“Nemesis” malware hijacks PC’s boot process to gain stealth, persistence | Ars Technica
12/22/2015 http://arstechnica.com/security/2015/12/nemesis-malware-hijacks-pcs-boot-process-to-gain-stealth-persistence/
FURTHER READING: World's first (known) bootkit for OS X can permanently backdoor Macs. Thunderstrike allows anyone with even brief access to install stealthy malware. (http://arstechnica.com/security/2015/01/worlds-first-known-bootkit-for-os-x-can-permanently-backdoor-macs/)
“Nemesis” malware hijacks PC’s boot process to gain stealth, persistence

Bootkit targeting banks and payment card processors hard to detect and remove.
Malware targeting banks, payment card processors, and other financial services has found an effective
way to remain largely undetected as it plucks sensitive card data out of computer memory. It hijacks
the computer's boot-up routine in a way that allows highly intrusive code to run even before the
Windows operating system loads.
The so-called bootkit has been in operation since early this year and is part of "Nemesis," a suite of malware that includes programs for transferring files, capturing screens, logging keystrokes, injecting processes, and carrying out other malicious actions on an infected computer. Its ability to modify the legitimate volume boot record makes it possible for the Nemesis components to load before Windows starts. That makes the malware hard to detect and remove using traditional security approaches. Because the infection lives in such a low-level portion of a hard drive, it can also survive when the operating system is completely reinstalled.

"The use of malware that persists outside of the operating system requires a different approach to detection and eradication," researchers from security firm FireEye's Mandiant Consulting wrote in a blog post published Monday (http://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html). "Malware with bootkit functionality can be installed and executed almost completely independent of the Windows operating system. As a result, incident responders will need tools that can access and search raw disks at scale for evidence of bootkits."

by Dan Goodin - Dec 7, 2015 11:51pm IST

(Image credit: FireEye)
Nemesis is by no means the first malware to hijack a computer's normal boot process to gain persistence and stealth. TDL, a Windows rootkit that also goes by the name Alureon, has been doing the same thing for more than five years (http://m.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/). Early this year, a security researcher created a proof-of-concept attack for Macs that covertly replaced the firmware that boots up most modern OS X machines. (Apple has since patched the weakness.) Still, the adoption of the technique by Nemesis is an indication it is becoming more viable in real-world computer attacks, particularly those targeting financial institutions.
The volume boot record (VBR) is a small piece of OS-specific code stored in the first sector of an individual partition. Firmware loads the master boot record from sector 0 of the disk, the MBR code finds the active partition and hands control to that partition's VBR, and the VBR in turn locates and starts the operating system's boot loader. The process typically looks like this (the accompanying FireEye diagram is not reproduced here).
Nemesis hijacks the normal sequence using an installer dubbed "BOOTRASH." It invokes a multi-
step process that involves the creation of a virtual file system that stores malicious components in
unallocated space between partitions. In Monday's post the researchers wrote:
Prior to installation, the BOOTRASH installer gathers statistics about the system, including the
operating system version and architecture. The installer is capable of deploying 32-bit or 64-bit
versions of the Nemesis components depending on the system’s processor architecture. The
installer will install the bootkit on any hard disk that has a MBR boot partition, regardless of the
specific type of hard drive. However, if the partition uses the GUID Partition Table disk
architecture, as opposed to the MBR partitioning scheme, the malware will not continue with
the installation process.
The malware checks to make sure a copy of the BOOTRASH installer is not already running on the system. It also checks to see if the Microsoft .NET 3.5 framework is installed on the system, a prerequisite for the malware. If the installer is already running or the .NET framework is not installed, the malware will quit.
The researchers went on to write:
The bootkit intercepts several system interrupts to assist with the injection of the primary
Nemesis components during the boot process. The bootkit hijacks the BIOS interrupt[6]
responsible for miscellaneous system services and patches the associated Interrupt Vector Table
entry so it can intercept memory queries once the operating system loader gains control. The
bootkit then passes control to the original VBR to allow the boot process to continue. While the
operating system is being loaded, the bootkit also intercepts the interrupt and scans the
operating system loader memory for a specific instruction that transfers the CPU from real
mode to protected mode.[7] This allows the bootkit to patch the Interrupt Descriptor Table each
time the CPU changes from real mode to protected mode. This patch involves a modified
interrupt handler that redirects control to the bootkit every time a specific address is executed.
This is what allows the bootkit to detect and intercept specific points of the operating system
loader execution and inject Nemesis components as part of the normal kernel loading.
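The passage above describes BOOTRASH patching an entry in the real-mode interrupt vector table so that it sits in front of the BIOS miscellaneous system services interrupt (INT 15h) and sees the loader's memory queries. The following is an added example, not FireEye's or Ars Technica's code, of the check an analyst can run over the first kilobyte of a physical memory capture: it parses the 256 segment:offset vectors and flags watched vectors whose handler resolves outside the BIOS/option-ROM window. The 0xC0000-0xFFFFF ROM window is an assumption taken from the classic PC BIOS memory map, and the IVT bytes are constructed here rather than dumped from an infected host.

```python
"""Flag real-mode interrupt vectors that no longer point into BIOS ROM.

Added example; it is not FireEye's or Ars Technica's code. The interrupt
vector table (IVT) is the first 1024 bytes of physical memory: 256 entries,
each a little-endian 16-bit offset followed by a 16-bit segment. On a classic
PC BIOS memory map (assumed here) the handlers installed by the system BIOS
and option ROMs live in 0xC0000-0xFFFFF, so a vector for INT 13h (disk) or
INT 15h (miscellaneous services, the one BOOTRASH patches) that resolves to
conventional RAM below 0xA0000 is worth a closer look. The IVT bytes below
are constructed; they are not a dump from an infected machine.
"""
import struct

IVT_SIZE = 256 * 4
ROM_LO, ROM_HI = 0xC0000, 0xFFFFF  # option-ROM and system-BIOS window (assumed)
WATCHED = {0x13: "disk services", 0x15: "misc system services"}


def linear(seg, off):
    """Real-mode segment:offset -> 20-bit linear address (wraps like an 8086)."""
    return ((seg << 4) + off) & 0xFFFFF


def parse_ivt(mem):
    """Return {int_no: (segment, offset, linear)} for all 256 vectors."""
    if len(mem) < IVT_SIZE:
        raise ValueError("need at least the first 1024 bytes of physical memory")
    table = {}
    for n in range(256):
        off, seg = struct.unpack_from("<HH", mem, n * 4)
        table[n] = (seg, off, linear(seg, off))
    return table


def suspicious_vectors(mem, watched=WATCHED):
    """Return {int_no: linear} for watched vectors whose handler is outside ROM.

    Caveat: a vector in RAM is a lead, not proof. Memory managers, boot
    loaders and BIOSes that shadow themselves into RAM can legitimately
    re-point vectors; compare against a clean boot of the same hardware.
    """
    table = parse_ivt(mem)
    return {n: table[n][2] for n in watched if not ROM_LO <= table[n][2] <= ROM_HI}


def build_ivt(hook_int15=False):
    """Constructed IVT: every vector in the F000 BIOS segment, optionally with
    INT 15h re-pointed to 9F00:0000 near the top of conventional memory, an
    illustrative location for code a bootkit has hidden from the OS loader."""
    mem = bytearray(IVT_SIZE)
    for n in range(256):
        struct.pack_into("<HH", mem, n * 4, 0x0100 + n * 0x10, 0xF000)
    if hook_int15:
        struct.pack_into("<HH", mem, 0x15 * 4, 0x0000, 0x9F00)
    return bytes(mem)


if __name__ == "__main__":
    for label, img in (("clean", build_ivt()), ("hooked", build_ivt(hook_int15=True))):
        hits = {hex(k): hex(v) for k, v in suspicious_vectors(img).items()}
        print(label, hits or "all watched vectors in ROM")
```

The same parser works on the first 1KB of a full physical-memory image taken from a suspended VM or a cold-boot capture; the interesting comparison is between the table observed after the OS loader has run and the table the firmware installed on a known-clean boot of the same hardware.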
The malware code is stored either in the virtual file system or in the Windows registry, making it largely invisible to normal antivirus programs. That leaves live memory as one of the only places where the malware can be detected. What's more, unless the bootkit and virtual file system components are removed, the malware will execute and load every time the system starts, even if the operating system partition has been wiped and the OS reinstalled. To eradicate the malware, system administrators must perform a physical wipe of the disk, including the boot record and the unallocated space between partitions, and then reload the operating system. Significantly, Nemesis won't install itself on computers that use GUID partitions, which were introduced as part of the Extensible Firmware Interface initiative and are an alternative to the older master boot record. That is a check made by the installer rather than a technical barrier, but at least for now, use of this newer partitioning scheme, paired with UEFI Secure Boot where the hardware and operating system support it, is a key way financial services firms can protect themselves from this threat.
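The Mandiant researchers quoted earlier say responders need tools that search raw disks at scale for bootkits, and the article explains that BOOTRASH patches the volume boot record, parks its components in unallocated space between partitions, and refuses to install on GPT disks. The following is an added example, not FireEye's or Ars Technica's code, of a minimal triage pass that does exactly that against a raw disk image: it parses the MBR partition table, stops on a GPT disk (recognised by the protective 0xEE entry), hashes each partition's first sector against a known-good baseline, and reports non-zero sectors in the gaps between partitions. The 32-sector image, the "clean" NTFS-style VBR and the baseline hashes are constructed here for illustration; on a real fleet the baseline would come from a gold image or a trusted copy of each boot sector.

```python
"""Raw-disk triage for MBR/VBR bootkits such as Nemesis/BOOTRASH.

Added example, not FireEye's or Ars Technica's code. Given a raw disk image it
(1) parses the MBR partition table, (2) stops on a GPT disk, which carries a
protective MBR entry of type 0xEE and which BOOTRASH skips, (3) hashes each
partition's first sector (the VBR) against a known-good baseline and (4) lists
non-zero sectors in the unallocated gaps between partitions, where BOOTRASH
keeps its virtual file system. The 32-sector image and the 'clean' VBR are
constructed here for illustration.
"""
import hashlib
import struct

SECTOR = 512
GPT_PROTECTIVE = 0xEE


def parse_mbr(mbr):
    """Return [(type, start_lba, sector_count)] for used primary entries, ordered by start."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0xAA55 boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((ptype, start_lba, count))
    return sorted(parts, key=lambda p: p[1])


def vbr_digest(img, start_lba):
    """SHA-256 of the partition's first sector, i.e. its volume boot record."""
    return hashlib.sha256(img[start_lba * SECTOR:(start_lba + 1) * SECTOR]).hexdigest()


def scan_image(img, baseline):
    """Return a list of findings (strings); an empty list means nothing stood out.

    baseline maps a partition's start LBA to the SHA-256 of its known-good VBR.
    """
    parts = parse_mbr(img[:SECTOR])
    if any(p[0] == GPT_PROTECTIVE for p in parts):
        return ["gpt-disk: protective MBR present; BOOTRASH does not install on GPT"]
    findings = []
    for ptype, start, count in parts:
        digest = vbr_digest(img, start)
        if start not in baseline:
            findings.append(f"no-baseline: partition at lba {start} (type 0x{ptype:02x})")
        elif digest != baseline[start]:
            findings.append(f"vbr-modified: lba {start} sha256 {digest[:16]}")
    # Unallocated space: sector 1 up to the first partition, then each inter-partition gap.
    # The MBR gap often holds legitimate code (e.g. GRUB's core.img), so treat hits as
    # leads to inspect, not as proof of infection.
    cursor = 1
    for _, start, count in parts:
        used = [lba for lba in range(cursor, start) if any(img[lba * SECTOR:(lba + 1) * SECTOR])]
        if used:
            findings.append(f"unallocated-data: {len(used)} non-empty sector(s) from lba {used[0]}")
        cursor = start + count
    return findings


# Constructed NTFS-style VBR: jump, "NTFS    " OEM ID, zeroed BPB/code, boot signature.
CLEAN_VBR = b"\xeb\x52\x90NTFS    " + bytes(SECTOR - 13) + b"\x55\xaa"
BASELINE = {8: hashlib.sha256(CLEAN_VBR).hexdigest(), 28: hashlib.sha256(CLEAN_VBR).hexdigest()}


def build_image(infected=False, gpt=False):
    """32-sector image: MBR at 0, partition A at lba 8 (16 sectors), partition B at lba 28 (4)."""
    img = bytearray(32 * SECTOR)

    def entry(idx, ptype, start, count):
        off = 446 + 16 * idx
        img[off] = 0x80 if idx == 0 else 0x00   # active flag on the first entry
        img[off + 4] = ptype
        struct.pack_into("<II", img, off + 8, start, count)

    if gpt:
        entry(0, GPT_PROTECTIVE, 1, 31)
    else:
        entry(0, 0x07, 8, 16)
        entry(1, 0x07, 28, 4)
        img[8 * SECTOR:9 * SECTOR] = CLEAN_VBR
        img[28 * SECTOR:29 * SECTOR] = CLEAN_VBR
    img[510:512] = b"\x55\xaa"
    if infected:
        img[8 * SECTOR + 1] = 0x7c                        # patched jump in partition A's VBR (illustrative)
        img[25 * SECTOR:25 * SECTOR + 11] = b"BOOTKIT-VFS"  # payload parked between the partitions
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("clean", build_image()), ("infected", build_image(infected=True)),
                       ("gpt", build_image(gpt=True))):
        print(label, scan_image(img, BASELINE) or "nothing found")
```

To run this against a real disk, read the device (for example /dev/sda, or \\.\PhysicalDrive0 on Windows) in sector-sized chunks instead of loading the whole image; only sector 0, each partition's first sector and the gap sectors are needed, which is what makes the check cheap enough to run fleet-wide.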
Post updated in the last paragraph to add details about GUID partitioning.
PROMOTED COMMENTS

microlith (Ars Tribunus Militum) wrote:

InfernoBlade wrote:
Haven't most Windows systems shipped since Windows 7 or so came out used UEFI + GPT-formatted disks by default? It's a novel trick and all, hijacking the system that way, but it seems like something from 10 years ago, not something that'd be in active use today given the percentage of UEFI-based systems has been going up steadily.

sprockkets wrote:
True, but I've never seen a Win7 use UEFI for one reason or another. Started with Win8 IIRC.
Correct, the Win8 OEM guidelines required UEFI + Secure Boot support. And even if Win7 were booting UEFI, it
doesn't support secure boot so it could be trivially intercepted.
That said, this attack is against a population with a penchant for running ancient, decrepit systems so they may be
vulnerable for some time going forward. Inexcusable, really, but they'll react only after losing enough money.
2220 posts | registered Aug 2, 1999
mr_nobody (Smack-Fu Master, in training) wrote:

Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.

When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system.

Windows Secure Boot Sequence:
1) After the PC is turned on, the signature databases are each checked against the platform key.
2) If the firmware is not trusted, the UEFI firmware must initiate OEM-specific recovery to restore trusted firmware.
3) If there is a problem with Windows Boot Manager, the firmware will attempt to boot a backup copy of Windows Boot Manager. If this also fails, the firmware must initiate OEM-specific remediation.
4) After Windows Boot Manager has started running, if there is a problem with the drivers or NTOS kernel, Windows Recovery Environment (Windows RE) is loaded so that these drivers or the kernel image can be recovered.
5) Windows loads antimalware software.
6) Windows loads other kernel drivers and initializes the user mode processes.

So, if you use Secure Boot (which uses UEFI) this kind of attack is mitigated.