The issue is that since a bootkit can load in malware programs before Windows itself loads, Windows processes have a hard time identifying malicious activity, and an even harder time removing it. Completely reinstalling the OS won’t do it — this is rather like the NSA attacks that can resist even a total format of the drive, but so far as we know those mostly at least require hardware infiltration of the target. In this case, this purely software virus can install itself behind your computers eyes, and thus never be seen.A newly revealed malware that has been in use since at least the beginning of this year has been dubbed a “bootkit,” for its ability to infect a computer at the most fundamental level, running when the computer boots to actually load before the operating system itself. It’s part of the widespread “Nemesis” malware suite, and while it is currently aimed at financial institutions, the inclusion of bootkit functionality in a relatively “mass market” solution means the powerful form of cyber infiltration is coming to a much wider array of victims.
Dubbed BOOTRASH by security researchers, the malware works by infecting the Master Boot Record (MBR), which contains basic information about the partitions on an HDD, and some basic code about how to initialize the primary partition. Nemesis is installed on the empty space between partitions, and BOOTRASH injects it into the still-loading Windows processes when it runs on system startup. To a certain extent, Windows takes this starting collection of running code as the gospel — how could it already be bad, before the OS has even done anything, yet?
The only way to go about digging a bootkit out of your computer with a virus scanner would be to bulk scan of the raw disk content, rather than scanning activity as it occurs. That’s an incredibly taxing thing, especially for large networked servers that might have enormous amounts of storage in which to hide, and doing the search itself takes resources and computing time away from your core business. Most virus scanning software doesn’t generally check the Windows registry or the virtual file system created by BOOTRASH to store itself — these attacks require a whole new approach to digital countermeasures.
The Iranian nuclear centrifuges targeted by STUXNET.
Intriguingly, the creators of Nemesis seem to have built in an uninstall option that will restore the original boot process. It won’t remove the Nemesis code or undo the odd little file system home it makes for itself on your allegedly unused disk space, but it will stop Nemesis from actually coming into action upon boot. Why attackers might want the option to ease off like this is anybody’s guess — but the ability to roll out so-called “ransomware” is one real possibility.
Remember that bootkits need not to limited to targeting banks and credit card transactions. Bootkits are basically just more technically advanced versions of rootkits, which have of course been used by everyone from Sony to (probably) the US government. Bootkits offer far more durability for the attacker, but they also destroy any ability to claim innocence — you could maybe claim that a rootkit was installed in good faith, but a bootkit is very specifically designed to fool the user. Any non-criminal enterprise installing a bootkit is running a big financial risk if found out.
Still, it’s worth pointing out that a computer can’t be harmed by a malware it never encounters. These might be super-advanced cyber super-bugs, but they still almost certainly got onto the target systems with the same techniques as all the malware that’s come before: basic research and personal trickery in the form of spear-phishing personal messages over email or social media. It’s essential that the security industry invent newer and better technologies to counteract those of the criminals — but investment in education and good online practices could be a better idea for corporations, dollar for dollar.
