Monday, December 14, 2015

What is Nemesis Bootkit?

Since early 2015, a new piece of malware has been targeting banks, payment card processors and other financial services and stealing sensitive information from them. It infects a computer and scrapes the sensitive data straight out of the computer's memory. It is called Nemesis Bootkit.

Nemesis Bootkit is part of the Nemesis malware family, which includes components for transferring files, capturing screens, logging keystrokes, injecting into processes and other malicious activities.

The difference that makes Nemesis Bootkit much more harmful than most other malware is that it replaces boot code that lives outside the file system (the Volume Boot Record of the boot partition), so it survives a re-installation of the operating system. It is much harder to detect and, once detected, much harder to remove.

How does Nemesis Bootkit infect a computer?

On Windows systems that use the traditional partitioning scheme, the MBR, or Master Boot Record, is the first sector of the disk and stores the partition table: the number and layout of the partitions. It is critical to the boot process. It also holds a small amount of code that searches the partition table for the active primary partition and transfers control to that partition's Volume Boot Record, or VBR.

The VBR occupies the first sector of each partition. It contains a small amount of machine code specific to the file system and operating system on that partition, which locates and loads the operating system's boot loader so that the boot process can begin.

Nemesis Bootkit hijacks this boot process. It first uses a multi-step installer to create a custom virtual file system and stores the Nemesis components in the unallocated space between the partitions, which belongs to no file system and is therefore never seen by a file-level scan.

It then replaces the VBR code with its own malicious code, so that it can intercept certain boot-time functions and inject the Nemesis components into the Windows kernel before the operating system has finished loading.

Once a computer is infected, the malware begins its real work: stealing sensitive data from the targeted banks, payment card processors and other financial services.

Countermeasures against Nemesis Bootkit

As discussed earlier, Nemesis Bootkit is much harder to detect and remove. Because its components are stored in unallocated space outside any partition, simply re-installing the operating system does not get rid of it completely.

There is a reliable way to remove it, though it is costly in practice: wiping the disk completely (every sector, not only the partitions) and then re-installing the operating system does remove the malware.

Please note that Nemesis Bootkit does not install itself on computers whose disks use a GUID Partition Table (GPT), which was introduced as part of the Extensible Firmware Interface (EFI, now UEFI) specification as a replacement for the old MBR partitioning scheme. Moving to this newer technology therefore keeps financial services out of reach of this particular threat. Bear in mind, however, that this is a check the malware itself performs, not a protection that GPT provides; the actual boot-chain defence on UEFI systems is Secure Boot, which verifies the boot code before executing it.
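As an added example (not code from the original post and not from any published analysis of Nemesis), the following Python script performs the offline triage that the boot-process description above and the GPT note suggest: it parses the MBR partition table of a raw disk image, lists the unallocated sector ranges between partitions where a bootkit like this one could store its virtual file system, hashes the active partition's VBR so it can be compared against a hash taken from a known-clean machine of the same Windows build, and recognises the protective 0xEE entry that marks a GPT disk. The disk images are constructed inline; the partition layout, the NTFS stand-in VBR and the "known good" hash are assumptions for illustration. Run it against an image taken from outside the suspect operating system (a boot CD or a dd copy), since a bootkit that already has code in the kernel can hide its changes from tools run inside the infected system.

```python
import hashlib
import struct

SECTOR = 512
GPT_PROTECTIVE = 0xEE  # partition type of the protective MBR entry on a GPT disk


def make_entry(bootable, ptype, start, size):
    """Build one 16-byte MBR partition entry (CHS fields left zero)."""
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, start, size)


def parse_mbr(sector0):
    """Parse the four partition entries at offset 446 of an MBR sector.

    Returns (partitions, is_gpt). Each partition is a dict with 'bootable',
    'type', 'start' and 'size' in sectors. A single 0xEE entry is the
    protective MBR of a GPT disk, the layout the bootkit is reported to skip.
    """
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, start, size = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or size == 0:
            continue  # empty slot
        parts.append({"bootable": status == 0x80, "type": ptype, "start": start, "size": size})
    is_gpt = any(p["type"] == GPT_PROTECTIVE for p in parts)
    return parts, is_gpt


def unallocated_ranges(parts, disk_sectors):
    """Return (start, length) sector ranges covered by no partition.

    Sector 0 is the MBR itself, so the scan starts at sector 1. These gaps are
    exactly the slack a bootkit can use to store components outside any file
    system, so a forensic triage images and inspects them.
    """
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["size"])
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def vbr_fingerprint(image, parts):
    """SHA-256 of the active partition's VBR (the partition's first sector)."""
    active = [p for p in parts if p["bootable"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(active))
    off = active[0]["start"] * SECTOR
    return hashlib.sha256(image[off: off + SECTOR]).hexdigest()


def triage(image, disk_sectors, known_good_vbr):
    """Summarise partition scheme, VBR tampering and unallocated gaps."""
    parts, is_gpt = parse_mbr(image[:SECTOR])
    if is_gpt:
        return {"scheme": "GPT", "vbr_modified": None, "gaps": []}
    return {
        "scheme": "MBR",
        "vbr_modified": vbr_fingerprint(image, parts) != known_good_vbr,
        "gaps": unallocated_ranges(parts, disk_sectors),
    }


def build_sample_image(disk_sectors=4096, vbr_patch=None):
    """Constructed test data, not a real capture: an MBR disk with an active NTFS
    partition at sectors 63..2047 and a second one at 2560..4095, leaving the
    classic pre-partition gap and a 512-sector gap between the partitions."""
    image = bytearray(disk_sectors * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[446:462] = make_entry(True, 0x07, 63, 2048 - 63)
    mbr[462:478] = make_entry(False, 0x07, 2560, disk_sectors - 2560)
    mbr[510:512] = b"\x55\xaa"
    image[0:SECTOR] = mbr
    vbr = bytearray(SECTOR)          # stand-in for an NTFS boot sector
    vbr[0:3] = b"\xeb\x52\x90"       # jump over the BPB, as real NTFS VBRs do
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = b"\x55\xaa"
    if vbr_patch:
        vbr[0:len(vbr_patch)] = vbr_patch  # simulate boot code being replaced
    image[63 * SECTOR: 64 * SECTOR] = vbr
    return bytes(image)


def build_gpt_sample(disk_sectors=4096):
    """Constructed: the protective MBR a GPT disk carries (one 0xEE entry)."""
    image = bytearray(disk_sectors * SECTOR)
    image[446:462] = make_entry(False, GPT_PROTECTIVE, 1, disk_sectors - 1)
    image[510:512] = b"\x55\xaa"
    return bytes(image)


if __name__ == "__main__":
    clean = build_sample_image()
    baseline = vbr_fingerprint(clean, parse_mbr(clean[:SECTOR])[0])  # "known good" hash
    print("clean disk:   ", triage(clean, 4096, baseline))
    print("patched VBR:  ", triage(build_sample_image(vbr_patch=b"\xeb\x3c\x90"), 4096, baseline))
    print("GPT disk:     ", triage(build_gpt_sample(), 4096, baseline))
```

The baseline hash has to come from a trusted source: the VBR differs between Windows versions and file systems, so compare against an image of the same build taken before deployment, not against a hash collected from the machine under investigation. The unallocated ranges are only a pointer to where to look; a clean disk normally shows the pre-partition gap and whatever alignment slack the installer left, so the interesting finding is data that is not zero-filled in those ranges.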

This was an introductory article to give you some information about Nemesis Bootkit. Hope it helped.
