Nemesis Bootkit Hijacks Payment Processors Before Booting OS

If you thought malware only attacks personal computers, you are wrong: malware attacks any computer system, whether a private computer or a company server. A new piece of malware is attacking banks, payment card processors and other financial services. This bootkit has been in operation since early this year, and it is a deadly one, dubbed Nemesis.

What is Nemesis?

This is a suite of malware that includes tools for taking screenshots, transferring files, process injection, keystroke logging and carrying out many other malicious actions on the infected computer. It allows hackers to copy all of a customer's financial details and history and use them for phishing. This malware family has been seen in the past targeting banks, payment processors and other financial institutions.

How does it work?

This is not like other malware, as it can begin its work even before the operating system boots up. Before your machine has finished powering on, you could already be at risk of being phished. Nemesis can modify the legitimate boot record, which makes it possible for the malware components to load before Windows starts. This means that before you see the Windows logo, the malware could already be running and waiting for prey. Unfortunately, traditional antivirus only detects malware after Windows has started running. When a system is infected, the infection lives in a lower layer of the hard drive, which makes it harder to find and allows it to survive detection even when the operating system is reinstalled.

For this specific malware, formatting your computer and reinstalling Windows does not help. Nemesis has been tweaked to include a tool named BOOTRASH, which can modify an infected computer's boot process.

How to protect yourself from Nemesis

Malware that resides outside the operating system is difficult to prevent, detect and even remove. Traditional security products won't cut it, as Nemesis requires a different approach to be detected and removed. Since formatting the system will not work, the only solution is to use specialised software tools that can access and scan raw disks for evidence of bootkits. Alternatively, one can physically wipe the disks before reinstalling the Windows operating system. Those are the only two possible solutions at the moment.
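To make "scan raw disks for evidence of bootkits" concrete, here is an added example (not code from the article or from any vendor tool) of the simplest such check: read the first sector of a disk, verify the 0x55AA boot signature, compare a hash of the bootstrap code against a baseline recorded while the machine was known-good, and sanity-check the partition table. All sample sectors below are constructed in the script; the `GOOD_BOOT_CODE` bytes are a placeholder, not real boot code, and `read_mbr` is a hypothetical helper for use against a real device or forensic image. The example covers MBR-style disks only.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445 hold the bootstrap code
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_partition_table(mbr):
    """Return the four primary partition entries as dicts (empty entries included)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootstrap_sha256(mbr):
    """Hash only the bootstrap code; the partition table may legitimately change."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def analyze_mbr(mbr, baseline_sha256):
    """Compare a raw MBR sector against a known-good bootstrap hash and check the table."""
    findings = []
    if len(mbr) < MBR_SIZE:
        return {"findings": ["sector shorter than 512 bytes"], "partitions": []}
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if bootstrap_sha256(mbr) != baseline_sha256:
        findings.append("bootstrap code hash differs from baseline")
    parts = parse_partition_table(mbr)
    used = [p for p in parts if p["type"] != 0 and p["sectors"] != 0]
    active = [p for p in used if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in used:
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']} starts at LBA 0 (overlaps the MBR)")
    return {"findings": findings, "partitions": used}


def read_mbr(device_path):
    """Hypothetical helper: read sector 0 of a raw device or disk image.

    On a live disk this needs elevated rights; prefer an offline image or
    boot media, because a bootkit running under the OS can filter disk reads.
    """
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code):
    """Constructed sample sector: one active NTFS-type partition at LBA 2048."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed placeholder bytes, not real boot code
GOOD_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
CLEAN_MBR = build_sample_mbr(GOOD_BOOT_CODE)
BASELINE = bootstrap_sha256(CLEAN_MBR)       # record this while the system is known-good
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c" + GOOD_BOOT_CODE[2:])   # first bytes altered

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = analyze_mbr(sector, BASELINE)
        print(name, "->", result["findings"] or "no findings")
```

The baseline hash is the important part: a generic signature check cannot tell a legitimate bootstrap from a modified one, but a hash taken from a clean install can. Run the comparison from trusted boot media or against a forensic image, since a bootkit active under the running OS can hide its own changes from reads made through that OS.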

This is not the first malware of this type to hijack computers at the system boot-up stage. In the past there were threats such as Rovnix, Necurs, Carberp and TDL4 that were also deadly. Perhaps researchers should look at the solutions that were used to eradicate those threats. This could be a huge relief to all banks, payment processors and financial institutions. Phishing is a cancer for information security, and the earlier it is detected and eradicated the better!
