Batu69 Posted December 11, 2015

One of the NSA's known snooping tactics is installing malware into a hard drive's firmware, which makes deleting the malware nearly impossible; the malware can even survive formatting of the hard drive. Nemesis is a malware that can be used for similar purposes, as it can evade clean-up software and can even survive reinstalling Windows altogether by hiding behind boot records, according to FireEye.

What's the malware about?

Nemesis is a dangerous malware that is designed to carry out multiple functions like transferring files, injecting processes, and capturing screenshots and keystrokes. It can even steal financial data from a system. It can even bypass banking systems and transfer all the financial data to its developers. What makes it lethal is the fact that it is very difficult to detect with any detection program. Basically, the malware's feature of hiding behind the boot records allows it to remain anonymous to any security program; even the virus check on start-up is avoided through this feature.

How to avoid it?

So, what should users do if they are infected with this malware? Well, according to the FireEye research team, if this ever happens to a user they will be required to replace their hard drive altogether; otherwise there is no chance with normal detection systems, and the malware will always remain there no matter what you do. But this may not be feasible for big businesses or enterprises that run a single hard drive on many computers, and a replacement could be really daunting, as it would take time to back up all the data on the systems and then start fresh.

Modern operating systems secured

Though, modern operating systems like Windows 8 and 10 might not be affected by this malware, as they utilize Secure Boot, which prevents replacement of the Windows bootkit.
Bootkits usually target enterprise and financial systems, which are usually not that updated and have an older operating system in place. So there is a need for updated financial and enterprise systems; otherwise they could face the worst. In August this year, a security researcher created a proof-of-concept attack for Macs that covertly replaced the firmware that boots up most modern OS X machines. (Apple has fixed the flaw.)

Source: FireEye
Holmes Posted December 12, 2015

Secure Boot requires a TPM module (Trusted Platform Module), and you can't simply go out and buy one at a store; you have to order one online. You can't do that unless the motherboard has a TPM module slot. My motherboard does, and I keep meaning to buy a TPM module, but I keep forgetting. Some computers have one when you buy them. I tried to buy one for my MSI motherboard; the MSI website was sold out. I found one on Amazon; I'm going to be ordering it early next year. You want a UEFI (Unified Extensible Firmware Interface) too; that is a BIOS replacement. These components are necessary to use Secure Boot. You must realize that if you got malware in your hardware's firmware, it's not totally dead: you can reflash with firmware that's not infected, for some malware, not all.
straycat19 Posted December 12, 2015

There seems to be some confusion here. Nemesis does not install itself in the firmware. It installs itself in the bootstrap of the Windows MBR so that the malware starts before Windows begins its boot process. For this reason Secure Boot cannot guard against it. This is the Ring 0 area of your hard drive. If you use a hex editor, the bootstrap is at +000h (hexadecimal). It does not get removed if you do a normal format and reinstall of Windows. In order to remove it you have to do a low-level format or a complete physical wipe of the hard drive.
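A defender-side integrity check for the bootstrap region straycat19 points at, added here as an example (it is not code from FireEye or from anyone in this thread): it parses a 512-byte copy of sector 0, hashes the bootstrap code at +000h..+1BDh, validates the 55 AA boot signature, decodes the partition table, and compares the bootstrap hash against a known-good baseline taken when the machine was clean. It assumes sector 0 has been dumped to a file with a read-only tool; the build_sample_mbr helper and every value in it are constructed for the example.

```python
import hashlib
import struct

BOOTSTRAP_LEN = 446          # bootstrap code: +000h .. +1BDh
PART_TABLE_OFF = 446         # four 16-byte partition entries: +1BEh .. +1FDh
SIG_OFF = 510                # boot signature 55 AA: +1FEh .. +1FFh

def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample sector 0 (not a real disk image)."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    # One bootable entry: status 0x80, CHS fields, type 0x07 (NTFS), LBA 2048, 1M sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"

def read_sector0(path: str) -> bytes:
    """Read the first 512 bytes of a dumped sector-0 file (or a raw device, if permitted)."""
    with open(path, "rb") as f:
        return f.read(512)

def parse_mbr(sector0: bytes) -> dict:
    """Split sector 0 into bootstrap hash, partition entries and signature status."""
    if len(sector0) < 512:
        raise ValueError("sector 0 must be 512 bytes")
    bootstrap = sector0[:BOOTSTRAP_LEN]
    parts = []
    for i in range(4):
        raw = sector0[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype:  # type 0x00 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "signature_ok": sector0[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
        "partitions": parts,
    }

def bootstrap_changed(baseline: bytes, current: bytes) -> bool:
    """True when the bootstrap code region no longer matches the known-good baseline."""
    return parse_mbr(baseline)["bootstrap_sha256"] != parse_mbr(current)["bootstrap_sha256"]

if __name__ == "__main__":
    clean = build_sample_mbr(b"\xEB\x63\x90clean-bootstrap")
    altered = build_sample_mbr(b"\xEB\x63\x90other-bootstrap")
    print(parse_mbr(clean))
    print("bootstrap changed:", bootstrap_changed(clean, altered))
```

A partition table that still decodes cleanly while the bootstrap hash has moved is exactly the pattern a bootkit that survives a reinstall would leave, since a normal format and Windows setup rewrite the partition table and volume boot records but leave the MBR code alone.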
Holmes Posted December 12, 2015

I just read the article; I didn't look at the source. I know all about the bootstrap and ring zero. I'm musing about what is worse, Nemesis or TDL4; I am predicting Nemesis, it's newer I think. This is interesting: https://technet.microsoft.com/en-us/windows/dn168167.aspx This says Secure Boot can stop Nemesis; you said it can't.
vibranium Posted December 12, 2015

straycat19 said (13 hours ago):
"If you use a hex editor, the bootstrap is at +000h (hexadecimal). It does not get removed if you do a normal format and reinstall of Windows. In order to remove it you have to do a low-level format or a complete physical wipe of the hard drive."

Correct. Overwriting sector 0 is sufficient. I read somewhere about true firmware injections, but that has to be limited to very specific models AND firmware revisions of hard drives. This kind of exploit is so difficult and the target area so small, I can't imagine hackers actively developing it.