Don't go burning your motherboards but do be aware of this UEFI rootkit

Subject: General Tech | July 15, 2015 - 12:43 PM |
Tagged: uefi, security

Yet another revelation has come from the Hacking Team leak: a UEFI-based rootkit which can infect computers and will survive AV scans and even a drive replacement.  The rootkit is designed specifically for the UEFI BIOS made by Insyde, which is found primarily in laptops, Dell and HP for example.  Trend Micro suggested to The Register that this rootkit could also infect AMIBIOS-based UEFI, the type you are familiar with from desktop motherboards, but that has not been confirmed.  Trend Micro also intimates that the rootkit could be installed remotely, but so far the evidence suggests physical access is required ... as flashing a BIOS tends to do.  Enabling UEFI SecureFlash, or even flashing to the newest version, will also remove the kit, although depending on the solution your motherboard uses you may see error messages about updating from an unexpected or corrupt previous version.  Keep safe out there and maybe keep the Flash to your BIOS for now.
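Because an implant like this lives in the SPI flash rather than on disk, the practical check is to compare a dump of the firmware against the vendor's known-good image rather than to scan the drive. The script below is an added example, not code from this article, Trend Micro, The Register or any firmware vendor: it verifies a captured image against an allowlist of expected SHA-256 hashes and, when the hash does not match, reports which flash blocks changed. Reading the dump out of the chip (with a vendor tool or a hardware programmer) is outside its scope; the 32 KiB images, the 4 KiB block size and the allowlist label are constructed stand-ins, and in practice the expected hash would come from the OEM's published release.

```python
"""Compare a captured firmware (SPI flash) dump against a known-good vendor image.

Added example; not code from the article or from any vendor. The images,
the block size and the allowlist entry below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

BLOCK_SIZE = 4096  # assumed erase-block size; real parts vary


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a whole image."""
    return hashlib.sha256(data).hexdigest()


def verify_against_allowlist(image: bytes, allowlist: Dict[str, str]) -> Optional[str]:
    """Return the allowlist label whose hash matches the image, else None."""
    digest = sha256_hex(image)
    for label, expected in allowlist.items():
        # constant-time compare so the check itself does not leak anything
        if hmac.compare_digest(digest, expected):
            return label
    return None


def diff_blocks(reference: bytes, captured: bytes, block_size: int = BLOCK_SIZE) -> List[dict]:
    """List every block where the captured dump differs from the vendor image.

    A size mismatch is reported as an error rather than silently diffed, since a
    truncated or padded dump is itself a finding worth investigating.
    """
    if len(reference) != len(captured):
        raise ValueError(
            f"image size mismatch: reference={len(reference)} captured={len(captured)}"
        )
    findings = []
    for offset in range(0, len(reference), block_size):
        ref = reference[offset:offset + block_size]
        cap = captured[offset:offset + block_size]
        if ref != cap:
            findings.append({
                "block": offset // block_size,
                "offset": offset,
                "changed_bytes": sum(a != b for a, b in zip(ref, cap)),
            })
    return findings


# --- constructed sample data (stand-ins for a vendor image and a field dump) ---
REFERENCE_IMAGE = bytes(range(256)) * 128            # 32 KiB, 8 blocks of 4 KiB
ALLOWLIST = {"vendor-image-v1.2": sha256_hex(REFERENCE_IMAGE)}  # OEM-published in practice

_TAMPER_OFFSET = 3 * BLOCK_SIZE                      # constructed change inside block 3
_TAMPER_BYTES = b"NOTGOODFIRMWARE"
CAPTURED_IMAGE = (
    REFERENCE_IMAGE[:_TAMPER_OFFSET]
    + _TAMPER_BYTES
    + REFERENCE_IMAGE[_TAMPER_OFFSET + len(_TAMPER_BYTES):]
)


def assess(captured: bytes, reference: bytes, allowlist: Dict[str, str]) -> dict:
    """Full check: allowlist match first, block-level diff only on mismatch."""
    match = verify_against_allowlist(captured, allowlist)
    if match is not None:
        return {"status": "known-good", "matched": match, "findings": []}
    return {"status": "modified", "matched": None, "findings": diff_blocks(reference, captured)}


if __name__ == "__main__":
    for name, img in (("reference", REFERENCE_IMAGE), ("captured", CAPTURED_IMAGE)):
        result = assess(img, REFERENCE_IMAGE, ALLOWLIST)
        print(f"{name}: {result['status']}")
        for f in result["findings"]:
            print(f"  block {f['block']} @ 0x{f['offset']:06x}: {f['changed_bytes']} bytes changed")
```

A matching hash is only as trustworthy as the source of the expected value and the dump itself; if the firmware is already hostile, a software-initiated read can be lied to, which is why a hardware read of the chip is preferred for a forensic comparison.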


"Hacking Team RCS spyware came pre-loaded with a UEFI (Unified Extensible Firmware Interface) BIOS rootkit to hide itself on infected systems, it has emerged following the recent hacking of the controversial surveillance firm."

Source: The Register


July 15, 2015 | 08:09 PM - Posted by Heavy (not verified)

Yeah... I think everyone saw this coming from a long time ago. The more features we get on motherboard UEFI, the higher the chances are there will be more exploits.

July 15, 2015 | 08:38 PM - Posted by Anonymous (not verified)

Now there will have to be 2 UEFI chips, one you can write to/update, and the other a default UEFI ROM, so if you suspect that the writable UEFI may be harboring a rootkit/malware then you can boot off of the read-only UEFI/BIOS, and reimage/reset (nuke from orbit) the UEFI rewritable flash memory. And then get a secure UEFI update from the device's OEM, or your corporate IT department. This should help keep the system cleaned of any troubles, and could go along with reimaging the system drive with an un-modifiable system ISO for any users, especially the corporate users who go overseas to some very insecure locations. Oh for the days when a dip switch, or jumper needed to be enabled to flash the BIOS/UEFI. All that extensibility can lead to an extensive threat that cannot be erased with a simple disk wipe and reimage!

July 16, 2015 | 03:23 AM - Posted by Hakuren

UEFI is the biggest fraud in PC history. Created only to accommodate OS manufacturers (excluding GPL). It solved not one of the old BIOS problems but added a whole bag of new ones. And unauthorized access to that software is a million times easier than accessing the good old BIOS.

Yes, I too sometimes miss jumpers to block any tampering with the BIOS. Analog is not always worse than digital. Case in point with UEFI.

July 17, 2015 | 09:10 AM - Posted by Anonymous (not verified)

"Analog is not always worse than digital. Case in point with UEFI."

I would suggest that in place of ranting about BIOS and UEFI, some reading may be in order.

July 17, 2015 | 09:16 AM - Posted by Anonymous (not verified)

"Various precautions to guard against this sort of attack are possible, including enabling UEFI SecureFlash, updating the BIOS whenever there is a security patch and setting up a BIOS or UEFI password, as Trend Micro explains."

So, this is kind of a non-story: attacker X has physical access to a machine with no password protection and no key signing (UEFI SecureFlash), attacker X can do Stuff. You can do the exact same thing with BIOS, or any EFI implementation!
