated, so it’s a good idea to check back with the download location from time to time to ensure you’re always running the latest version.
Now, let’s take a look at the best apps you won’t find in the Play Store.
The official Amazon app is one of the most popular shopping apps on the Play Store, with tens of millions of downloads. But if you’re still using it instead of the Amazon Underground app, you’re missing out.
Download Amazon Underground direct from Amazon instead, and you’ll get the real deal. This app gives you all the usual shopping features along with access to the Amazon Appstore. More importantly, it includes Underground Apps, a selection of $20,000 worth of apps, games, and in-app purchases available for free.
With choice picks ranging from some of the best Android games like Monument Valley, Threes!, and Star Wars: Knights of the Old Republic, to powerful productivity suites like Office Suite Professional (normally $14.99), Amazon Underground is essential for all Android users.
Another way to get paid games on the cheap, Humble Bundle offers regular bundles of games at a price that you set yourself.
Each bundle consists of ten games. You get three if you pay more than a dollar; seven if you pay more than the average price across all users; an eighth for paying more than $6; and two more get unlocked once the total revenue for the bundle reaches a certain level.
When you make a purchase, you also get to choose how your money is used — you can split it between the game developers, a charity of your choice, and Humble Bundle itself.
You can download the Humble Bundle app direct to your device, which you can use to download and update your purchased games, but you must buy them through the website first.
Real Money Poker Apps
If poker’s your thing, you won’t find it on the Play Store. Or, at least, none of the official apps from real money services. While they’re prevalent on Apple’s App Store, Android users need to sideload them.
Virtually all popular poker services have mobile apps, including PokerStars.
They’re not always easily found on their respective websites, but a simple Google search will help you locate the Android app for your chosen service. Just be sure to only download it from the official site, and not anywhere else.
Xposed Framework Installer
The Xposed Framework Installer is the must-have app for rooted Android phones. It gives apps — or modules, as they’re called — the ability to make system-level changes to your device, of the kind you would have previously needed to flash a custom ROM to achieve.
Xposed Modules customize, tweak, and enhance your phone in pretty much every way imaginable. Some of the best Xposed Modules, including the permissions manager XPrivacy, can be downloaded through the Play Store. Others, such as theawesome GravityBox, need to be installed separately.
Tasker is one of the most powerful apps available for Android, and it is available through the Play Store. However, this automation tool has a very steep learning curve and isn’t something you can properly evaluate within Google’s 2-hour refund window.
So, before you choose to buy it, head over to the Tasker website and grab the trial version. It lasts for seven days, and you can even uninstall and reinstall it to extend your trial period further.
It is as comprehensive a file explorer as you can get, with a powerful search function, support for compressed file formats, integration with 19 cloud providers, built-in image and media players. Plus it has a text editor, full root capabilities, and lots more — all wrapped up in a customizable, Material-inspired design.
If you struggle to get a good night’s sleep, there’s a chance your smartphone use is to blame. Phone and tablet screens emit blue light at a frequency that tricks our brains into thinking it’s still daytime.
Short of not using your phone after sunset, the solution can be to use an app that filters the harmful blue light. It should help you sleep better and will reduce eyestrain as well.
The best blue-light filtering app for Android is CF.lumen, as it works in both root and non-root modes. You can download the app from the Play Store, through which you can unlock the advanced features via an in-app purchase. But if you download it straight from the source you can activate the Freeload mode, which enables you to unlock the Pro features without paying. Of course, if you like it, you should probably pay for it to support the developer.
That link also has versions that work on older devices — the Play Store one is Android 5.0 and later only.
Viper4Android is a very powerful audio equalizer app for rooted devices. You can use it to create and customize audio profiles for your phone’s internal speakers, as well as your headphones and Bluetooth audio devices.
It isn’t the easiest to use, but if you’re willing to invest the time to learn it, it can produce great results. The official version of this open source app can bedownloaded from here, while a thread with more information can be found over at xda-developers.com.
The version of V4A found in the Play Store is not the official one, by the way.
In these cases, you can trust the developers at Android enthusiast site XDA-Developers to pull the apps and make them more widely available.
The best recent example is the rather splendid keyboard app for the BlackBerry Priv. It’s fast and intelligent, very cleanly designed, and comes packed with the kind of shortcuts and tricks that were the hallmarks of the classic BlackBerry devices.
Remember, this is all very unofficial, so it’s liable to disappear, and you may encounter bugs with the software. Download from here.
Many of the apps that aren’t in the Play Store are absent for a reason. This usually means that they breach the Store’s terms of service in some way.
Sometimes this can be for innocuous reasons, such as the ban on third party app stores. Other times, it can be because they sit in a legal gray area. There are plenty of apps like this, some of which are pretty good. Videoder is a YouTube downloader that clearly breaches YouTube’s ToS, but may be legal under “fair use” laws.Transdroid is a stylish torrent management client, and Mobdro is a video-streaming app that works along similar lines to the controversial Popcorn Time.
Just remember that downloading from unofficial sources doesn’t give you the protections you get when when getting apps from the Play Store, and if you venture too far from the mainstream, you should be sure you know exactly what you’re downloading and where it came from.