ESET discovers first LoJax UEFI rootkit malware by Sednit group


  1. Posts : 31,459
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #10

    Penny K said:
    Also, did you notice that MS Firmware update driver is dated 2006 .... That doesn't inspire confidence in me....
    This is deliberate, it ensures an MS driver won't replace a more up to date custom OEM driver in error....

    The dates on all Windows drivers are set to June 21, 2006. The version number increases over time, but the timestamp stays put... "It's an awesome example of something that seems stupid and insignificant turning out to have a profound purpose."
    Why are all Windows drivers dated June 21, 2006? (The Old New Thing)


  2. Posts : 16,325
    W10Prox64
       #11

    https://www.welivesecurity.com/wp-co...ESET-LoJax.pdf

    LoJax // First UEFI rootkit found in the wild, courtesy of the Sednit group

    While the small agent rpcnetp.exe can be dropped by the UEFI rootkit, it is probable that most instances we saw of a trojanized LoJack small agent did not use this component. It is likely that they were opportunistic and installed the UEFI rootkit only when possible and in organizations of high importance.

    Throughout our investigation, we were able to uncover different LoJax small agent versions. The IOC section lists their hashes and the associated malicious domains/IPs. As discussed previously, all LoJax small agent samples we were able to recover were a trojanized version of the same old Computrace small agent compiled in 2008.

    While we never witnessed LoJax agent download and install additional modules, we do know that this functionality exists. As LoJax's best quality is to be stealthy and persistent, it could definitely be used to help ensure that access to key resources is maintained.

    6. PREVENTION AND REMEDIATION
    How could such an attack have been prevented? This involves a complex ecosystem composed of multiple actors. The first security mechanism that could have blocked such an attack is Secure Boot. When Secure Boot is enabled, each and every firmware component that is loaded by the firmware needs to be properly signed, thus ensuring the integrity of the firmware. We strongly suggest that you enable it. This is the base defense against attacks targeting UEFI firmware.

    As is the case for software, the UEFI firmware should always be kept up-to-date. Visit your motherboard website to make sure that you have the latest version available.

    You should also make sure that all of your systems have modern chipsets with Platform Controller Hub (starting from Intel Series 5 chipsets onwards). This will ensure that the security mechanism against the race condition vulnerability we mentioned [18] is available on the platform.

    The other part of firmware security is in the hands of UEFI/BIOS vendors. The security mechanisms provided by the platform need to be properly configured by the system firmware to actually protect it. Thus, firmware must be built with security in mind from the ground up. Fortunately, more and more security researchers are looking at firmware security, thus contributing to improve this field and raise awareness of firmware vendors. It is also worth mentioning CHIPSEC [16], an open source framework to perform low-level security assessments, which is very helpful to determine if your platform is properly configured.

    Remediation of a UEFI firmware-based compromise is a hard problem. There are no easy ways of cleaning the system from such a threat, nor are there any security products that can save the day. In the case we described in this paper, the SPI flash memory needs to be reflashed to remove the rootkit. This is not a trivial task and definitely is not a recommended procedure for the average computer owner. Upgrading the UEFI firmware may remove the rootkit given that the update rewrites the whole BIOS region of the SPI flash memory. If reflashing the UEFI firmware is not an option for you, the only alternative is to change the motherboard of the infected system.
    So, enable Secure Boot in your BIOS wherever possible, and keep copies of your old firmware downloads offline somewhere.


  3. xTL
    Posts : 396
    Windows 10 Pro 64-Bit
       #12

    simrick said:
    https://www.welivesecurity.com/wp-co...ESET-LoJax.pdf

    So, enable Secure Boot in your BIOS wherever possible, and keep copies of your old firmware downloads offline somewhere.
    Correct.
    Also make sure this string in regedit isn't changed from this:

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager > BootExecute > autocheck autochk *

    To this

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager > BootExecute > autocheck autoche *
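The two checks the previous two posts recommend (Secure Boot enabled, and the Session Manager BootExecute value still set to the Windows default `autocheck autochk *` rather than `autocheck autoche *`) can be scripted rather than eyeballed in regedit. The script below is an added example, not code from this thread or from ESET's paper. It assumes an elevated PowerShell prompt on a UEFI-booted Windows 10/11 machine (Confirm-SecureBootUEFI needs both), and it assumes (my assumption, not stated on the page) that the native program named in each BootExecute entry is looked up in %SystemRoot%\System32 so its Authenticode signature can be inspected.

```powershell
# Added example (not from the forum thread or the ESET paper): read-only checks for
#   1. Secure Boot state, via Confirm-SecureBootUEFI (elevated prompt, UEFI boot required)
#   2. the REG_MULTI_SZ BootExecute value under Session Manager, compared with the
#      Windows default "autocheck autochk *", plus the signature of the named program.
# Assumption: BootExecute native programs live in %SystemRoot%\System32.

$ErrorActionPreference = 'Stop'
$SessionManager      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ExpectedBootExecute = @('autocheck autochk *')   # Windows default

function Test-SecureBootEnabled {
    try {
        return [bool](Confirm-SecureBootUEFI)
    } catch [System.PlatformNotSupportedException] {
        # Legacy BIOS / CSM boot: there is no Secure Boot to check.
        Write-Warning 'Not booted via UEFI; Secure Boot is not available on this system.'
        return $false
    } catch [System.UnauthorizedAccessException] {
        Write-Warning 'Confirm-SecureBootUEFI needs an elevated prompt.'
        return $false
    }
}

function Get-BootExecuteEntries {
    $prop = Get-ItemProperty -Path $SessionManager -Name BootExecute -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return @() }
    # REG_MULTI_SZ is returned as a string array; force an array even for a single line.
    return @($prop.BootExecute)
}

function Test-BootExecuteDefault {
    $actual = Get-BootExecuteEntries
    if ($actual.Count -eq 0) {
        Write-Warning 'BootExecute value is missing; expected "autocheck autochk *".'
        return $false
    }
    $diff = Compare-Object -ReferenceObject $ExpectedBootExecute -DifferenceObject $actual
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'unexpected entry' } else { 'missing entry' }
        Write-Warning ("BootExecute {0}: '{1}'" -f $tag, $d.InputObject)
    }
    return ($null -eq $diff)
}

function Get-BootExecuteBinarySignature {
    foreach ($entry in Get-BootExecuteEntries) {
        # Entry format is "autocheck <program> [args]"; the second token names the program.
        $program = ($entry -split '\s+')[1]
        if (-not $program) { continue }
        $path = Join-Path $env:SystemRoot "System32\$program.exe"
        if (Test-Path -Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{ Entry = $entry; Path = $path; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
        } else {
            [pscustomobject]@{ Entry = $entry; Path = $path; Status = 'FileNotFound'; Signer = $null }
        }
    }
}

"Secure Boot enabled           : $(Test-SecureBootEnabled)"
"BootExecute is Windows default: $(Test-BootExecuteDefault)"
Get-BootExecuteBinarySignature | Format-Table -AutoSize
```

On a clean machine the output is `True` / `True` and a single row for autochk.exe with Status `Valid` and a Microsoft signer (autochk.exe is catalog-signed, which Get-AuthenticodeSignature handles on Windows 8 and later). A second entry, an entry naming a program other than autochk, or a program whose signature is not `Valid` is worth a closer look, though it is not by itself proof of a firmware implant: the registry modification is only the OS-side footprint, and as the ESET text above says, confirming or removing the rootkit itself means inspecting or reflashing the SPI flash.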


  4. Posts : 7,871
    Windows 11 Pro 64 bit
       #13

    xTL said:
    Correct.
    Also make sure this string in regedit isn't changed from this:

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager > BootExecute > autocheck autochk *

    To this

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager > BootExecute > autocheck autoche *
    I don't have a Boot Execute field. I assume this is quite normal?


  5. xTL
    Posts : 396
    Windows 10 Pro 64-Bit
       #14

    Steve C said:
    I don't have a Boot Execute field. I assume this is quite normal?
    Hi Steve, you should have Boot Execute.
    Mine is located here :)

    [attachment: boot-exec.png]


  6. Posts : 69
    W10 1809
       #15

    Run your PC from a USER Account ... Not Admin.
    Install updates directly from the source, not cleaner/performance apps.
    Windows Defender is good, others are better.
    Do not use pirated software.
    Once a year do a system audit/analysis at MBAM or SpyBot.
    Malwarebytes Forums
    Safer-Networking Forums


  7. Posts : 3,453
       #16

    I agree with your points... but what is "Install updates directly from the source, not cleaner/performance apps." ?

    BTW Linux is not impervious to rootkit exe's...AFAIK


  8. Posts : 69
    W10 1809
       #17

    Superfly said:
    I agree with your points... but what is "Install updates directly from the source, not cleaner/performance apps." ?

    BTW Linux is not impervious to rootkit exe's...AFAIK
    Don't update VLC from The Pirate Bay or KickAss Torrents ... Go to VLC ..... Geeesh.

    This S#!T, and many more like them most likely will dump redirects, toolbars, advertising and other garbage onto your browser and pc.
    10 Free Software Updater Programs (October 2018)


  9. xTL
    Posts : 396
    Windows 10 Pro 64-Bit
       #18

    Penny K said:
    Run your PC from a USER Account ... Not Admin.
    What ?

    Penny K said:
    Install updates directly from the source, not cleaner/performance apps.
    Agreed!

    Penny K said:
    Windows Defender is good, others are better.
    Agreed!

    Penny K said:
    Do not use pirated software.
    Agreed!
    Penny K said:
    Once a year do a system audit/analysis at MBAM or SpyBot.
    Better to scan once a month or when / if you happen to visit shady sites / accidentally press a link you shouldn't have.


    Superfly said:
    BTW Linux is not impervious to rootkit exe's...AFAIK
    This is true; if rootkits have infected your hardware, even a Linux OS would have problems.


  10. Posts : 3,453
       #19

    What's up with the condescension? Your post was not clear.. neither your reply - still not sure what "cleaner/performance" apps are ..

