(UEFI) rootkit LoJax.


MartinPe

  • ESET Moderators

Hello @MartinPe

we have an article covering it on WeLiveSecurity https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ 

ESET is able to detect it in the system and in the UEFI update file as well.

The cleaning is not possible as it resides in the UEFI.

Regards, P.R.


12 hours ago, MartinPe said:

I still have to activate Secure Boot?

This is the best way to prevent it from infecting the UEFI/BIOS. Note that all your drivers including app drivers must be Microsoft driver code signed or secure boot will prevent the OS from booting.

There also might be issues using secure boot if you own a laptop and a legit version of CompuTrace was factory installed by the vendor. You will have to verify that its driver has been Microsoft code signed which is doubtful if it predates Win 8.1/10 product delivery dates. Even if this is the case, the driver needs to be verified to be Microsoft driver code signed.

Edited by itman
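Added example, not code from this thread or from ESET: a script that reports the Secure Boot state and lists the kernel drivers in System32\drivers that are not carrying a valid Microsoft-issued embedded signature, which is the check the post above says you need before turning Secure Boot on. It assumes an elevated PowerShell on Windows 8.1/10 with UEFI firmware; the driver directory is the default one and can be overridden.

```powershell
# Added example (not from the forum thread or ESET). Run elevated on Windows 8.1/10.
# 1) Report whether Secure Boot is enabled.
# 2) List kernel drivers whose embedded Authenticode signature is invalid or not
#    issued under a Microsoft certificate.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems, so treat that as "unsupported".
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'Unsupported (legacy BIOS/CSM boot, not UEFI)' }
}

function Get-NonMicrosoftDriver {
    param([string]$DriverDir = "$env:SystemRoot\System32\drivers")   # assumption: default path
    Get-ChildItem -Path $DriverDir -Filter *.sys | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Driver = $_.Name
            Status = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
            Signer = $sig.SignerCertificate.Subject  # $null when there is no embedded signature
        }
    } | Where-Object {
        # Flag anything that is not a valid signature from a Microsoft certificate. Drivers that
        # Microsoft signs for vendors use "Microsoft Windows Hardware Compatibility Publisher",
        # which still matches O=Microsoft Corporation.
        $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
    }
}

"Secure Boot: $(Get-SecureBootState)"
Get-NonMicrosoftDriver | Sort-Object Status, Driver | Format-Table -AutoSize
```

Caveat when reading the output: many inbox drivers are signed only through a catalog file (.cat) rather than an embedded signature, and Get-AuthenticodeSignature reports those as NotSigned. Cross-check such entries with `driverquery /si` (the IsSigned column takes catalogs into account) before treating them as unsigned. Anything whose Signer is a vendor name rather than Microsoft is the kind of driver the post above warns will not load once Secure Boot is on.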

12 hours ago, Peter Randziak said:

Hello @MartinPe

we have an article covering it on WeLiveSecurity https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ 

ESET is able to detect it in the system and in the UEFI update file as well.

The cleaning is not possible as it resides in the UEFI.

Regards, P.R.

Peter, what would be helpful here is if ESET could post the certificate of the RWEverything driver, rwdrv.sys, as a .cer file. This way one could import it into the Windows untrusted certificate store.

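Added example, not code from this thread or from ESET: rather than waiting for a .cer to be posted, the signer certificate can be exported from a copy of the driver itself and imported into the machine's Untrusted Certificates store (Cert:\LocalMachine\Disallowed), which is what the post above proposes. The file paths are assumptions; run it elevated.

```powershell
# Added example (not from the forum thread or ESET). Exports the Authenticode signer
# certificate embedded in a driver file and adds it to the Untrusted store so that Windows
# no longer trusts signatures made with it. Paths are assumptions; run elevated.
param(
    [string]$DriverPath = 'C:\quarantine\rwdrv.sys',          # copy of the driver to block
    [string]$CerPath    = 'C:\quarantine\rwdrv-signer.cer'    # where the .cer is written
)

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
if (-not $sig.SignerCertificate) { throw "$DriverPath has no embedded Authenticode signature" }
$cert = $sig.SignerCertificate

# Show what is about to be distrusted; check this against what you expect before proceeding.
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"

# Safety check: distrusting a Microsoft certificate would break signature validation for
# Windows itself. Only the vendor's own leaf certificate belongs in Disallowed.
if ($cert.Subject -match 'O=Microsoft Corporation') {
    throw 'Signer is a Microsoft certificate; refusing to add it to the Untrusted store'
}

Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Disallowed | Out-Null

# Verify the entry is present.
Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, Thumbprint, NotAfter
```

Two limits worth knowing: a driver that is already loaded stays loaded until the next boot, and if the copy you have is signed by Microsoft on the vendor's behalf (WHQL) there is no vendor certificate to distrust, so the block has to come from a code integrity policy or from the AV product instead.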

On 9/28/2018 at 7:54 AM, Peter Randziak said:

Hello @MartinPe

we have an article covering it on WeLiveSecurity https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ 

ESET is able to detect it in the system and in the UEFI update file as well.

The cleaning is not possible as it resides in the UEFI.

Regards, P.R.

You say that the cleaning is not possible as it resides in the UEFI. So your UEFI scanner can only detect this new virus but not remove it. Do you think that you will find a way to clean this virus, or other future viruses that use the same technique? Maybe find a way with ESET SysRescue Live?

Edited by Clark T

43 minutes ago, Clark T said:

You say that the cleaning is not possible as it resides in the UEFI. So your UEFI scanner can only detect this new virus but not remove it. Do you think that you will find a way to clean this virus, or other future viruses that use the same technique?

The problem is that the malware resides in the motherboard firmware. The only thing that has access to the firmware is the BIOS. In most cases, the only access to the BIOS is via low level system access that will "flash" the BIOS/UEFI totally replacing its contents.

There is BIOS modification software that exists that allows for:

1. Copying the BIOS contents.

2. Using the equivalent of a hex editor to modify the copy.

3. Replacing the existing BIOS firmware contents with the modified copy using existing flashing methods.

There are multiple BIOS manufacturers. Also, there are multiple versions of a BIOS by a manufacturer. As such, it would be impossible to develop a "cleaning" utility that would be applicable to all BIOSes and their versions. Additionally, as little as a one-bit misplaced revision could render the PC totally inoperable.

Some motherboard manufacturers have dual BIOS/UEFI capability. This allows you to use a backup copy of a BIOS/UEFI that is corrupted via malware or otherwise to replace the primary BIOS/UEFI used for system booting. Additionally, most motherboard manufacturer flash utilities allow for copying the BIOS/UEFI to external media for backup and recovery purposes. Something that should be done on every new PC or when the BIOS/UEFI is updated.

Edited by itman
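Added example, not code from this thread or from ESET: the backup the post above recommends is only useful if you can tell what changed, so this script compares a firmware image dumped today against the backup taken when the board was new and lists the byte ranges that differ. How the images are dumped (vendor flash utility, a hardware programmer) is outside the script; the file paths are assumptions, and the demo data at the bottom is constructed so the script runs without a real dump.

```powershell
# Added example (not from the forum thread or ESET). Compares two firmware images of the
# same flash part and returns the differing byte ranges as Offset/Length records.

function Compare-FirmwareImage {
    param(
        [Parameter(Mandatory)][byte[]]$Baseline,   # backup taken when the PC was new / last updated
        [Parameter(Mandatory)][byte[]]$Current     # image dumped now
    )
    if ($Baseline.Length -ne $Current.Length) {
        throw "Image sizes differ ($($Baseline.Length) vs $($Current.Length)): not the same flash part, or a truncated dump"
    }
    $ranges = @()
    $start  = -1
    for ($i = 0; $i -lt $Baseline.Length; $i++) {
        $differs = $Baseline[$i] -ne $Current[$i]
        if ($differs -and $start -lt 0) {
            $start = $i                                   # a differing run begins
        } elseif (-not $differs -and $start -ge 0) {
            $ranges += [pscustomobject]@{ Offset = $start; Length = $i - $start }
            $start = -1                                   # run ended
        }
    }
    if ($start -ge 0) {                                   # run reaches end of image
        $ranges += [pscustomobject]@{ Offset = $start; Length = $Baseline.Length - $start }
    }
    return $ranges
}

# --- Real use (paths are assumptions) ---
# $base = [IO.File]::ReadAllBytes('E:\bios-backup\board-v1.02.bin')
# $now  = [IO.File]::ReadAllBytes('C:\dumps\board-today.bin')
# Compare-FirmwareImage $base $now | Format-Table -AutoSize

# --- Constructed demo data: 4 KiB of zeros with 16 bytes patched at 0x800 ---
$base = [byte[]]::new(4096)
$now  = [byte[]]::new(4096)
[Array]::Copy($base, $now, 4096)
0x800..0x80F | ForEach-Object { $now[$_] = 0x90 }

Compare-FirmwareImage $base $now |
    Format-Table @{ Name = 'Offset'; Expression = { '0x{0:X}' -f $_.Offset } }, Length -AutoSize
```

Reading the output: the NVRAM variable store changes legitimately between boots (boot counters, UEFI variables), so differences confined to that region are expected; differences inside the code volumes (the DXE drivers), where an added driver would live, are what warrant a closer look. After a legitimate BIOS update, dump the new image and make it the baseline.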

For anyone wanting to take a "deep dive" into UEFI protection mechanisms, the following reference is worth reading:

UEFI Firmware Rootkits: Myths and Reality
https://www.blackhat.com/docs/asia-17/materials/asia-17-Matrosov-The-UEFI-Firmware-Rootkits-Myths-And-Reality.pdf

Since the publication is long and quite technically detailed, you can scroll down to the section titled, "UEFI Firmware Mitigations."

Of note in regards to Intel motherboards are the following mitigations:

1. Intel Boot Guard.

2. Intel BIOS Guard.

Microsoft has additionally created a mitigation for latter Win 10 versions that is available to OEMs, Windows SMM Security Mitigation Table (WSMT). You can read about this here: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-uefi-wsmt . 


Hi, my ESET ES 7 found something like that:
warning -> EFI/CompuTrace.A

Question: is that the new UEFI virus LoJax?
I found on the ESET website information that the virus name should be EFI/LoJax.A.
Is it the same?


  • ESET Moderators
2 hours ago, banialuka said:

Hi, my ESET ES 7 found something like that:
warning -> EFI/CompuTrace.A

Question: is that the new UEFI virus LoJax?
I found on the ESET website information that the virus name should be EFI/LoJax.A.
Is it the same?

See the other thread on the CompuTrace topic:

 
