Malware in firmware: how to exploit a false sense of security

Discussion in 'malware problems & news' started by Minimalist, Oct 19, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,376
    Location:
    Slovenia
    https://www.welivesecurity.com/2017/10/19/malware-firmware-exploit-sense-security/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,549
    Location:
    U.S.A.
    :thumb:
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,376
    Location:
    Slovenia
    Do you know how they do it and which component is responsible for it?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,549
    Location:
    U.S.A.
    I posted an inquiry on the Eset Forum web site. When I get a response, I'll copy it in this thread.
     
  5. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,615
    Location:
    Europe then Asia
    The chance of getting hit by a bioskit is quite low especially when the malware has to be "compatible" with the BIOS to exploit it, not the everyday malware.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,549
    Location:
    U.S.A.
    Eset responded that the feature will be available in the upcoming ver. 11 which hasn't been released yet. So will have to wait till it is released for further operational details.

    I suspect it will be part of the realtime scanner startup scan that runs by default at boot time. Also, Eset has Device protection that scans any external device upon connection. So it might be included within that module. Eset's Device protection has some elaborate configuration options which allow the device to be completely locked down if so desired.

    Another possibility is to force load its device driver prior to any other driver that loads at boot time and use that driver to scan the BIOS and other drivers as they load.
     
    Last edited: Oct 20, 2017
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,549
    Location:
    U.S.A.
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,376
    Location:
    Slovenia
    Thnx for update. Will wait for more information as v.11 gets released.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,549
    Location:
    U.S.A.
    Suspect Eset will be interfacing with Window SMM Security Mitigation Table aka WSMT which was implemented in Win 10 1607. Interesting read on WSMT here: http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,044
    I am closely following this thread and have what is likely a pervasive question for others as well. I/we would all love to secure the code if we could derive a way to run it independently of ESET. A free standing script-program-code that could accurately examine the firmware on our machine for any invasion or malware. I have always been concerned with "things" messing with my start up as a way to sneak aboard. This is one reason I mount all my linux systems with a removable /boot flash drive. Then I extract the flash before heading to any internet or workspace. The firmware would be one step back even from /boot files. [popcorn - with butter]
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,800
    I have been trying to learn of a way to do that for years, I thought it was not possible.
     
  12. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    571
    Location:
    Member state of European Union
    I think that if somebody wants to be 100% sure there is legitimate firmware inside his motherboard, he/she should reprogram hardware with spi flash programmer or something similar. I didn't do that, though.
    Diagnosing firmware being on the ring 0 or ring 3 level is just a cat-and-mouse game and attackers are going to be usually one step ahead in this game.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,549
    Location:
    U.S.A.
    Kaspersky has a product that has been in existence for a few years: https://www.kaspersky.com/about/pre...s-world-s-first-anti-malware-product-for-uefi and https://usa.kaspersky.com/antivirus-for-uefi .

    As far as I am aware of, it is a ROM chip based solution Kaspersky licenses to its OEM partners. Primarily designed for security sensitive corp. environments. Eset is the first to offer UEFI BIOS protection as a software solution integrated in its retail and endpoint products.

    -EDIT- With reference to the Kaspersky "red herring" thread if I wanted an undetectable intelligence hack, this is where I would go. Since OEM's are actually "burning" the code to the ROM chip, nothing to stop them from adding other assorted spying goodies at the same time.
     
    Last edited: Oct 23, 2017
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,549
    Location:
    U.S.A.
    Eset v11 English ver. has been release and I just recently installed it.

    Eset tech details on it still don't exist and in reality may never be published. Eset is "tight lipped" on its proprietary technology. For example, very few details exist on its botnet protection. There is some info here that shows the alert you will receive if UEFI malware is detected: https://support.eset.com/kb6564/#UEFIScanner . Notable is it is a scanner only and will not remove any UEFI BIOS malware.

    I also found that Intel Security aka now McAfee again, developed a UEFI BIOS scanner that they released as open source on GitHub as part of Chipsec: https://github.com/chipsec/chipsec . This utility will compare a saved ver. of your UEFI BIOS to the current ver..
     
  15. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    571
    Location:
    Member state of European Union
    It's worth to distinguish between bootkit and firmware implants. Given that UEFI is standard (not to mention that most commercial implementations share the same parts of open-source reference UEFI implementation) bootkits can be not so victim-specific.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,549
    Location:
    U.S.A.
  17. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,800
    I wouldn't be so sure, there are not that many motherboard manufacturers, I think their BIOS versions span entire product lines.
    Anyone capable enough could modify the downloadable flash bios updates from all of them.
    The attack could consist of an initial malware infection that first compromises the system, then queries that system for its motherboard and bios info then downloads the appropriate poison bios version from the malware creators server and installs it.
    A nation state actor would have the resources to develop such an attack.
     
  18. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,615
    Location:
    Europe then Asia
    In theory you are right but in practice, i don't believe you or i would be a target worth of the cost developing such malware.
     
  19. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,800
    No, we wouldn't, but once it had been developed, to be used on who or what was considered to be a high value target, the cost of using it thereafter on others would be minimal.
     
  20. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    571
    Location:
    Member state of European Union
    I don't know how it worked when BIOS was around, but actually UEFI can refuse to update because there could be some issues with digital signature of update. Infected UEFI could use that to justify not to update itself with legitimate UEFI provided by manufacturer.
     
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,630
    Location:
    UK
    Given the lack of trust and asymmetry in the costs that are borne, this is a huge problem - automated attack tools based on grotty selectors and minimal oversight.

    Even worse, there's a lifetime to these things where their unique/NOBUS value becomes degraded (maybe 6 months now?) - and from there it progresses to other nation states, nasty attack tool vendors, to virtual open hacker source.
     
  22. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    571
    Location:
    Member state of European Union
    Google is trying to replace some of it's firmware inside servers with more trusted open source components.
    Slides from Embedded European Linux Conference:
    https://schd.ws/hosted_files/osseu17/84/Replace UEFI with Linux.pdf
    Page 12:
     
    Last edited by a moderator: Oct 31, 2017
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.