MartinPe (10), posted September 28, 2018:

Found this one on the news: a Neowin article about ESET finding a UEFI rootkit. Does ESET already block this, or do I still have to activate Secure Boot?
Peter Randziak (ESET Moderators, 1,182), posted September 28, 2018:

Hello @MartinPe, we have an article covering it on WeLiveSecurity: https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

ESET is able to detect it in the system and in the UEFI update file as well. Cleaning is not possible, as it resides in the UEFI.

Regards, P.R.
itman (1,804), posted September 28, 2018 (edited):

12 hours ago, MartinPe said:
    I still have to activate Secure Boot?

This is the best way to prevent it from infecting the UEFI/BIOS. Note that all your drivers, including app drivers, must be Microsoft driver code signed, or Secure Boot will prevent the OS from booting. There also might be issues using Secure Boot if you own a laptop and a legitimate version of CompuTrace was factory installed by the vendor. You will have to verify that its driver has been Microsoft code signed, which is doubtful if it predates the Win 8.1/10 product delivery dates. Even if this is the case, the driver needs to be verified to be Microsoft driver code signed.

Edited September 28, 2018 by itman
itman (1,804), posted September 28, 2018:

12 hours ago, Peter Randziak said:
    Hello @MartinPe, we have an article covering it on WeLiveSecurity: https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ ESET is able to detect it in the system and in the UEFI update file as well. Cleaning is not possible, as it resides in the UEFI. Regards, P.R.

Peter, what would be helpful here is if ESET could post the RWEverything driver (rwdrv.sys) certificate as a .cer file. This way one could import it into the Windows untrusted certificate store.
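The two checks itman describes in the posts above (is Secure Boot on, are the installed kernel drivers signed) and the certificate-blocking step he asks ESET for can be scripted from an elevated PowerShell prompt. The script below is an added example and is not code from this thread, from ESET, or from the Neowin/WeLiveSecurity articles. It assumes a Windows 8.1/10 host with the SecureBoot and PKI modules present; the quarantine path `C:\quarantine\rwdrv.sys` and the exported file name are placeholders chosen for the example, and the certificate itself must come from a copy of the driver you already hold, since the thread does not publish its thumbprint.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on Windows 8.1/10.
# Step 1: Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS firmware,
# so treat the exception as "not available" rather than as an error.
try {
    $secureBoot = Confirm-SecureBootUEFI
    Write-Host "Secure Boot enabled: $secureBoot"
} catch {
    Write-Host "Secure Boot not available (legacy BIOS or unsupported platform): $($_.Exception.Message)"
}

# Step 2: Authenticode check of the installed kernel drivers.
# 'Valid' only means the signature chains to a root the machine trusts; Secure Boot
# additionally requires a Microsoft/WHQL signature, which this cmdlet does not verify,
# so treat the list as a first pass, not a Secure Boot compatibility guarantee.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$report = Get-ChildItem -Path $driverDir -Filter '*.sys' -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Driver = $_.Name
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    }
}
Write-Host "Drivers whose signature is not 'Valid':"
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# Step 3: Distrust the signing certificate of a specific driver.
# Export the signer certificate from a quarantined copy (path is an assumption for this
# example) and import it into the LocalMachine Disallowed store, which is the store the
# certificate MMC shows as "Untrusted Certificates". Anything signed with that
# certificate is then treated as untrusted by the OS signature checks.
$driverPath = 'C:\quarantine\rwdrv.sys'   # placeholder: location of your quarantined copy
if (Test-Path -Path $driverPath) {
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    if ($sig.SignerCertificate) {
        $cerPath = Join-Path $env:TEMP 'blocked-driver-signer.cer'   # placeholder file name
        $sig.SignerCertificate | Export-Certificate -FilePath $cerPath -Type CERT | Out-Null
        Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Disallowed' | Out-Null
        Write-Host "Added signer $($sig.SignerCertificate.Thumbprint) to the Disallowed store."
    } else {
        Write-Host "No Authenticode signer found on $driverPath; nothing to block."
    }
} else {
    Write-Host "No quarantined driver at $driverPath; skipping the Disallowed-store step."
}
```

Two caveats before using step 3 on a production machine: the Disallowed store blocks every binary signed with that certificate, so if the driver was signed with a general-purpose vendor certificate rather than one dedicated to the abused tool, legitimate software from the same vendor stops loading too; and distrusting the certificate does nothing for a firmware implant that is already written, which is the point Peter Randziak makes above about cleaning.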
Clark T (3), posted September 30, 2018 (edited):

On 9/28/2018 at 7:54 AM, Peter Randziak said:
    Hello @MartinPe, we have an article covering it on WeLiveSecurity: https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ ESET is able to detect it in the system and in the UEFI update file as well. Cleaning is not possible, as it resides in the UEFI. Regards, P.R.

You say that cleaning is not possible as it resides in the UEFI. So your UEFI scanner can only detect this new virus but not remove it. Do you think you will find a way to clean this virus, or other future viruses that use the same technique? Maybe find a way with ESET SysRescue Live?

Edited September 30, 2018 by Clark T
itman (1,804), posted September 30, 2018 (edited):

43 minutes ago, Clark T said:
    You say that cleaning is not possible as it resides in the UEFI. So your UEFI scanner can only detect this new virus but not remove it. Do you think you will find a way to clean this virus, or other future viruses that use the same technique?

The problem is that the malware resides in the motherboard firmware. The only thing that has access to the firmware is the BIOS. In most cases, the only access to the BIOS is via low-level system access that will "flash" the BIOS/UEFI, totally replacing its contents. There is BIOS modification software that exists that allows for:

1. Copying the BIOS contents.
2. Using the equivalent of a hex editor to modify the copy.
3. Replacing the existing BIOS firmware contents with the modified copy using existing flashing methods.

There are multiple BIOS manufacturers. Also, there are multiple versions of a BIOS by a manufacturer. As such, it would be impossible to develop a "cleaning" utility that would be applicable to all BIOSes and their versions. Additionally, as little as a one-bit misplaced revision could render the PC totally inoperable.

Some motherboard manufacturers have dual BIOS/UEFI capability. This allows you to use a backup copy of a BIOS/UEFI that is corrupted, via malware or otherwise, to replace the primary BIOS/UEFI used for system booting. Additionally, most motherboard manufacturer flash utilities allow for copying the BIOS/UEFI to external media for backup and recovery purposes, something that should be done on every new PC or when the BIOS/UEFI is updated.

Edited September 30, 2018 by itman
itman (1,804), posted October 1, 2018:

For anyone wanting to take a "deep dive" into UEFI protection mechanisms, here is the following reference:

UEFI Firmware Rootkits: Myths and Reality
https://www.blackhat.com/docs/asia-17/materials/asia-17-Matrosov-The-UEFI-Firmware-Rootkits-Myths-And-Reality.pdf

Since the publication is long and quite technically detailed, you can scroll down to the section titled "UEFI Firmware Mitigations." Of note in regards to Intel motherboards are the following mitigations:

1. Intel Boot Guard.
2. Intel BIOS Guard.

Microsoft has additionally created a mitigation for later Win 10 versions that is available to OEMs, the Windows SMM Security Mitigation Table (WSMT). You can read about it here: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-uefi-wsmt
banialuka (0), posted October 4, 2018:

Hi, my ESET ES 7 found something like that: warning -> EFI/CompuTrace.A. Question: is that the new UEFI virus LoJax? I found on the ESET website information that the virus name should be EFI/LoJax.A. Is it the same?
foneil (ESET Moderators, 342), posted October 4, 2018:

2 hours ago, banialuka said:
    Hi, my ESET ES 7 found something like that: warning -> EFI/CompuTrace.A. Question: is that the new UEFI virus LoJax? I found on the ESET website information that the virus name should be EFI/LoJax.A. Is it the same?

See the other thread on the CompuTrace topic: