What Is a Bootkit, and Is Nemesis a Genuine Threat?


The threat of picking up a virus is very real. The omnipresence of unseen forces working to attack our computers, to steal our identities and raid our bank accounts is a constant, but we hope that with the right amount of technical nous and a smattering of luck, everything will be okay.

However, as advanced as antivirus and other security software is, would-be attackers continue to find new, devilish vectors to disrupt your system. The bootkit is one of them. While not entirely new to the malware scene, there has been a general rise in their use and a definite intensification of their capabilities.

Let’s look at what a bootkit is, examine a variant of the bootkit, Nemesis, and consider what you can do to stay clear.

What Is A Bootkit?

To understand what a bootkit is, we’ll first explain where the terminology comes from. A bootkit is a variant of a rootkit, a type of malware with the ability to conceal itself from your operating system and antivirus software. Rootkits are notoriously difficult to detect and remove. Each time you fire up your system, the rootkit grants an attacker continuous root-level access to it.

A rootkit can be installed for any number of reasons. Sometimes the rootkit will be used to install more malware, sometimes it will be used to create a “zombie” computer within a botnet, it can be used to steal encryption keys and passwords, or a combination of these and other attack vectors.


Boot-loader level rootkits (bootkits) replace or modify the legitimate boot loader with one of the attacker’s own design, affecting the Master Boot Record, Volume Boot Record, or other boot sectors. This means the infection is loaded before the operating system, and so it can subvert any detection and removal tools that run afterwards.

Their use is on the rise, and security experts have noted a number of attacks focused on monetary services, of which “Nemesis” is one of the most recently observed malware ecosystems.

A Security Nemesis?

No, not a Star Trek movie, but a particularly nasty variant of the bootkit. The Nemesis malware ecosystem comes with a wide array of attack capabilities, including file transfers, screen capture, keystroke logging, process injection, process manipulation, and task scheduling. FireEye, the cybersecurity company who first spotted Nemesis, also indicated that the malware includes a comprehensive system of backdoor support for a range of network protocols and communication channels, allowing for greater command and control once installed.

In a Windows system, the Master Boot Record (MBR) stores information relating to the disk, such as the number and layout of partitions. The MBR is vital to the boot process, containing the code which locates the active primary partition. Once this is found, control is passed to the Volume Boot Record (VBR) which resides on the first sector of the individual partition.

The Nemesis bootkit hijacks this process. The malware creates a custom virtual file system to store Nemesis components in the unallocated space between partitions, hijacking the original VBR by overwriting the original code with its own, in a system dubbed “BOOTRASH.”

“Prior to installation, the BOOTRASH installer gathers statistics about the system, including the operating system version and architecture. The installer is capable of deploying 32-bit or 64-bit versions of the Nemesis components depending on the system’s processor architecture. The installer will install the bootkit on any hard disk that has a MBR boot partition, regardless of the specific type of hard drive. However, if the partition uses the GUID Partition Table disk architecture, as opposed to the MBR partitioning scheme, the malware will not continue with the installation process.”

Then, each time the partition is called, the malicious code injects the awaiting Nemesis components into Windows. As a result, “the malware’s installation location also means it will persist even after re-installing the operating system, widely considered the most effective way to eradicate malware,” leaving an uphill struggle for a clean system.
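As an added illustration, and not code from the article or from FireEye, the Python below parses a constructed MBR, lists the unallocated sector runs between partitions (the slack space where BOOTRASH hides its virtual file system), flags a GPT protective partition (the case in which the installer aborts), and baselines the MBR bootstrap code so a defender can spot an overwritten boot sector without false alarms from legitimate partition-table changes. The disk layout and partition sizes are assumptions made up for the demo.

```python
import hashlib
import struct
SECTOR = 512

def build_mbr(entries):
    """Construct a minimal MBR from (active, type, start_lba, sectors) tuples (demo data only)."""
    mbr = bytearray(SECTOR)
    for i, (active, ptype, start, count) in enumerate(entries):
        off = 446 + 16 * i                       # partition table starts at byte 446
        mbr[off] = 0x80 if active else 0x00      # boot indicator flag
        mbr[off + 4] = ptype                     # partition type byte
        struct.pack_into("<II", mbr, off + 8, start, count)  # LBA start, sector count
    mbr[510:512] = b"\x55\xaa"                   # boot sector signature
    return bytes(mbr)

def parse_mbr(mbr: bytes):
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        if ptype == 0x00:
            continue
        start, count = struct.unpack_from("<II", mbr, off + 8)
        parts.append({"active": mbr[off] == 0x80, "type": ptype, "start": start, "sectors": count})
    return parts

def is_gpt_protective(parts):
    """Type 0xEE marks a GPT protective MBR; the BOOTRASH installer stops here."""
    return any(p["type"] == 0xEE for p in parts)

def unallocated_gaps(parts, first_usable=1):
    """(start_lba, length) of sector runs owned by no partition: BOOTRASH's hiding place."""
    gaps, cursor = [], first_usable
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["sectors"])
    return gaps

def mbr_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only (bytes 0-439); the partition table and disk
    signature change legitimately, so they are excluded. Compare to a known-good baseline."""
    return hashlib.sha256(mbr[:440]).hexdigest()

# Constructed layout: active NTFS partition at LBA 2048, a 4096-sector hole, then a second partition.
SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 210944, 100000)])
```

On a live system the same functions would be fed the first 512 bytes read from the physical disk and the baseline hash stored from a known-clean image.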

Funnily enough, the Nemesis malware ecosystem does include its own uninstall feature. This would restore the original boot sector, and remove the malware from your system — but is only there in case the attackers need to remove the malware of their own accord.

UEFI Secure Boot

The Nemesis bootkit has largely affected financial organizations in order to gather data and siphon funds away. Its use doesn’t surprise Intel senior technical marketing engineer Brian Richardson, who notes: “MBR bootkits & rootkits have been a virus attack vector since the days of ‘Insert Disk in A: and Press ENTER to Continue.’” He went on to explain that while Nemesis is undoubtedly a massively dangerous piece of malware, it may not affect your home system so readily.

UEFI vs BIOS

Windows systems created in the last few years will have likely been formatted using a GUID Partition Table, with the underlying firmware based on UEFI. The BOOTRASH virtual file system creation portion of the malware relies on a legacy disk interrupt that won’t exist on systems booting with UEFI, while the UEFI Secure Boot signature check would block a bootkit during the boot process.

So those newer systems pre-installed with Windows 8 or Windows 10 may well be absolved of this threat, for now at least. However, it does illustrate a major issue with large companies failing to update their IT hardware. Those companies still using Windows 7, and in many places still using Windows XP, are exposing themselves and their customers to a major financial and data threat.

The Poison, The Remedy

Rootkits are tricky operators. Masters of obfuscation, they are designed to control a system for as long as possible, harvesting as much information as possible throughout that time. Antivirus and antimalware companies have taken note and a number of rootkit removal applications are now available to users:

Even with the chance of a successful removal on offer, many security experts agree that the only way to be 99% sure of a clean system is a complete drive format – so make sure to keep your system backed up!

Have you experienced a rootkit, or even a bootkit? How did you clean your system up? Let us know below!
