ESET discovers first LoJax UEFI rootkit malware by Sednit group

Page 2 of 6
  1. Bree
    Posts : 9,648
    10 Home x64 (1809) (10 Pro on 2nd pc)
       28 Sep 2018 #10

    Penny K said:
    Also, did you notice that MS Firmware update driver is dated 2006 .... That doesn't inspire confidence in me....
    This is deliberate, it ensures an MS driver won't replace a more up to date custom OEM driver in error....

    The dates on all Windows drivers are set to June 21, 2006. The version number increases over time, but the timestamp stays put... "It's an awesome example of something that seems stupid and insignificant turning out to have a profound purpose."
    Why are all Windows drivers dated June 21, 2006? Don The Old New Thing

  2.    08 Oct 2018 #11

    https://www.welivesecurity.com/wp-co...ESET-LoJax.pdf

    LoJax // First UEFI rootkit found in the wild, courtesy of the Sednit group

    While the small agent rpcnetp.exe can be dropped by the UEFI rootkit, it is probable that most instances we saw of a trojanized LoJack small agent did not use this component. It is likely that they were opportunistic and installed the UEFI rootkit only when possible and in organizations of high importance.

    Throughout our investigation, we were able to uncover different LoJax small agent versions. The IOC section lists their hashes and the associated malicious domains/IPs. As discussed previously, all LoJax small agent samples we were able to recover were a trojanized version of the same old Computrace small agent compiled in 2008.

    While we never witnessed LoJax agent download and install additional modules, we do know that this functionality exists. As LoJax’s best quality is to be stealthy and persistent, it could definitely be used to help ensure that access to key resources is maintained.

    6. PREVENTION AND REMEDIATION
    How could such an attack have been prevented? This involves a complex ecosystem composed of multiple actors. The first security mechanism that could have blocked such an attack is Secure Boot. When Secure Boot is enabled, each and every firmware component that is loaded by the firmware needs to be properly signed, thus ensuring the integrity of the firmware. We strongly suggest that you enable it. This is the base defense against attacks targeting UEFI firmware.

    As is the case for software, the UEFI firmware should always be kept up-to-date. Visit your motherboard website to make sure that you have the latest version available.

    You should also make sure that all of your systems have modern chipsets with Platform Controller Hub (starting from Intel Series 5 chipsets onwards). This will ensure that the security mechanism against the race condition vulnerability we mentioned [18] is available on the platform.

    The other part of firmware security is in the hands of UEFI/BIOS vendors. The security mechanisms provided by the platform need to be properly configured by the system firmware to actually protect it. Thus, firmware must be built with security in mind from the ground up. Fortunately, more and more security researchers are looking at firmware security thus contributing to improve this field and raise awareness of firmware vendors. It is also worth mentioning CHIPSEC [16], an open source framework to perform low-level security assessments, which is very helpful to determine if your platform is properly configured.

    Remediation of a UEFI firmware-based compromise is a hard problem. There are no easy ways of cleaning the system from such threat nor are there any security products that can save the day. In the case we described in this paper, the SPI flash memory needs to be reflashed to remove the rootkit. This is not a trivial task and that definitely is not a recommended procedure for the average computer owner. Upgrading the UEFI firmware may remove the rootkit given that the update rewrites the whole BIOS region of the SPI flash memory. If reflashing the UEFI firmware is not an option for you, the only alternative is to change the motherboard of the infected system.
    So, enable Secure Boot in your BIOS wherever possible, and keep copies of your old firmware downloads offline somewhere.

  3. xTL
    Posts : 269
    Windows 10 Pro 64-Bit (1809) 17763.1
       08 Oct 2018 #12

    simrick said:
    https://www.welivesecurity.com/wp-co...ESET-LoJax.pdf

    So, enable Secure Boot in your BIOS wherever possible, and keep copies of your old firmware downloads offline somewhere.
    Correct,
    Also make sure this string in regedit isn't changed from this.

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager > BootExecute > autocheck autochk *

    To this

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager > BootExecute > autocheck autoche *
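As an added example (not code from the thread or from ESET's paper), here is a PowerShell check that covers both points raised above: whether Secure Boot is on, and whether BootExecute still holds the default "autocheck autochk *" rather than the "autoche" variant. It assumes Windows 10 booted through UEFI and an elevated session; Confirm-SecureBootUEFI is the cmdlet from Windows' built-in SecureBoot module.

```powershell
# Added example, not code from the thread or from ESET's paper.
# Assumes Windows 10 booted via UEFI and an elevated PowerShell session
# (Confirm-SecureBootUEFI needs admin and throws on legacy BIOS/CSM boots).

function Test-SecureBootState {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # No UEFI firmware variables reachable: legacy boot, or session not elevated
        return [pscustomobject]@{ Check = 'SecureBoot'; Status = 'UNKNOWN'; Detail = $_.Exception.Message }
    }
    $status = if ($enabled) { 'OK' } else { 'WARN' }
    [pscustomobject]@{ Check = 'SecureBoot'; Status = $status; Detail = "Secure Boot enabled: $enabled" }
}

function Test-BootExecuteValue {
    # Default cited in the thread: a single REG_MULTI_SZ entry "autocheck autochk *"
    $expected = @('autocheck autochk *')
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    try {
        $actual = @((Get-ItemProperty -Path $key -Name BootExecute -ErrorAction Stop).BootExecute)
    } catch {
        # The value can be absent (see the question later in the thread); report it rather than fail
        return [pscustomobject]@{ Check = 'BootExecute'; Status = 'WARN'; Detail = 'BootExecute value not present' }
    }

    # Two signals: any drift from the default, and specifically the "autoche" spelling the thread warns about
    $drifted = ($actual -join "`n") -ne ($expected -join "`n")
    $autoche = [bool]($actual | Where-Object { $_ -match '\bautoche\b' })

    $status = if ($autoche) { 'ALERT' } elseif ($drifted) { 'WARN' } else { 'OK' }
    [pscustomobject]@{ Check = 'BootExecute'; Status = $status; Detail = 'Current value: ' + ($actual -join ' | ') }
}

$results = @(Test-SecureBootState; Test-BootExecuteValue)
$results | Format-Table -AutoSize

# Non-zero exit code so the script can be run from a scheduled task and the result picked up centrally
if ($results.Status -contains 'ALERT' -or $results.Status -contains 'WARN') { exit 1 }
```

A WARN on BootExecute only means the value differs from the default shown in the thread; an ALERT means the "autoche" spelling is present and the machine should be treated as suspect until examined.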

  4.    09 Oct 2018 #13

    xTL said:
    Correct,
    Also make sure this string in regedit isn't changed from this.

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager > BootExecute > autocheck autochk *

    To this

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager > BootExecute > autocheck autoche *
    I don't have a Boot Execute field. I assume this is quite normal?

  5. xTL
    Posts : 269
    Windows 10 Pro 64-Bit (1809) 17763.1
       09 Oct 2018 #14

    Steve C said:
    I don't have a Boot Execute field. I assume this is quite normal?
    Hi Steve, you should have Boot Execute; mine is located here :)

    [Screenshot: boot exec.png]

  6.    10 Oct 2018 #15

    Run your PC from a USER Account ... Not Admin.
    Install updates directly from the source, not cleaner/performance apps.
    Windows Defender is good, others are better.
    Do not use pirated software.
    Once a year do a system audit/analysis at MBAM or SpyBot.
    Malwarebytes Forums
    Safer-Networking Forums

  7.    10 Oct 2018 #16

    I agree with your points... but what is "Install updates directly from the source, not cleaner/performance apps." ?

    BTW Linux is not impervious to rootkit exe's...AFAIK

  8.    10 Oct 2018 #17

    Superfly said:
    I agree with your points... but what is "Install updates directly from the source, not cleaner/performance apps." ?

    BTW Linux is not impervious to rootkit exe's...AFAIK
    Don't update VLC from The Pirate Bay or KickAss Torrents ... Go to VLC ..... Geeesh.

    This S#!T, and many more like it, will most likely dump redirects, toolbars, advertising and other garbage onto your browser and PC.
    10 Free Software Updater Programs (October 2018)

  9. xTL
    Posts : 269
    Windows 10 Pro 64-Bit (1809) 17763.1
       10 Oct 2018 #18

    Penny K said:
    Run your PC from a USER Account ... Not Admin.
    What ?

    Penny K said:
    Install updates directly from the source, not cleaner/performance apps.
    Agreed!

    Penny K said:
    Windows Defender is good, others are better.
    Agreed!

    Penny K said:
    Do not use pirated software.
    Agreed!
    Penny K said:
    Once a year do a system audit/analysis at MBAM or SpyBot.
    Better to scan once a month or when / if you happen to visit shady sites / accidentally press a link you shouldn't have.

    Superfly said:
    BTW Linux is not impervious to rootkit exe's...AFAIK
    This is true; if rootkits have infected your hardware, even a Linux OS would have problems.

  10.    10 Oct 2018 #19

    What's up with the condescension? Your post was not clear, and neither was your reply. I'm still not sure what "cleaner/performance" apps are.

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.