Malware Hijacks Windows Boot Process
A blog post at the FireEye/Mandiant Consulting website reports on a powerful feature of the Nemesis malware tool that allows the attacker to load malicious code as part of the boot process – before the operating system has even started. The attack affects Windows systems that use the .NET 3.5 framework.
Nemesis employs an installer referred to as BOOTRASH to take control of the boot process and stash malware components in the Windows registry or in a virtual filesystem, where conventional file-based scanning does not look. On a normal boot, the Master Boot Record (MBR) passes control to the Volume Boot Record (VBR), which in turn loads the operating system. Nemesis creates its virtual filesystem in unallocated disk space, stores the malicious code there, and executes it during the VBR phase – before the operating system starts. The attackers are said to target payment card processors, banks, and other financial institutions.
The MBR partitioning scheme is deprecated and is gradually being replaced by the safer GUID Partition Table (GPT) scheme, although many MBR-based computers are still operating in the wild. Systems that boot from GPT disks are reportedly immune to the attack. Unfortunately, many payment card processing systems run embedded versions of old Windows releases that leave them susceptible to the bootkit.
The difficulty of detecting this attack means you probably won't see it popping up on your malware scanner anytime soon. The best defense is to migrate to GPT-partitioned disks – and to stop using out-of-date versions of .NET.
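The boot chain described above (MBR, then VBR, then the operating system) and the MBR-versus-GPT distinction both come down to the contents of sector 0 of the disk. The following script is an added, defender-side example and is not part of the original post or of FireEye's report: it parses an MBR, reports whether the disk is MBR-partitioned or carries a GPT protective entry (type 0xEE), lists the unallocated sector ranges between partitions (the kind of space a bootkit's hidden filesystem could occupy), and hashes the 446-byte boot code so it can be compared against a known-good baseline. The sample MBR bytes are constructed here for illustration; the partition layout and sizes are invented values, not indicators from any real infection.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bootstrap code precedes the partition table
PART_TABLE_OFF = 446           # four 16-byte entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
GPT_PROTECTIVE_TYPE = 0xEE     # a GPT disk carries one protective MBR entry of this type
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_partition_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one partition-table entry; CHS fields are zeroed (constructed sample data)."""
    return struct.pack(PART_ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partition entries."""
    table = b"".join(entries).ljust(4 * PART_ENTRY_LEN, b"\0")
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + BOOT_SIGNATURE


def parse_mbr(sector0: bytes) -> dict:
    """Decode the partition table of sector 0 and classify the partitioning scheme."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, sector0[off:off + PART_ENTRY_LEN])
        if ptype == 0:            # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    scheme = "gpt-protective" if any(p["type"] == GPT_PROTECTIVE_TYPE for p in partitions) else "mbr"
    return {"scheme": scheme, "partitions": partitions,
            "boot_code_sha256": hashlib.sha256(sector0[:BOOT_CODE_LEN]).hexdigest()}


def unallocated_gaps(partitions: list, disk_sectors: int) -> list:
    """Return (start, length) sector ranges that no partition covers, excluding sector 0."""
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    gaps, cursor = [], 1
    for start, end in spans:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def boot_code_changed(sector0: bytes, baseline_sha256: str) -> bool:
    """True when the boot code no longer matches a previously recorded known-good hash."""
    return parse_mbr(sector0)["boot_code_sha256"] != baseline_sha256.lower()


# Constructed samples: a two-partition MBR disk with a gap between the partitions,
# and a GPT disk as seen through its protective MBR entry.
SAMPLE_BOOT_CODE = b"\xEB\x3C\x90CONSTRUCTED-BOOT-CODE"
SAMPLE_MBR = build_mbr(SAMPLE_BOOT_CODE, [
    build_partition_entry(0x80, 0x07, 2048, 204800),     # bootable NTFS, sectors 2048..206847
    build_partition_entry(0x00, 0x07, 409600, 100000),   # second NTFS volume after a gap
])
SAMPLE_DISK_SECTORS = 409600 + 100000
SAMPLE_GPT_MBR = build_mbr(b"", [build_partition_entry(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("scheme:", info["scheme"])
    for p in info["partitions"]:
        print(f"  partition {p['index']}: type 0x{p['type']:02X} start {p['lba_start']} len {p['sectors']}")
    print("unallocated:", unallocated_gaps(info["partitions"], SAMPLE_DISK_SECTORS))
    print("boot code sha256:", info["boot_code_sha256"])
    print("GPT sample scheme:", parse_mbr(SAMPLE_GPT_MBR)["scheme"])
```

On a live Windows host the same functions can be fed the first 512 bytes read from the raw disk device (for example `\\.\PhysicalDrive0`, which requires administrator rights); a VBR check works the same way on the first sector of each partition. The useful operational pattern is to record the boot-code hashes of known-good systems once and alert when `boot_code_changed` reports a mismatch or a new unallocated range appears, since a bootkit that hooks the MBR or VBR must alter exactly these bytes.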