I was waiting for this one Doc. Saw the article but was unable to completely read it. Thanks for the heads up.

preventive measures for home PC users?

Thanks for the post.

The article you've linked has another article linked within it that is certainly worth the read as well.  The link is subtle, it's at the end of the next to last paragraph "Source:fireeye.com".  It's well worth the read as well and goes into more detail regarding the behavior and characteristics of the bootkit:

https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html

Let's hope home users don't get targeted. There's always something... sigh.

None as of yet...

Looks like DBAN and OS re-install would be an option.  Perhaps the only one at present.

Such a purveyor of Holiday Cheer you are, Doc.

surely things like those linux based cd/dvd scans can find it?

Surely they don't...they implement during boot BEFORE you security software.

Apparently a new addition to the NEMESIS malware suite called Bootrash, at present the only solution is to completely wipe the hard disk then reload the OS.

Hopefully the AV software companies like FireEye can get on top of this very quickly. Incidentally this is only one of a line of several previous Bootkit virus attacks, fortunately (or unfortunately) aimed mainly at financial institutions.

Booting to DVD is implemented at BIOS level...before the HD boot record is accessed...so it 'should' precede a 'bootkit' ...

i would have thought booting to linux via cd/dvd shouldn't be reading off the hdd/mounting them until after the os is loaded?

(obviously... whether the scans will then find the rootkit, etc depends on the signature/heuristics of the scans)

Couple points:

- It doesn't work on disks using GPT. Which most newer systems should be using (it's required if you have UEFI and aren't running it in BIOS compatibility mode).

- I'd be surprised if booting to the repair console (via windows install disc) and running /fixmbr (assuming it still exists in newer versions of windows) didn't take care of it, since it rewrites the MBR.

- Booting from an optical disc will most definitely bypass it.

- It's only an extension of an APT ecosystem targeted at a specific bank. You won't be seeing it on your desktop, though of course someone else could come out with a bootkit malware targeted at consumers. They aren't a novel technique, and will still rely on some other malware, vulnerability, or social engineering to get themselves installed.

... oddly my boot ssd uses mbr not gpt. no idea why (maybe i selected the wrong thing during install ). clean win10 install on it. (new machine with uefi)

also read that it doesn't matter performance wise due to small size (256 gb)... so not going to be bothered about that.

Probably running in BIOS mode.

wonder why... i did have problems (before installing anything) to get video to display anything at all until that fixed itself eventually somehow. (after a few reboots... only empty drives and win10 dvd connected)

.. guess i'll fiddle with that when i have to wipe everything and clean install... hopefully not for years!