One of the more interesting revelations about the snooping tactics employed by the NSA over the past few years was that the agency had managed to install malware into hard-drive firmware in order to get around deletion during formats. While not as complicated as that, Nemesis malware uses a similar system by hiding outside the reaches of normal clean-ups, dodging even operating system reinstalls by hiding in the boot-record.
IT professionals who don’t want the malware equivalent of the Nemesis character pictured above rampaging within the systems they manage will be on guard against this possibility.
Nemesis is in actuality a collection of programs and malware that is capable of doing lots of different things. It can transfer files around, capture screenshots and keystrokes, inject processes, and even capture financial data from a system. It’s designed to hide away on banking systems and siphon off funds and financially important information for the nefarious individuals behind its injection.
And by hiding itself within the boot-record of a system, it’s able to avoid traditional detection techniques, starting up before the OS has even thought about launching defensive countermeasures.
With that in mind, preventing an infection like this is the best way to avoid its associated issues, while clearing it out after it’s taken hold is much harder. It certainly requires a different approach than usual, as the team at FireEye discussed in their recent exposé (via Ars) on the malware bootkit. Any users who believes their systems are infected with such malware will need to do a complete drive wipe to make sure it’s cleared out.
This will be a process that’s a little more well known among SSD users, as a zeroing of the drive can often improve performance — even if the drive is TRIM enabled. However, it may be more daunting for enterprises or businesses that are more used to ghosting a drive from one system to another without ever starting from scratch.
This isn’t necessarily something that those running modern operating systems need to worry about though. Windows 8 and 10 both utilize Secure Boot, which prevents a replacement of the Windows bootkit from being launched.
That’s perhaps why the bootkit targets enterprise systems and financial services, which have a history of running older operating systems. Yet another good reason to stay up to date with your operating system, as well as with drivers and anti-malware software.