Windows' Nemesis: Pre-boot malware pwns payment processors

Cybercrooks targeting payment card data have developed sophisticated malware that executes before the operating system boots. Security researchers at FireEye / Mandiant came across the rarely seen so-called bootkit technique during a recent investigation at an organisation in the financial transaction processing industry. …

  1. TheVogon Silver badge

    Using Secure Boot + Bit Locker + a TPM will defeat this sort of malware crap.

    1. Anonymous Coward
      Anonymous Coward

      Secure Boot

      Don't be fooled by its name.

      (clue: it does boot)

      1. Havin_it

        Re: Secure Boot

        Are there known flaws in Secure Boot, AC? I hadn't heard this, could you elaborate please? (Really; I'm interested)

        I mean there's the ability to turn it off for one (so far...) but that's not a vuln per se. And as the implementation is in the UEFI layer no doubt there may be vendor-specific implementation quirks, but you make it sound more as though the standard (or howsoever one might term the implementation requirements for Windows certification, whatever they are exactly ... not my area) itself is flawed. If so, how so?

        1. Anonymous Coward
          Anonymous Coward

          Re: Secure Boot

          Google "intel x86 considered harmful"

          1. dogged
            Trollface

            Re: Secure Boot

            Obviously the solution is to switch everything to linux* immediately because everything runs on linux and if it doesn't then everything runs perfectly on WINE and linux doesn't get viruses or trojans and linux is (somehow) immune to pre-boot malware.

            Everybody knows that. This is clearly a Winblows problem, and I expect it's related to Microslurp stealing all your data. The headline makes that much clear.

            *Mint, of course. You have to recommend Mint because it's a Reg Forum Bylaw.

            1. Anonymous Coward
              Anonymous Coward

              Re: Secure Boot

              Couldn't you make it to the end of the first sentence in the article?

              1. dogged

                Re: Secure Boot

                > Couldn't you make it to the end of the first sentence in the article?

                I did, but the article was tripe. A bootkit doesn't care what OS you're running (SecureBoot and TPM aside). The specific malware in this instance may be a Win32 variant but it could just as easily be anything else - its use of the vector is what's important. In fact, the prevalence of SecureBoot and TPM is likely to make this vector more of an issue for systems which do not make use of those.

                Please note that most popular linux distros can be SecureBoot enabled very easily.

                It would benefit most users if commentards ceased to scream about how "unfair" SecureBoot is and instead pointed people toward this helpful article.

                (Many) Other articles are available.

            2. David Roberts
              Coat

              Re: Secure Boot - Mint

              But not the Polo distribution.

              I understand that there is at least one hole in it.

          2. Roo
            Windows

            Re: Secure Boot

            It is rather peculiar that you attracted a ton of downvotes by pointing people at a useful article showing the long chains of trust inherent in the x86 boot-time security model and references to SMM exploits that undermine it. It would be interesting to know *why* the downvoters chose to make the mark, even if it is something as simple as wanting to bury bad news.

            Have an up-vote from me anyway.

        2. Panopticon

          Re: Secure Boot

          Re: Flaw's in secure Boot (Really, I'm Interested)

          It's secure - we've heard that before, Sony say's the same thing about it's EEPROM boot-loader on the PS4 and then a load of Brazilian gamers figure out that with a Raspberry Pi you can rewrite the EEPROM to have any damn boot-loader (JAISPI). Any implementation of Windows itself is flawed because Windows embraces broken Web standards like HTML 5 and bundles it into it's PRISM based internet exploding browser whilst other people desperately work there hand at trying to patch there huge fuck-up's and try to remove there shit. They screwed the implementation of Kerberos then they screwed implementation of Bit-locker in Windows 10 and it's worthy of note that no version of Windows actually ships with OpenSSL that's something you the end users are expected to add-on, this is the off-spring of Caldera still eating it's own children and destroying the web in the name of better advertising and marketing along with it's chums at Google who quote Steve Jobs as being a great visionary when Steve Jobs was last quoted as having said and I quote "Android and G-Docs is Shit!" Exploits against Kerberos, against SSL & SSH, against etc, etc, etc where have we heard all that before.. Oh that whistle-blowing guy who told everybody to go use Debian, then when everybody start's using Linux, suddenly Linux falls on the scum-bag trading list as malware that supports terrorism and suddenly System-D and other such horse-shit that allows crime ware and Trojans in Linux suddenly spreads it's affluence with effluence and projects that try to mitigate the crap with sane Libs like uLibC and Musl with grSecurity instead of SELinux and MAC get hosed.

          These guys at the NSA & GCHQ with there friends at Google coming out with horse-shit like "Ubuntu LTS" is the most "secure" distribution ever, are really starting to piss everybody including the Securities Exchange Commission off quite badly. Definition of "Secure" distribution, one that doesn't have your enlarged spying testicles in it or maybe one that hasn't had you deliberately hose the crypto_API with NSA_Key.dll and bundle Javashit into the desktop. I can think of numerous alternatives such as Flex, Pascal and Russian copies of a Windows Clone. (ReactOS FTW) just bundle it with Kerberos version 3.2.2 and CoreForce firewall and viola, you've got Unisys Stealth Core (TM) technology. With a firm two fingers to most major browser vendors including Google!

          1. TheVogon Silver badge

            Re: Secure Boot

            "Any implementation of Windows itself is flawed because Windows embraces broken Web standards like HTML 5 and bundles it into it's PRISM based internet exploding browser whilst other people desperately work there hand at trying to patch there huge fuck-up's and try to remove there shit. "

            English, do you speak it? http://www.howtospell.co.uk/homophonesquiz.php

            "it's worthy of note that no version of Windows actually ships with OpenSSL "

            Thank you god.

            "They screwed the implementation of Kerberos"

            Nope. Kerberos works just fine on Windows and is fully standards compliant. It has features, like constrained delegation, that Linux desperately needs out of the box.

            "then they screwed implementation of Bit-locker in Windows 10"

            There is a bug disabling it in certain circumstances when you also have hardware disk encryption. The implementation of it is otherwise just fine.

          2. dogged

            Re: Secure Boot

            @Panopticon - do you go into supermarkets and shout at the cheese?

            (everyone back away slowly, there are clearly some issues here).

      2. dogged
        Stop

        Re: Secure Boot

        > (clue: it does boot)

        As per our test data here with altered Windows executables, no, it doesn't.

        That's enough FUD, thank you.

  2. heyrick Silver badge

    Given the number of random things we're expected to put our cards into

    The banks really ought to devise some sort of method to verify not only that the device is secure (how? that's their problem to figure out) but also to assure clients that the device is a real payment device - perhaps by displaying a code word known only to the cardholder and the bank?

    1. TechnicalBen Silver badge

      Re: Given the number of random things we're expected to put our cards into

      When the user is involved, these are not the cheapest, quickest and easiest. Which always win out over the "right" or "best" option.

      When the company is involved, well, lots can and does go wrong.

  3. Arctic fox
    Trollface

    "Cybercrooks targeting payment card data have developed a sophisticated malware...........

    ....................that executes before the operating system boots."

    They have clearly taken a leaf out of Lenovo's, Dell's and Toshiba's playbook.

  4. Joe User

    I've seen its like before

    One of my co-workers was afflicted with similar malware a few years ago. It checked the hard drive, found a few megs of unallocated space, and created a partition of an unknown type to hold the code. The malware set its partition to "bootable" and loaded before Windows. To remove it, I had to:

    - Boot from a GParted Live disc

    - Delete the rogue partition

    - Expand the Windows partition to occupy that space (you won't pull that trick twice)

    - Boot from a Windows installation disc

    - Run Windows repair and fix the boot configuration

    - Boot into Windows

    - Run several anti-malware programs to "delouse" the PC

    Never a dull moment around here....
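The rogue-partition bootkit Joe User describes (a partition of an unregistered type dropped into unallocated space and given the boot flag) can be spotted from outside the OS by reading the first sector of the disk. The following is an added example, not code from the comment or the article: it parses the four MBR partition entries and reports any active partition whose type is not one Windows would normally boot from. The MBR bytes it scans are constructed for the example, the list of "expected" Windows partition types is an assumption, and it looks only at the partition table, not at the 446 bytes of boot code a bootkit may also replace.

```python
"""Scan an MBR partition table for a bootable partition of unexpected type.

Added example (not from the comment above). The sample MBR is constructed
to mirror the layout described: an inactive NTFS partition plus a small
partition of unregistered type, sitting in the unallocated tail of the
disk, that carries the 0x80 boot flag instead.
"""
from __future__ import annotations

import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte entries live at 446..509
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
GPT_PROTECTIVE = 0xEE

# Assumption: an active partition should be one of these on a Windows box.
WINDOWS_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x27: "Windows RE"}

# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        entries.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def find_suspicious(entries: list[dict]) -> list[str]:
    """Flag active partitions of unexpected type and other oddities."""
    findings = []
    if any(e["type"] == GPT_PROTECTIVE for e in entries):
        findings.append("protective MBR (0xEE): disk is GPT, inspect the GPT instead")
    active = [e for e in entries if e["active"]]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions marked active; the MBR boot code expects one")
    for e in active:
        if e["type"] not in WINDOWS_TYPES:
            findings.append(
                f"entry {e['index']}: active partition of unknown type 0x{e['type']:02x} "
                f"at LBA {e['lba_start']} ({e['sectors']} sectors)"
            )
    return findings


def build_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one partition entry; CHS fields are left zero (LBA-only)."""
    return struct.pack(ENTRY_FMT, status, ptype, lba_start, sectors)


def constructed_mbr() -> bytes:
    """Constructed sample: inactive NTFS system volume, rogue active partition after it."""
    ntfs = build_entry(0x00, 0x07, 2048, 209_713_152)      # ~100 GiB, boot flag cleared
    rogue = build_entry(0x80, 0x9B, 209_715_200, 8192)     # 4 MiB, unregistered type, active
    table = ntfs + rogue + b"\x00" * (ENTRY_SIZE * 2)
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIGNATURE


def scan(mbr: bytes) -> list[str]:
    return find_suspicious(parse_mbr(mbr))


if __name__ == "__main__":
    for finding in scan(constructed_mbr()):
        print(finding)
```

On a real machine the 512 bytes come from the raw device (for instance `\\.\PhysicalDrive0` on Windows or `/dev/sda` on a Linux live disc such as the GParted one used above), read from a clean boot medium rather than from the possibly infected OS. A clean partition table is not proof of a clean disk: a bootkit that overwrites the MBR boot code in place, or one on a GPT/UEFI system, needs the boot code or the EFI system partition compared against a known-good copy, which is exactly the gap Secure Boot's signature checks are meant to close.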

    1. A Non e-mouse Silver badge

      Re: I've seen its like before

      How much longer before it's cheaper to throw the computer away and buy a new one, rather than pay a techie hours to disinfect it?

      1. channel extended
        Coat

        Re: I've seen its like before

        I eagerly await the new marketing program that offers a customized win-10 that is, meh, secure and turns off the automatic slurp.

        No thanks to Lenovo, Toshiba, and maybe Sony. And it's at that point, almost, now.

        Mine has the Android PDA in the pocket.

        1. dogged
          Meh

          Re: I've seen its like before

          > Mine has the Android PDA in the pocket.

          Because obviously, Android is secure and doesn't slurp your data.

      2. phuzz Silver badge
        Boffin

        Re: I've seen its like before

        $time = Time to disinfect (hrs)

        $rate = Hourly rate of techie (£/hr)

        $cost = Cost of new device (£)

        So it's worth chucking the device and getting a new one when:

        $cost < $time * $rate

        Given that the procedure that Joe User followed probably took about five hours, it's not worth buying a new device unless it's very cheap, or your techie is very expensive. Personally I charge friends "one meal" for this sort of thing, they shouldn't need to buy a new device unless they can find one for less than the cost of a meal.

        What do you mean it was a rhetorical question?

        1. Joe User

          Re: I've seen its like before

          phuzz: "Given that the procedure that Joe User followed probably took about five hours"

          Actually, it was under an hour-and-a-half. The full-disk malware scans took the most time.

  5. Tanner

    This seems to be the work of the NSA, not Russian hackers, since the expertise required to write the malware code goes beyond what is accessible to hackers. Also, the infamous "Equation Group" credited with sophisticated hacking and malware creation was identified and documented as part of the NSA's covert army. Also, let's not forget that Stuxnet and its variants were also identified as an American-Israeli creation due to the resources required to write such a piece of malware. So stop bashing the Russians!!!! "Could be Russians"????? Come on.... Innuendo and guessing are what's being projected and pushed here. Always blame the Ruskies....

    1. Panopticon

      @Tanner

      Of course, you see the One dollar bill, look at the Eyeball and now draw another triangle onto it in reverse and there's your American-Isreali connection spelled out in black and white with the words MASON. Of which the last 13 presidents all where members. It's a delight to listen to them prattle on about innovation and technological achievement. After all what has america achieved with there technology over the last 50 years?? Ah yes, a technocracy where most of there technology is a huge monumental fuck-up.

      None of it actually work's, instead there busy doing what they've always done, what with being american-jewish and sacrificing there children to "Moloch" worshipping a flying GNU Bull which is something Mohammed slammed them all over in the middle ages.

      Look at the wonder's of Unix BSD & Linux.. Neither of them work!

      Never have done and probably never will. Very innovative, you have to admit the rest of the world must be marvelling at there technological advancement and achievement and in other news special agent Chan of the peoples republic of China has her hip's firmly wrapped around her husband Mr Zuckerburgs waist. Lets all just "Marvel" at the love-int going on. Facebook has no secrets from her, especially when she writes home in Mandarin cipher to her Relatives in the communist party!

      1. dogged

        Re: @Tanner

        not sure if trolling or actually mental

        1. Anonymous Coward
          Anonymous Coward

          Re: @Tanner

          Take a look, fool.

          http://web.mit.edu/dryfoo/Masonry/Essays/friday13.html <-- MIT

          http://freemasonrywatch.org/pics/skullandbones.crossedlegs.jpg <-- George Bush

          http://theforbiddenknowledge.com/wtc/index02.htm

          http://www.theforbiddenknowledge.com/hardtruth/13_33_freemason_sig.htm

          The number nine was consecrated to the Spheres and the Muses. It is the sign of every circumference; because a circle or 360 degrees is equal to nine, that is to say, 3+6+0=9. Nevertheless, the ancients regarded this number with a sort of terror; they considered it a bad presage; as the symbol of versatility, of change, and the emblem of the frailty of human affairs. Wherefore they avoided all numbers where nine appears, and chiefly 81, the produce of nine multiplied by itself, and the addition whereof, 8+1, again presents the number nine. As the figure of the number six was the symbol of the terrestrial globe, animated by a Divine Spirit, the figure of the number nine symbolized the earth, under the influence of the Evil Principle; and thence the terror it inspired. ("Do No Evil")

          http://longmontmasons.com/wp-content/uploads/2010/01/george-washington-freemason.jpg

          http://plan9.bell-labs.com/plan9/index.html <--- AT&T Most secure Unix version IX (9) otherwise called NSA Net!

      2. Anonymous Coward
        Anonymous Coward

        Re: @Tanner

        Like Mr. Vogon suggested, please learn to write legibly before trying to join in the grownups' conversation.

        "American-Isreali" I'll put that down to finger-trouble

        "presidents all where members" where?

        "america" A

        "achieved with there technology" their

        "most of there technology" their

        "None of it actually work's" works

        "instead there busy" they're

        "american-jewish" A-J

        "sacrificing there children" their

        "Look at the wonder's" wonders

        "Never have done and probably never will." Not a sentence and a clueless start to a paragraph.

        "marvelling at there technological advancement" their

        "peoples republic of China" People's Republic

        "has her hip's" hips

        "Mr Zuckerburgs waist" 's

        "Lets all" Let's

        ""Marvel"" marvel

        "Relatives " relatives

        "communist party" C P

        Ok, I call Poe. That's before even laughing at the ideas.

        ...

  6. TheVogon Silver badge

    "not sure if trolling or actually mental"

    American imo. Probably watches Fox News all day for the source of the material above...

    "Like Mr. Vogon suggested, please learn to write legibly before trying to join in the grownups' conversation."

    I couldn't be bothered to give more than a hint! But +1 for effort.

    I would be slightly sympathetic if it was clear that English was not the first language, but unfortunately I think the problem is more educational in nature...

  7. Panopticon

    ISIS

    Isis is very much their baby; it's indicative of the 9 https://en.wikipedia.org/wiki/Ennead of ancient Egypt.

    Eric Holder - Mason

    James Clapper - Mason

    Barack Obama - Mason

    George W. Bush - Mason

    Clinton - Mason

    Eric J. Schmidt - Mason

    So you can bet, the next president of the United States is going to be a Mason.

    Ha, and people thought Muslims were fanatical...

    1. Afernie

      Re: ISIS

      "So you can bet, the next president of the United States is going to be a Mason."

      Yeah.. so... if Freemasons secretly control the world how come my mate Dave doesn't have a better job?


Biting the hand that feeds IT © 1998–2020