“Nemesis” malware hijacks PC’s boot process to gain stealth, persistence | Ars Technica

12/22/2015, http://arstechnica.com/security/2015/12/nemesis-malware-hijacks-pcs-boot-process-to-gain-stealth-persistence/

“Nemesis” malware hijacks PC’s boot process to gain stealth, persistence

Bootkit targeting banks and payment card processors hard to detect and remove.

Further reading: World’s first (known) bootkit for OS X can permanently backdoor Macs. Thunderstrike allows anyone with even brief access to install stealthy malware.

Malware targeting banks, payment card processors, and other financial services has found an effective way to remain largely undetected as it plucks sensitive card data out of computer memory. It hijacks the computer's boot-up routine in a way that allows highly intrusive code to run even before the Windows operating system loads.

The so-called bootkit has been in operation since early this year and is part of "Nemesis," a suite of malware that includes programs for transferring files, capturing screens, logging keystrokes, injecting processes, and carrying out other malicious actions on an infected computer. Its ability to modify the legitimate volume boot record makes it possible for the Nemesis components to load before Windows starts. That makes the malware hard to detect and remove using traditional security approaches. Because the infection lives in such a low-level portion of a hard drive, it can also survive when the operating system is completely reinstalled.

"The use of malware that persists outside of the operating system requires a different approach to detection and eradication," researchers from security firm FireEye's Mandiant Consulting wrote in a blog post published Monday. "Malware with bootkit functionality can be installed and executed almost completely independent of the Windows operating system. As a result, incident responders will need tools that can access and search raw disks at scale for evidence of bootkits."

by Dan Goodin - Dec 7, 2015 11:51pm IST

[Figure: FireEye]

Nemesis is by no means the first malware to hijack a computer's normal boot process to gain persistence and stealth. TDL, a Windows rootkit that also goes by the name Alureon, has been doing the same thing for more than five years. Early this year, a security researcher created a proof-of-concept attack for Macs that covertly replaced the firmware that boots up most modern OS X machines. (Apple has since patched the weakness.) Still, the adoption of the technique by Nemesis is an indication it is becoming more viable in real-world computer attacks, particularly those targeting financial institutions.

The volume boot record is a small piece of code specific to an operating system that's located in the first sector in an individual partition. It contains instructions for the OS code to begin the boot process. The process typically looks like this:

[Figure: the normal boot process (FireEye)]

Nemesis hijacks the normal sequence using an installer dubbed "BOOTRASH." It invokes a multi-step process that involves the creation of a virtual file system that stores malicious components in unallocated space between partitions. In Monday's post the researchers wrote:

Prior to installation, the BOOTRASH installer gathers statistics about the system, including the operating system version and architecture. The installer is capable of deploying 32-bit or 64-bit versions of the Nemesis components depending on the system’s processor architecture. The installer will install the bootkit on any hard disk that has a MBR boot partition, regardless of the specific type of hard drive. However, if the partition uses the GUID Partition Table disk architecture, as opposed to the MBR partitioning scheme, the malware will not continue with the installation process.

The malware checks to make sure a copy of the BOOTRASH installer is not already running on the system. It also checks to see if the Microsoft .NET 3.5 framework is installed on the system, a prerequisite for the malware. If the installer is already running or the .NET framework is not installed, the malware will quit.


The researchers went on to write:

The bootkit intercepts several system interrupts to assist with the injection of the primary Nemesis components during the boot process. The bootkit hijacks the BIOS interrupt[6] responsible for miscellaneous system services and patches the associated Interrupt Vector Table entry so it can intercept memory queries once the operating system loader gains control. The bootkit then passes control to the original VBR to allow the boot process to continue. While the operating system is being loaded, the bootkit also intercepts the interrupt and scans the operating system loader memory for a specific instruction that transfers the CPU from real mode to protected mode.[7] This allows the bootkit to patch the Interrupt Descriptor Table each time the CPU changes from real mode to protected mode. This patch involves a modified interrupt handler that redirects control to the bootkit every time a specific address is executed. This is what allows the bootkit to detect and intercept specific points of the operating system loader execution and inject Nemesis components as part of the normal kernel loading.

The malware code is stored either in the virtual file system or in the Windows registry, making it largely invisible to normal antivirus programs. That leaves live memory as one of the only places where the malware can be detected. What's more, unless the bootkit and virtual file system components are removed, the malware will execute and load every time the system starts even if the operating system partition has been wiped and the OS is reinstalled. To eradicate the malware, system administrators must perform a physical wipe and then reload the operating system. Significantly, Nemesis won't install itself on computers that use GUID partitions, which were introduced as part of the Extensible Firmware Interface initiative and are an alternative to the older master boot record. At least for now, use of this newer technology is a key way financial services firms can protect themselves from this threat.
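The raw-disk search Mandiant calls for, and the two facts the article gives about BOOTRASH (it skips GPT disks, and it parks its virtual file system in unallocated space between partitions), can be turned into a small offline checker. The following Python is an added example, not code from the article or from FireEye: it parses an MBR partition table, reports GPT disks, hashes each partition's volume boot record against a known-good baseline, and flags non-zero data in the gaps between partitions; the 2 MiB disk image, its partition layout and the baseline are all constructed here for illustration.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(disk):
    """Return (type, start_lba, sectors) for each used MBR partition entry."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    entries = [struct.unpack_from("<B3xII", disk, off) for off in range(450, 510, 16)]
    return [e for e in entries if e[0]]  # non-zero type byte means the entry is in use

def vbr_hash(disk, lba):
    return hashlib.sha256(disk[lba * SECTOR:(lba + 1) * SECTOR]).hexdigest()  # first sector = VBR

def data_in_gaps(disk, parts):
    """Unallocated sector ranges between partitions that hold non-zero bytes."""
    hits, cursor = [], 1  # sector 0 is the MBR itself
    for _, start, size in sorted(parts, key=lambda p: p[1]):
        if start > cursor and any(disk[cursor * SECTOR:start * SECTOR]):
            hits.append((cursor, start - 1))
        cursor = max(cursor, start + size)
    return hits

def check_disk(disk, baseline):
    """baseline maps partition start LBA to the known-good VBR hash from a trusted image."""
    parts = parse_mbr(disk)
    if any(p[0] == 0xEE for p in parts):  # protective MBR => GPT disk, which BOOTRASH skips
        return {"gpt": True, "vbr_mismatch": [], "gap_data": []}
    bad = [s for _, s, _ in parts if vbr_hash(disk, s) != baseline.get(s)]
    return {"gpt": False, "vbr_mismatch": bad, "gap_data": data_in_gaps(disk, parts)}

def build_sample(tampered):
    """Constructed 2 MiB MBR image with two NTFS partitions at LBA 64 and LBA 1100."""
    disk = bytearray(SECTOR * 4096)
    disk[510:512] = b"\x55\xaa"
    for i, (start, size) in enumerate([(64, 1000), (1100, 800)]):
        struct.pack_into("<B3xII", disk, 450 + 16 * i, 0x07, start, size)  # type, CHS pad, LBA, size
        disk[start * SECTOR:start * SECTOR + 11] = b"\xebR\x90NTFS    "  # NTFS VBR jump + OEM id
    if tampered:  # simulate a bootkit: patched VBR entry jump, payload parked between partitions
        disk[64 * SECTOR:64 * SECTOR + 3] = b"\xeb\x3e\x90"
        disk[1070 * SECTOR:1070 * SECTOR + 8] = b"VFSDATA!"
    return bytes(disk)

def demo():
    clean = build_sample(False)
    baseline = {s: vbr_hash(clean, s) for _, s, _ in parse_mbr(clean)}
    return check_disk(build_sample(True), baseline)
```

Against a real system you would feed check_disk a raw device or forensic image instead of build_sample. Legitimate boot loaders also keep data in the gap right after the MBR, so baseline that region from a known-clean machine rather than treating any non-zero bytes there as hostile.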

     Post updated in the last paragraph to add details about GUID partitioning.

PROMOTED COMMENTS

microlith (Ars Tribunus Militum) wrote:

sprockkets wrote:


    InfernoBlade wrote:

Haven't most Windows systems shipped since Windows 7 or so came out used UEFI + GPT-formatted disks by default? It's a novel trick and all, hijacking the system that way, but it seems like something from 10 years ago, not something that'd be in active use today given the percentage of UEFI-based systems has been going up steadily.

True, but I've never seen a win7 use uefi for one reason or another. Started with win8 iirc.

Correct, the Win8 OEM guidelines required UEFI + Secure Boot support. And even if Win7 were booting UEFI, it doesn't support secure boot so it could be trivially intercepted.

That said, this attack is against a population with a penchant for running ancient, decrepit systems so they may be vulnerable for some time going forward. Inexcusable, really, but they'll react only after losing enough money.

    2220 posts | registered Aug 2, 1999

mr_nobody (Smack-Fu Master, in training) wrote:

Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.

When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system.

Windows Secure Boot Sequence:

1) After the PC is turned on, the signature databases are each checked against the platform key.

2) If the firmware is not trusted, the UEFI firmware must initiate OEM-specific recovery to restore trusted firmware.

3) If there is a problem with Windows Boot Manager, the firmware will attempt to boot a backup copy of Windows Boot Manager. If this also fails, the firmware must initiate OEM-specific remediation.

4) After Windows Boot Manager has started running, if there is a problem with the drivers or NTOS kernel, Windows Recovery Environment (Windows RE) is loaded so that these drivers or the kernel image can be recovered.

5) Windows loads antimalware software.

6) Windows loads other kernel drivers and initializes the user mode processes.

So, if you use Secure Boot (which uses UEFI) this kind of attack is mitigated.

mr_nobody, Smack-Fu Master, in training