UEFI malware rears ugly head again: Kaspersky uncovers campaign with whiff of China

Russian antivirus maker Kaspersky has said it uncovered "rogue UEFI firmware images" seemingly developed by black hats with links to China. The rogue images had been "modified from their benign counterpart to incorporate several malicious modules", according to a post on Kaspersky's Securelist blog, which named the attack …

  1. IGotOut Silver badge

    Can someone clarify something?

    It seems to be hidden in SPI flash storage soldered to the MB... it seems to be targeting charities and diplomats.

    So am I missing something, e.g. are these being shipped pre-hacked knowing their destination? Or is it a scatter-gun approach that just hopes it gets to these?

    Or is it simply some mb company has a dodgy firmware image?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Can someone clarify something?

      Kaspersky says it doesn't know: "Unfortunately, we were not able to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware."

      So it could have been injected at the factory, in transit, by a rogue insider, by some other admin-level malware, etc.

      C.

    2. eldakka Silver badge

      Re: Can someone clarify something?

      In addition to @diodesign's comments, when they say "SPI flash storage soldered onto the MB", they mean the flashable UEFI firmware that can be updated via a user-initiated flashing process, but it happens to be in embedded NVRAM on the motherboard rather than add-on components such as HDD, SSD, etc. Therefore injecting this hacked firmware can be done the same as updating vendor-downloaded firmware from the vendor's website. That is, a bootable USB thumbdrive with the firmware, minimal O/S and the flashing software, or even with something like ASUS's 'flashback' functionality that can flash from a powered-off (but plugged into power) PC with just the firmware on the USB stick, no booting to even a minimal O/S required.

      So it could have been done in the factory, in transit, by someone with a couple of minutes' physical access and a USB stick after delivery, or even remotely, since these days firmware can be updated from a live, running computer's multi-user O/S such as Windows or Linux etc.

      1. DanceMan

        Does this mean that flashing the BIOS with a clean updated BIOS would remove the hack? If so, it's a good argument for updating the BIOS.

        1. Jonathan Richards 1 Silver badge

          Two things

          I'd have thought that a hack of this sophistication would have protected itself against being overwritten: the BIOS update routine must be written in the BIOS code itself, I suppose. Second thing is how careful one is going to have to be to get a certified gold-plated known good benign BIOS to re-flash.

          1. JCitizen Bronze badge

            Re: Two things

            With the old BIOS system, all I had to do was flash the BIOS with an update - the only problem was I occasionally got messages refusing to do it, saying it was an old update, and only a new one was acceptable. What would prevent a modified UEFI firmware from doing the same thing?

            I don't remember how I solved it - too many years ago; but I also discovered the malware that did it was hiding on disc sectors marked as damaged by Windows error checking, these sectors were not actually damaged, of course - the only way to destroy them was to run an OEM disc diagnostic routine that stomped on all disc space during the test. This killed anything that wasn't actually damaged. Apparently the malware was able to flag sectors as damaged much the way the disc check program did. Malware scanners didn't bother to scan those areas. Clean installing the OS didn't solve it either, for the same reason.

  2. amanfromMars 1 Silver badge

    A Greater Computerised System Interface with Practically Invisible and Intangible Virtual Leverage*

    "Unfortunately, we were not able to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware," it said.

    And one is none the wiser, and the infection vector is considerably expanded and scattered, whenever one realises the Unified Extensible Firmware Interface (UEFI) firmware effected/infected/attacked is that which is popularly and eponymously known as the Internet ..... you know, that great Global Operating Device thing which is being both used and/or abused and misused by everyone anywhere for everything and/or anything they want delivered/supplied/realised by a humanised race of robotic entities?

    * To know full well what one can easily do with that type of overwhelming advantage, very quickly has one experimenting almightily with that and those proving itself and themselves to be currently untouchable ...... which is all anyone/anything needs in order for such to be available forever rather than fearing it be just a present facility rather than realising it is a future utility with surprising alien abilities ...... and an as yet to be classified COSMIC Sourced Force?

    And you know, .... also available for AIMODification into one of those new fangled and entangling new era weapons apparently needed by Defence Staff Chiefs ....... and they be a Universally Attractive Export/Import worth more than one can possibly imagine and put a huge figure upon. And it is also a spooky fact, that such can be worth just as much to those able to develop such systems further but take a decision to halt production and limit future proprietary intellectual property transfers ........ however that sort of rewarding dichotomy is not at all unusual in the field of enriching weapons systems. Indeed, many would tell you it is the norm, and a nice little Invisible Intangible Export Earner for a carefully chosen few too.

    1. amanfromMars 1 Silver badge

      Re: A Greater Computerised System... with Practically Invisible and Intangible Virtual Leverage*

      And all of that opens up another front of possible, and therefore probable concern well enough highlighted in this tragic strategic comedy of errors skit ....... Sir Humphrey Appleby on the Proper Function of Government ........ for nothing exists in a vacuum of exclusive executive command and control nowadays, does it?

  3. David Roberts Silver badge

    Checksum? Hash?

    A quick look suggests that it is easy to find the version number of your UEFI and also to install an update.

    I haven't yet located a tool to get a checksum or hash from the manufacturer to confirm that the firmware has not been corrupted or modified.

    Should this not be part of any regular virus scan?

    Perhaps it is and I haven't noticed.

    1. David Shaw

      Re: Checksum? Hash?

      "part of any regular virus scan"

      The regular ongoing 'spam-cannon' related virus flinging that is done to my systems: some of the links, documents etc. can be detected to have a virus, or come from a domain which was heavily virally active previously.

      However, when I typically check something 'very dodgy' with virustotal.com, now owned by Google, some actual malware is only discovered by a single one of the fifty/sixty/seventy virtual environments.

      (When my Mac was hit by a JavaScript virus embedded in an email, only a single AV system detected it, 8 years later.) How can this happen? Why doesn't a regular scan detect these attacks?

      Well, the cyberattack pros have rooms with fifty/sixty/seventy PCs each running the latest AV engine, and tweak their code until no-one gets it; and/or some AV services (owned by Google, say, or Yandex) might be rather partial in their effectiveness - I see no ships!

      I still have a few scanners, run them alternately, and VirusTotal.com (owned by slurp) is still just about working.

      1. phuzz Silver badge

        Re: Checksum? Hash?

        "why doesn't a regular scan detect these attacks"

        Most virus scanners start off by just comparing the hash of a file to a list of known viruses/malware, which means that all it takes is some padding, and a virus won't be detected.

        More modern antivirus software can do some more in-depth analysis, as well as monitoring for activity which might indicate a virus (e.g., trying to modify which programs are launched at startup), but at the end of the day, most antivirus is helpless against a targeted attack.
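David Roberts asks for a way to confirm the firmware has not been modified, and phuzz notes that matching a file's hash against a blacklist is defeated by trivial padding. The defensive alternative is to compare an SPI flash dump against a known-good image from the vendor or a pristine unit, volume by volume, so any change at all is flagged and localised. The script below is an added example, not code from the article, Kaspersky or any vendor; it walks the EFI_FIRMWARE_VOLUME_HEADER layout from the UEFI PI spec ("_FVH" at offset 40, FvLength at offset 32) over a dump you would obtain with a flash programmer, and the sample images at the bottom are constructed for the demo.

```python
import hashlib
import struct

# Offsets inside EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec): FvLength (uint64) at 32, "_FVH" at 40.
FV_LEN_OFFSET = 32
FVH_OFFSET = 40
HEADER_LEN = 72  # 56-byte fixed header + one block-map entry + zero terminator (8 bytes each)

def find_volumes(image: bytes) -> list:
    """(offset, length) of every firmware volume found by its "_FVH" signature; oversize ones skipped."""
    vols, pos = [], 0
    while (sig := image.find(b"_FVH", pos)) >= 0:
        pos = sig + 4
        start = sig - FVH_OFFSET
        if start < 0:
            continue
        (length,) = struct.unpack_from("<Q", image, start + FV_LEN_OFFSET)
        if length == 0 or start + length > len(image):
            continue
        vols.append((start, length))
        pos = start + length  # resume after this volume; any "_FVH" inside it is content, not a header
    return vols

def volume_hashes(image: bytes) -> dict:
    """SHA-256 of each volume, keyed by its offset in the dump."""
    return {s: hashlib.sha256(image[s:s + n]).hexdigest() for s, n in find_volumes(image)}

def compare_to_baseline(known_good: bytes, dump: bytes) -> list:
    """Diff a dump against a known-good image volume by volume, so tampering is localised."""
    base, cur = volume_hashes(known_good), volume_hashes(dump)
    def status(off):
        if off not in cur:
            return "missing"
        if off not in base:
            return "unexpected"
        return "ok" if base[off] == cur[off] else "MODIFIED"
    return [(off, status(off)) for off in sorted(set(base) | set(cur))]

def make_volume(body: bytes, total: int) -> bytes:
    """Constructed test volume: plausible header, body, 0xFF padding (not a real vendor image)."""
    hdr = b"\x00" * 16 + b"\x11" * 16  # ZeroVector, FileSystemGuid (dummy value)
    hdr += struct.pack("<Q", total) + b"_FVH"  # FvLength, Signature
    hdr += struct.pack("<IHHHBB", 0, HEADER_LEN, 0, 0, 0, 2)  # Attributes, HeaderLength, Checksum, ExtHdrOff, Reserved, Revision
    hdr += struct.pack("<II", 1, total) + b"\x00" * 8  # block map: one block of `total` bytes, then terminator
    return (hdr + body).ljust(total, b"\xff")

# Constructed sample: a 'vendor' image and a dump whose DXE volume gained an extra driver.
KNOWN_GOOD = make_volume(b"DXE core + vendor drivers", 256) + make_volume(b"NVRAM variables", 128)
TAMPERED = make_volume(b"DXE core + vendor drivers + rogue driver", 256) + make_volume(b"NVRAM variables", 128)
```

Run `compare_to_baseline(KNOWN_GOOD, TAMPERED)` to see the first volume reported as MODIFIED while the NVRAM volume stays ok; on a real board the baseline must come from a trusted source and the dump from an external programmer, since an infected firmware can lie to software running on top of it.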

  4. YARR

    DualBIOS

    Would be helpful to know if DualBIOS offers an easy fix for these infections?

    E.g. short a motherboard jumper to reset to the factory firmware for an easy fix. Then make this a standard for all motherboards.

  5. Anonymous Coward

    Is it bigger than a bread box?

    It's common practice for the PRC to require spyware on all phones; I doubt they would overlook computers.

    If it shipped from China, who says that is not exactly how it was built, by the millions, with only the ones being found having been activated, while the rest just wait for that email/webpage/update that will trigger the spyware?
