Stealthy Nemesis financial malware loads before the operating system, avoids detection

Invisible manHackers targeting payment card data are deploying sophisticated malware that executes before the operating system has started booting, according to newly-released report.

Through this method, the attackers are not only making the financial malware very hard for security software to detect - but also, difficult to remove.

FireEye researchers have identified that a financially-motivated hacking gang known as FIN1 is using a utility dubbed 'BOOTRASH' to hijack the system boot process in order to begin loading components of the Nemesis bootkit.

FireEye says that it discovered the malware during an investigation at an unnamed financial organization.

In order to boot up normally, a computer reads the Master Boot Record (MBR), where it learns about the hard drive partitions as well as the primary partitions that it needs to load. It learns more details about these partitions in the Volume Boot Record (VBR), including how to correctly start the boot process.

Figure 1

It's here that BOOTRASH seeks to hijack a boot session.

"The goal is to maintain persistence on the target systems. The malware is unique because it has a component that loads in the Volume Boot Record, making it hard to detect and remove," Wayne Crowder, director of threat intelligence at RiskAnalytics told SC Magazine.

According to a post on FireEye's blog, the hijack begins when BOOTRASH gathers information about the system.

BOOTRASH can execute on a 32- or 64-bit machine, but certain conditions - including the presence of a MBR boot partition, a prior installation of Microsoft's .NET 3.5 framework, and no discernible BOOTRASH installer - must be met.

It next uses Windows Management Interface to create a virtual file system where it can store the components of Nemesis, a malware ecosystem that includes a keylogger, file transfer, screen capture, and process manipulation, reports Threatpost.

After saving an encoded backup copy of the VBR, BOOTRASH decodes a new bootstrap code from one of its embedded resources, effectively hijacking the boot process. It then loads up three components, vbr.bin, vbs.bin, and bootldr.sys, which are responsible for installing and loading the Nemesis bootkit.

At this juncture, installation is complete, with infection soon to follow.

FireEye explains:

"During the hijacked boot process, the compromised system’s MBR will attempt to load the boot partition’s VBR, which has been overwritten with the malicious BOOTRASH bootstrap code. This code loads the Nemesis bootkit components from the custom virtual file system. The bootkit then passes control to the original boot sector, which was saved to a different location on disk during the installation process. From this point the boot process continues with the loading and executing of the operating system software."

Figure 2

At the same time, the bootkit intercepts several services, including the BIOS interrupt process, which could be used for system services and patches.

Malware that compromises the MBR or VBR to achieve boot persistence is unusual, but not entirely unknown. For instance, back in 2001 researchers at ESET detailed the activities of the Olmarik and Rovnix bootkits, and the following year they published a technical analysis of the Win32/Gapz bootkit describing it as "one of the most interesting and difficult to detect bootkits seen in the wild."

John Leyden of The Register is right to observe that because bootkits infect systems at a low level, they are difficult to detect to remove.

Indeed, when it comes to Nemesis, the bootkit executes before Windows has had a chance to fully load, meaning that anti-virus solutions will not detect it. This means that to even detect a bootkit, we need to install a special tool or utility that provides raw disk access and that can essentially analyze changes made to the VBR.

As for removing a bootkit, reinstalling the operating system will not work.

In this case, as PC World points out, only a complete physical wipe of the entire hard drive will do the trick.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

One Response

  1. SteveVDC

    December 10, 2015 at 2:21 pm #

    Can't Secure Boot for UEFI prevent this sort of boot hijack?

Leave a Reply