New “Bootkit” malware that loads even before Windows can open

‘Bootkit’ malware is installed in the boot area of the system drive, which lets it load even before the operating system itself.

You must have heard about rootkits, and if you haven’t, here is the definition: “A rootkit is malware that allows the attacker who authored it to gain administrator access on the victim’s machine”.

Now, since the world of hacking changes every day, with emerging threats and patches for recent ones, it is wise to expect something big to arrive at any time. That has now happened: a new kind of malware, part of the Nemesis malware suite, loads as soon as you boot your computer, so an antivirus program has a hard time dealing with it.

The issue is that since a bootkit can load malware before Windows itself loads, Windows processes have a hard time identifying the malicious activity, and an even harder time removing it. Completely reinstalling the OS won’t do it — this is rather like the NSA attacks that can resist even a total format of the drive, but so far as we know those mostly require at least hardware infiltration of the target. In this case, a purely software-based virus can install itself behind your computer’s eyes, and thus never be seen.

Your HDD consists of a number of “partitions”, and the primary partition is where Windows (and every other OS) loads itself from. Dubbed BOOTRASH by security researchers, the malware works by infecting the Master Boot Record (MBR), which contains basic information about the partitions on an HDD and the initial code that hands control to the primary partition. Nemesis is installed in the unallocated space between partitions, and BOOTRASH injects it into the still-loading Windows processes when it runs at system startup.

The only way to dig a bootkit out of your computer with a virus scanner is a bulk scan of the raw disk contents, rather than scanning activity as it occurs. That is an incredibly taxing thing, especially for large networked servers that may have enormous amounts of storage in which to hide, and the search itself takes resources and computing time away from your core business. Most virus-scanning software doesn’t check the Windows registry or the virtual file system created by BOOTRASH to store itself — these attacks require a whole new approach to digital countermeasures.
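As an added illustration (not code from the article or from the researchers it cites), here is a small raw-disk audit of the two points above: it parses the MBR partition table from a disk image, hashes the boot code for comparison with a known-good baseline, and lists any sector in the space the partition table calls unused that actually holds data. The disk image, its partition layout and the planted blob are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(mbr: bytes):
    """Parse a 512-byte MBR into (sha256 of boot code, list of used partition entries)."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        # entry: status, CHS start (3, skipped), type, CHS end (3, skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype and count:
            parts.append({"type": ptype, "start": lba, "end": lba + count - 1, "boot": status == 0x80})
    return hashlib.sha256(mbr[:446]).hexdigest(), parts

def find_gaps(parts, disk_sectors):
    """Unallocated sector ranges: after the MBR, between partitions, and past the last one."""
    gaps, cursor = [], 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def nonzero_sectors_in_gaps(image: bytes, gaps):
    """Gap sectors with any non-zero byte: triage leads, not proof (boot loaders also use the post-MBR gap)."""
    return [s for start, end in gaps for s in range(start, end + 1)
            if any(image[s * SECTOR:(s + 1) * SECTOR])]

def audit(image: bytes, baseline_boot_hash=None):
    """Raw-disk check: boot code drift from a known-good hash, and data in space the table says is unused."""
    boot_hash, parts = parse_mbr(image[:SECTOR])
    gaps = find_gaps(parts, len(image) // SECTOR)
    return {"boot_hash": boot_hash,
            "boot_code_changed": baseline_boot_hash is not None and boot_hash != baseline_boot_hash,
            "gaps": gaps, "suspect_sectors": nonzero_sectors_in_gaps(image, gaps)}

def build_sample_disk():
    """Constructed 256-sector image (not real malware): one bootable NTFS partition at
    LBA 64..191 and a stand-in blob planted in the unallocated gap at sector 40."""
    mbr = b"\x33\xc0" + b"\x90" * 444                     # pretend boot code (446 bytes)
    mbr += struct.pack("<B3xB3xII", 0x80, 0x07, 64, 128) + b"\x00" * 48 + b"\x55\xaa"
    image = bytearray(mbr + b"\x00" * (SECTOR * 255))
    image[40 * SECTOR:40 * SECTOR + 16] = b"HIDDEN-STAGE-XX!"
    return bytes(image)
```

On a real system the same functions can be pointed at a raw device read (for example the first 512 bytes and the gap ranges of the physical disk), with the baseline hash recorded when the machine was known to be clean.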

Intriguingly, the creators of Nemesis seem to have built in an uninstall option that restores the original boot process. It won’t remove the Nemesis code or undo the odd little file system it makes for itself in your allegedly unused disk space, but it will stop Nemesis from actually coming into action at boot. Why attackers might want the option to ease off like this is anybody’s guess — but the ability to roll out so-called “ransomware” is one real possibility. Obviously, if an attacker successfully infects the MBR of a system that serves a large organisation, there is a chance of extracting a large payout.

Remember that bootkits need not be limited to targeting banks and credit card transactions. Bootkits are basically just more technically advanced versions of rootkits, which have of course been used by everyone from Sony to (probably) the US government. Bootkits offer far more persistence for the attacker, but they also destroy any ability to claim innocence — you could maybe claim that a rootkit was installed in good faith, but a bootkit is very specifically designed to fool the user. Any non-criminal enterprise installing a bootkit is running a big financial risk if found out.

Still, it’s worth pointing out that a computer can’t be harmed by malware it never encounters. These might be super-advanced cyber super-bugs, but they still almost certainly got onto the target systems with the same techniques as all the malware that came before: basic research and personal trickery in the form of spear-phishing messages over email or social media. It’s essential that the security industry invent newer and better technologies to counteract those of the criminals — but investment in education and good online practices could be a better idea for corporations.

Abhishek Awasthi
Continuous improvement is better than delayed perfection -Mark Twain.
