Windows Pre-Boot Malware Puts Financial Industry At Risk

[Lucian Armasu]

FireEye security experts discovered the Windows Nemesis bootkit on enterprise machines from a financial transactions customer.

Windows Pre-Boot Malware Puts Financial Industry At Risk : Read more

 

[10tacle]

"FireEye suggested that re-installing the operating system is no longer a sufficient method of getting rid of certain types of malware. The solution against this type of threat is to use tools that can access and search raw disks at scale for evidence of bootkits, or the disks should be physically wiped before installing the operating system."

Who would ever just reinstall the OS thinking that would take care of any virus, especially one buried deep in the MBR? Paying money for a good anti-virus and anti-malware program is worth it for we users who care about our personal data protection.

Of course, the corporate bean counters do not see the budget of their IT departments as high priority. Used to drive me nuts when I worked in one. Talk about having a hand tied behind your back when employees would constantly complain about slow computers and whatnot.

 

[firefoxx04]

As annoying as secure boot can be, I guess it pays off.

 

[Alec Mowat]

Who would ever just reinstall the OS thinking that would take care of any virus, especially one buried deep in the MBR? Paying money for a good anti-virus and anti-malware program is worth it for we users who care about our personal data protection.

Most people.

Most people won't even update their Windows from 7 to 10 because they're afraid it's not compatible with ancient software programs.

 

[kenjitamura]

I thought it was common sense for people to use DBAN or Killdisk between OS installs. I do it even when re-installing the same OS.

 

[DrakeFS]

Most people.

Most people won't even update their Windows from 7 to 10 because they're afraid it's not compatible with ancient software programs.

This is more about enterprise PCs and not personal PCs. I could care less if family member, friend, random stranger, etc.. got this virus. However, I would like to know what finical company does not have a wipe apart of the image process... that way I know what finical company to avoid.

 

[mrjhh]

I doubt that the GPT limitation will last long. Secure boot isn't a panacea, the firmware can also be replaced with interesting code in the ACPI code running at the highest trust level, whether it's UEFI or BIOS. While UEFI is required for secure boot, there isn't much to prevent bad firmware from being installed with just Secure boot. A TPM can provide more security, but almost nothing has a TPM installed. But even that requires external verification of TPM signatures, and that external verification becomes the next weak link in the chain. But, a TPM doesn't prevent installation of buggy firmware or OS, it only verifies that the expected firmware/OS is installed. When new firmware/OS is approved and installed, the old signatures have to be removed to prevent the old/buggy firmware/OS from being allowed.

 

[warezme]

Most people.

Most people won't even update their Windows from 7 to 10 because they're afraid it's not compatible with ancient software programs.

That's where you would be mistaken. Up until a week or so ago Enterprise version of Symantec antivirus suite was not compatible with Windows 10. Some specialty educational very necessary programs like Examsoft took a long time to become compatible, causing students who updated right away or buy a new laptop to have to blue-book early exams. These are all examples of current software and I'm sure there are many such examples in the corporate world.

Sure if all people do is internet and facebook then sure Windows 10 is no problem.

 

[jimmysmitty]

"FireEye suggested that re-installing the operating system is no longer a sufficient method of getting rid of certain types of malware. The solution against this type of threat is to use tools that can access and search raw disks at scale for evidence of bootkits, or the disks should be physically wiped before installing the operating system."

Who would ever just reinstall the OS thinking that would take care of any virus, especially one buried deep in the MBR? Paying money for a good anti-virus and anti-malware program is worth it for we users who care about our personal data protection.

Of course, the corporate bean counters do not see the budget of their IT departments as high priority. Used to drive me nuts when I worked in one. Talk about having a hand tied behind your back when employees would constantly complain about slow computers and whatnot.

A proper reinstall deletes the old MBR and re-partitions the HDD anyways. That is how I do my "clean" installs. Any other way is not a "clean" install.

 

[corbeau]

I thought it was common sense for people to use DBAN or Killdisk between OS installs. I do it even when re-installing the same OS.

Not on an SSD you don't.

 

[turkey3_scratch]

So wouldn't formatting fix this?

 

[Alex Atkin UK]

So wouldn't formatting fix this?

Possibly not, because formatting would not necessarily wipe out the MBR or the hidden partition the malware has created.

If course of you wiped the whole drive and switched to a GPT partition scheme, that would wipe it and prevent reinfection. Not sure how easy that is to do from Windows installer though, I always use a Linux LiveCD/USB for partitioning.

 

[Quixit]

So wouldn't formatting fix this?

Possibly not, because formatting would not necessarily wipe out the MBR or the hidden partition the malware has created.

If course of you wiped the whole drive and switched to a GPT partition scheme, that would wipe it and prevent reinfection. Not sure how easy that is to do from Windows installer though, I always use a Linux LiveCD/USB for partitioning.

Yes, formatting doesn't touch the MBR. The current Windows installer has full featured partitioning, including resizing existing partitions and changing partition tables to GPT so that wouldn't be a problem.

 

[turkey3_scratch]

How can a partition be "hidden"?