Nemesis malware gains bootkit ability
Nemesis malware is now clever enough to boot before Windows even starts up in order to steal your financial information iStock

A malware suspected to originate from Russia now has the capability to infect PCs by loading before Windows starts, making it virtually undetectable to users and almost impossible to remove. The danger is that this malware can steal payment data from just about anyone's computer, whereas before the malware was only targeting financial institutions and retailers.

The Bootrash malware is known as a "bootkit" because it gets into the core of the computer, according to security firm FireEye. It is part of the wider Nemesis malware suite which has been tied to a Russian cybercriminal gang nicknamed FIN1, which is suspected of targeting financial institutions, credit unions and ATM cash machine operators.

By adding Bootrash to the existing Nemesis malware suite, the new improved malware can now steal payment data from anyone's computer, not just those belonging to banks and retailers, as it can detect and record keystrokes to figure out online banking passwords and credit card numbers.

Malware hides between partitions

Computers contain a volume boot record that tells them to load the Windows operating system and then which software to load first once the computer starts up. The bootkit works by installing itself into the empty space between partitions in your hard drive and modifying the boot record to let certain components of the bootkit load before Windows starts, which makes it very difficult to detect.

It is also almost impossible to remove, because the malware hides outside the Windows file system and thus is not scanned by antivirus products, and Windows trusts that all its start-up processes are innocent and working properly, so even if you reinstall the operating system it won't be able to stop the malware.

The only way to get rid of this bootkit is to bulk scan every single file on your hard disc, which takes a long time, and most virus scanning software today doesn't check the Windows registry. You can get freeware like AdwCleaner that analyses your Windows registry, but you will need to supervise it and research what the registry entries are before deleting them, to make sure you don't accidentally get rid of an important Windows component or a software program you want to keep.

The FireEye researchers did find an uninstall option built into Bootrash by its creators but it is only designed to help the attackers. It will restore the original boot process on a user's computer but it won't delete the Nemesis malware sitting on your hard drive. The only way for systems administrators to completely get rid of the malware is to perform a complete physical wipe of any systems compromised with the bootkit and then reload the operating system.

Malware becoming popular attack method

Many point of sale (POS) payment terminals operated by retailers run on older Windows computers and they are increasingly becoming a target to cybercriminals – between 2013 to 2015, numerous US retailers have been affected by cyberattacks including Target, Home Depot, Supervalu, Neiman Marcus, Staples, Michaels Stores and Aaron Brothers.

Although the Target hack happened in December 2013, it is still one of the worst as cybercriminals used malware to capture 40m shoppers' credit card numbers as well as the personal details of 70m customers, and store them on a separate server operated by the hackers.

According to Bloomberg Business, research shows that when the data captured by the malware started flowing out of Target's servers to the hackers' servers on 2 December 2013, the hack was detected by Target's state-of-the-art security system (which was coincidentally by FireEye), but the company didn't act on the alert. Only 10 days later, when US federal investigators contacted Target about a massive data breach, did Target take action.