I was reading this article https://www.networksasia.net/article/uefi-101-and-why-you-need-it-scanned.1511162171 and it got me thinking it would not be a bad idea to add a UEFI anti-malware scanner to my security configuration. It looks like ESET has them built in to their products now, what other UEFI anti-malware scanners are available or are there?
It's worth to distinguish between bootkit and firmware implants. ESET provides tool for bootkit detection. You can't reliably scan firmware implants from some software running on top of infected motherboard. You just don't. You would have to use other computer and flash programmer to read firmware directly from motherboard storage and then scan it. This kind of penetration up to hardware level and resistance against detection is the whole point why would anyone bother with writing firmware implants.
By the same token, the bad guy would have to jump through similar hoops to infect the UEFI in the first place. The point being, the bad guy would need physical access to the computer either directly, or by somehow tricking the user into connecting compromised hardware to his computer, or perhaps through an inside hack-job at the chipset/UEFI/motherboard factory. Of course, anything is possible. The question becomes, how likely? And frankly, it is not very. So, sorry! But I think that researcher is blowing smoke. Did you notice he works for ESET? My advice is to stick with name brand motherboards (like Gigabyte, ASUS, and MSI). Buy new from a reputable dealer. Keep your OS fully updated. Use an anti-malware solution and keep it current. If possible, park your computers behind a NAT router. And of course, don't be "click-happy" on unsolicited downloads, links, attachments and popups.
No, he/she just needs skill and time to reverse-enginer UEFI firmware and write implant. A lot of low-level job, but can be done and this was done before. After infection disabling updates and security checks is the easiest part. Some say this is only for high-value targeted attack, but motherboard models are sold in hundreds of thousands or millions units. Once implant is written, can be leaked to other criminals. Not to mention commercially used UEFI is not written from scratch be each vendor, but have a lot of common code from open-source reference implementation.
No! I guess I wasn't clear enough for you are missing the point. I never said or implied "writing" the malicious code would be difficult. Everything I said, including the part you quoted, makes it clear the difficulty is to actually infect the targeted machine. The bad guy cannot sit at his computer at FIS HQ in Moscow, in China, North Korea or wherever and infect our UEFI systems over the Internet. There has to be some physical connection at some point to insert that code. As you correctly noted, "You would have to use other computer and flash programmer to read firmware directly from motherboard storage and then scan it." The bad guy would have to do the same to actually insert his [easily written] malicious code directly to the motherboard. Well sure! "After" I break into the bank and crack the safe, stealing the money is the easy part.
This can be done remotely. The most probable scenario: Firstly infect user's working account. Gain root/administrator privileges in this system. Then you can communicate with UEFI firmware. You can't directly write to motherboard memory yet, but you can communicate at this point. This communication is used for example for update process. Through vulnerability in this implementation in UEFI, update motherboard with malicious update. Malicious update would be locked to to prevent any further updates, but besides then it would try to behave in not suspicious way. Of course adversary could screw up and UEFI would indeed behave in suspicious way, but it would be really hard to detect that.
Not yet! Come on! You are not being realistic. First, break into the bank (without setting off any alarms). Then crack open the vault (without setting off the alarms or waking the security guard). Then replace all the money with bags of counterfeit money you somehow lugged into the bank without the security cameras, laser beams, motion and heat detectors noticing. Then sneak out of the bank, load up the van with the genuine money and get away - again without anyone noticing. Is it possible? Yes. I might win the lottery tonight too. This hype reminds me of all the scare tactics we used to see about BIOS viruses too. Were they out there and was it possible to infect BIOS firmware (which is MUCH LESS secure than UEFI)? Yes. But did it happen? In labs. BIOS malware affecting consumers (you and me) was so rare, it was not a concern. I am NOT saying this threat can be ignored. No threat can be ignored. And for sure, UEFI and motherboard makers and OS developers are not ignoring it either. Neither are anti-malware developers. For these reasons, we don't need any dedicated software to detect and prevent such infestations. What we need is what I've been saying all along. We need to keep our systems current, use a current anti-malware solution and don't be click-happy. It is important to remember the user is, was, and always will be the weakest link in security. If the user opens the door and lets the bad guy in, even the best security system in the world is quickly defeated.
I figured it would be as easy as downloading and installing a program and that had hidden malware and during the install process secretly sets up something to flash the bios at the next re-boot or opening a e-mail that installs something that does the same thing.
IF you don't use current anti-malware, IF you don't keep your OS current, IF and you don't download your programs from reliable sources, then sure, it would be that easy.
Each implementation of UEFI has much more lines of code than BIOS few years ago. It is also more powerful and interacts with OS more often than BIOS. It has more resources (memory at motherboard) at its disposal. PCs motherboards now are much less diversified. I mean a little time ago there were more chipsets manufacturers for example NVIDIA produced nForce chipsets. A lot of things on motherboard came from different manufacturers: built-in audio chips, network chips. So BIOS was smaller, but more diverse. Today Intel implements its all in its PCHs and processors. This all comes to conclusion that it is easier to write generic framework for creating firmware implants.
Again you miss the point - or just choose to turn a blind eye to it. You also assume OS and UEFI developers, as well motherboard manufacturers are not aware of the threats and are doing nothing about it. Writing code is the easy part. Getting the code past all the security measures and into the firmware components is nothing near as simple as you appear to believe and apparently want everyone else to believe. A bad guy can easily steal my computer. All he has to do is get past my security cameras, break through my locked and dead bolted doors, past my two dogs that can hear a leaf fall 100 yards away, and past my locked and loaded Glock 17. Piece of cake. If you want to load up your computer with even more and more layers of security you don't really need, go for it. But please don't try to convince every one else they do. Because they don't.
Problem with firmware it is abandoned by vendor much sooner than OSes (at least OSes for PC) than it's vendors and you can't update to newer version. It is also more low-level and thus it doesn't have protections such as ASLR, DEP (W^X). Not to mention security practices are much less commonly followed. Intel seemed to be exceptional, then vulnerability described by INTEL-SA-00075 became discovered. I am really much more confident in Microsoft and some Gnu/Linux distros (RHEL, Debian) to offerr me security updates rather than my laptop/motherboard manufacturer. Problem with that is OS vendors can only patch OS, not the firmware. I am closer to being software minimalist, than to load computer with a bunch of security software. I know that this threat for average person is not going to be as common as let's say banking trojans, but scary part of this is that it's really stealthy form of infection. In the past one could just wipe HDD with 500GB of data from /dev/zero, install new OS and be confident PC is not infected, at least for some time. Now even power users and professional administrators couldn't be confident.
No, but they are working together so again, the threat (for now) is nothing near what you make it out to be. So I say again, we do not need any additional security programs to protect us from this threat potential (though unlikely) threat.
All these IFs are quite common already, zero day malware is common that is not detected by signature based security software, malware able to infect updates OS is not uncommon, unwanted software caming bundled with legitimate software, social tricks, legit siftware sources beong infected are all well established scenarios. On top of that millions of firmware can be infected at factory level as well.
Not really. Not with modern Windows. It is more common with users who think they are smarter than Microsoft and who dink with the default settings. Otherwise, the OS stays current. Same with the security software. And no 1/2 way decent anti-malware program uses only signature based detection methods these days. So you are dredging up a 10-month dormant thread thumbd: ) in some attempt to use extreme exceptions to make your case. Exceptions don't make the rule. Unwanted software being bundled means nothing. Unwanted does not mean malicious. Yes it is. In fact, it is so rare, I am not aware of a single Windows update distributed by Microsoft that contained any malicious code. It is extremely rare for firmware to be infected at the factory too. So PLEASE do not dredge up dormant threads to post such inaccurate or extremely rare scenarios. Just because a meteor might fall on your head, that does not mean you stay inside.
In our forum we had a user "infected" with EFI/CompuTrace.A. kaldata.com/forums/topic/270396-%D0%B2%D1%8A%D0%B7%D0%BC%D0%BE%D0%B6%D0%B5%D0%BD-uefi-%D0%B2%D0%B8%D1%80%D1%83%D1%81/ He tried to disable the CompuTrace module in the BIOS but that didn't help. He flashed the BIOS with a version without CompuTrace and he installed the updates for the Intel ME firmware as well to fix the issue. But now Lojax appeared in the wild (based on the Lojack anti-thief software). welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group Make sure to enable the Secure Boot to harden the system against such attacks. docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process
Hi, We have a separate thread about Lojax: https://www.wilderssecurity.com/thr...the-wild-courtesy-of-the-sednit-group.408641/ As for CompuTrace : itman posted in that thread about it. Lets continue about Lojax in that thread, if you don't mind.
If zero day malware was not common AV industry might have been out of business already. Also I know the antimalware use much more techniques in addition to signatures but it is not new and still they fail with new malware. Regarding how common UEFI makes might become, only time will tell. I am not worried how common it can be, I am worried that it will be really stealthy. And regarding the dormant threads you can really let them, I really don't care about them.
It was not your thread to dredge up. If you wanted to make a new point, you should start your own new thread for your own discussion. That's just plain proper forum etiquette. Plus, you then get the dedicated attention you deserve too.
