Stories
Slash Boxes
Comments

SoylentNews is people

posted by takyon on Saturday December 29 2018, @11:40PM   Printer-friendly
from the secure-brick dept.

LEIPZIG, GERMANY – Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks.

The discussion of Sednit was part of the 35C3 conference, and a session given by Frédéric Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall (PDF). During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that rootkit malware programs can survive on the motherboard’s flash memory, giving it both persistence and stealth.

"UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said.

The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system’s UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

Each time the system restarts, the code executes on boot, before the OS loads and before the system's antivirus software is launched. That means that even if the device's hard drive is replaced, the LoJack software will still operate.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by Bot on Sunday December 30 2018, @12:11AM (2 children)

    by Bot (3902) on Sunday December 30 2018, @12:11AM (#779855) Journal

    so, you have UEFI with:
    - a mandated government backdoor whom you can't talk about (a government instituting secret trials is definitely not above that, and all the talk about encryption and security being inherently evil confirm that)
    - some intel remote management engine
    - some chinese rootkit (they take all the effort to build the electronics, should they pass the occasion)
    - the lojack anti thief mechanism
    - finally, the official rootkit

    This is why the BIOS was insufficient, you need a proper multitasking OS to manage all the mess.

    Meanwhile, mafia dons employ RFC666666, chat over scraps of paper ("pizzini") and are still at large.

    --
    Account abandoned.
    Starting Score:    1  point
    Moderation   +4  
       Insightful=3, Interesting=1, Total=4
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 2) by epitaxial on Sunday December 30 2018, @03:25AM (1 child)

    by epitaxial (3165) on Sunday December 30 2018, @03:25AM (#779888)

    UEFI has nothing to do with management engines. Also can you point me towards any documents or legislation showing this mandate?

    • (Score: 3, Insightful) by Bot on Sunday December 30 2018, @02:40PM

      by Bot (3902) on Sunday December 30 2018, @02:40PM (#779962) Journal

      > Also can you point me towards any documents or legislation showing this mandate?

      Troll level> expert

      --
      Account abandoned.