Background Image

Blog Post

Oct 02

LoJax Malware Discovered On Laptop

The UEFI boot-loader, or Unified Extensible Firmware Interface is: An arguably superfluous step towards improving the layer of hardware abstraction recognized at boot... Which essentially means that non standard computer and rtos type systems with (strange arrays?) - might still have options for running/booting "software" in a manner consistent with ordinary boot-loaders, which are of course fairly standardized. PC hardware changes slowly enough for most operating systems engineers to write customized loading protocol within a system kernel for every target system with perhaps 2-3 exceptions for ordinary use.

It is not a surprise therefore that malware that has been theorized for over a decade should emerge in the wild - but... Lojax is still an interesting use case.

ARS Technica Excerpts

UEFI uh-oh

There have been a number of security concerns about UEFI’s potential as a hiding place for rootkits and other malware, including those raised by Dick Wilkins and Jim Mortensen of firmware developer Phoenix Technologies in a presentation at UEFI Plugfest last year. “Firmware is software and is therefore vulnerable to the same threats that typically target software,” they explained. UEFI is essentially a lightweight operating system in its own right, making it a handy place to put rootkits for those who can manage it.

(We invented plagarism?) <-- No I just can't help but admire this article and wanted to draw your attention to the wikileaks mention.

WikiLeaks’ Vault 7 files showed that the CIA apparently developed an implant for Apple's computers that used the Extensible Firmware Interface (the predecessor of UEFI) but required physical access to the targeted computer and a malicious Thunderbolt Ethernet adapter (called the “Sonic Screwdriver”). But LoJax is an entirely different animal—it was built to be deployed remotely, using malware tools that can read and overwrite parts of the UEFI firmware’s flash memory.

“Along with the LoJax agents,” ESET researchers noted, “tools with the ability to read systems’ UEFI firmware were found, and in one case, this tool was able to dump, patch and overwrite part of the system’s SPI flash memory. This tool’s ultimate goal was to install a malicious UEFI module on a system whose SPI flash memory protections were vulnerable or misconfigured.”

Because of variations in the implementation of UEFI, those sorts of memory protection issues—the very sort of thing Wilkins and Mortensen warned of—have been entirely too common. And ESET researchers found at least one confirmed case of a successful deployment of LoJax.

So that is pretty normal these days right?

To make matters worse I'll link to the example info on NetScout which was the same article cited by Ars Technica because it's pretty darn good.

This part is all me though, below this line.

Prevent this in production environments by enabling legacy boot and using it where possible. Yes you can generally disable uefi  and no you don't "need to do this" but if you have serious concerns that you may have a malware infection related to UEFI just figure that you can and possibly should do this and reinstall an OS using legacy boot-loading.

Now a video about this:


Add Comment:
Please login or register to add your comment or get notified when a comment is added.
1 person will be notified when a comment is added.