The company ESET, based in Slovakia, has announced finding the first-ever UEFI rootkit in the wild. Once a machine is infected with the malware, the only option is to reflash the SPI firmware or else replace the whole motherboard.
First spotted in early 2017, LoJax is a trojaned version of the popular, legitimate LoJack laptop anti-theft software from Absolute Software, which installs its agent into the system's BIOS to survive OS re-installation or drive replacement and notifies the device owner of its location in case the laptop gets stolen.
According to researchers, the hackers slightly modified the LoJack software so that it gained the ability to overwrite the UEFI module, and changed the background process that communicates with Absolute Software's server so that it reports to Fancy Bear's C&C servers.
UEFI is an overly complex replacement for BIOS, and is often conflated with one of its payloads, Restricted Boot aka Secure Boot.
(Score: 5, Interesting) by jmorris on Saturday September 29 2018, @03:09AM
Actually there are several 'root' problems here.
1. UEFI runs at ring -1 while your OS runs; it runs ACPI and other runtime services and, as this exploit demonstrates, leaves hooks open for arbitrary 3rd party code to also run in ring -1 along with it.
2. Worse still, if infection is to occur the idiots leave a door open to inject code from a running system.
3. Systems are not designed to make it easy to manually reflash them or manually verify the code in the flash chip.
The solution would be a minor rethink and retool. Standardize ACPI and get it the hell out of ring -1; either allow the OS to manage things itself or, if we still don't trust Windows not to bake the chip, move to a microcontroller with limited access to anything other than power management things. Communicate with the CPU over a standard interface: serial, I2C or SPI. Don't put enough resources in the micro to permit it to host complicated malware even if somebody manages to find a way to get it in. Yes, this would complicate things for software like LoJack. Time to decide which threat is more dangerous.
Then rework the BIOS. Implement two segments, a small r/w for settings and a larger one for the firmware. Give that a one-way gate: once a command is sent, it becomes hardware locked to read only until a power cycle. UEFI always flips the switch before passing control to an operating system. To update the firmware would then require a cold boot with a USB stick, manually entering the setup program and selecting update. Vendors prefer the ease of offering a Windows executable to update, but that can never be secured. A LoJack-type program could still be loaded this way, but the user (or admin / OEM) would have to explicitly do it from the firmware console, and combined with the fix above it would only live until control passed to the OS, still leaving a moment to ping a central server and check in.
Finally, mandate a standardized AVR/Arduino 2x3 header near the firmware. Programmers to mate with that port are widely available and would permit easy verification and reprogramming of the flash. Get really wild and add a jumper to allow power to the flash to come from the programmer so an unpowered system could be worked with.
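
The flash verification the comment above asks for, as an added example that is not part of the original post: it compares a dump read back with an external programmer against a vendor reference image, treating the small settings segment as writable and the firmware segment as read-only. The region layout, the 4 KiB block size and both images are constructed assumptions, not values from any real board.

```python
import hashlib

BLOCK = 4096  # assumed comparison granularity (a common SPI flash sector size)

def changed_ranges(dump, reference, offset, size, block=BLOCK):
    """Return merged (start, end) byte ranges in one region where dump != reference."""
    ranges = []
    for start in range(offset, offset + size, block):
        end = min(start + block, offset + size)
        if dump[start:end] == reference[start:end]:
            continue
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)  # adjacent block: extend the range
        else:
            ranges.append((start, end))
    return ranges

def verify_dump(dump, reference, layout):
    """layout maps region name -> (offset, size, writable).
    Writable regions (settings) may differ; any change elsewhere fails the check."""
    if len(dump) != len(reference):
        # A short or long read usually means a bad clip contact or wrong chip size.
        raise ValueError("dump and reference differ in size; re-read the chip")
    report = {}
    for name, (offset, size, writable) in layout.items():
        if offset + size > len(reference):
            raise ValueError(f"region {name} extends past the end of the image")
        report[name] = {
            "sha256": hashlib.sha256(dump[offset:offset + size]).hexdigest(),
            "changed": changed_ranges(dump, reference, offset, size),
            "writable": writable,
        }
    ok = all(r["writable"] or not r["changed"] for r in report.values())
    return ok, report

# Constructed 64 KiB images for illustration, not real firmware.
LAYOUT = {"settings": (0x0000, 0x1000, True), "firmware": (0x1000, 0xF000, False)}
REFERENCE = bytes(0x10000)
_clean = bytearray(REFERENCE); _clean[0x10] = 0x01           # a setting changed
_bad = bytearray(_clean); _bad[0x5004] = 0xFF; _bad[0x6FFF] = 0xFF
CLEAN, TAMPERED = bytes(_clean), bytes(_bad)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("tampered", TAMPERED)):
        ok, report = verify_dump(image, REFERENCE, LAYOUT)
        spans = [(hex(a), hex(b)) for a, b in report["firmware"]["changed"]]
        print(label, "PASS" if ok else "FAIL", spans)
```

Reading the chip twice and confirming both dumps hash identically before comparing against the reference rules out read errors from the programmer itself.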