Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Hacking Team's malware uses UEFI rootkit to survive OS reinstalls

Lucian Constantin | July 15, 2015
Surveillance software maker Hacking Team has provided its government customers with the ability to infect the low-level firmware found in laptops and other computers that they wanted to spy on.

hackingback

Surveillance software maker Hacking Team has provided its government customers with the ability to infect the low-level firmware found in laptops and other computers that they wanted to spy on.

The company developed a tool that can be used to modify a computer's UEFI (Unified Extensible Firmware Interface) so that it silently reinstalls its surveillance tool even if the hard drive is wiped clean or replaced.

UEFI is a replacement for the traditional BIOS (Basic Input/Output System) and is meant to standardize modern computer firmware through a reference specification. But there are multiple companies that develop UEFI firmware, and there can be significant differences between the implementations used by PC manufactures.

Hacking Team developed a method for infecting the UEFI firmware developed by Insyde Software, a Taiwanese company that counts Hewlett-Packard, Dell, Lenovo, Acer and Toshiba among its customers, according to security researchers from antivirus vendor Trend Micro.

"However, the code can very likely work on AMI BIOS as well," the Trend Micro researchers said in a blog post. AMI BIOS refers to firmware developed by American Megatrends, a long-time BIOS market leader.

Trend Micro found details about the UEFI rootkit in the more than 400GB worth of files and emails that were leaked recently from Milan-based Hacking Team by a hacker. For the past week, security researchers and journalists have been sifting through the data uncovering malware source code, client lists, exploits for unpatched vulnerabilities and more information.

A Hacking Team slideshow presentation suggests that installing the UEFI rootkit requires physical access to the target computer, but remote installation can't be ruled out, the Trend Micro researchers said.

Gaining temporary physical access to some computers wouldn't be a big problem for government agencies, because many countries have laws that allow the inspection of laptops and other devices at their borders.

Hacking Team refers to its surveillance software as "the hacking suite for governmental interception" and claims to sell it only to government agencies. Even so, most antivirus vendors detect the highly intrusive software, which is known as Remote Control System (RCS) or Galileo, as malware.

To install the RCS UEFI rootkit, an attacker must reboot the system into the UEFI shell, extract the firmware, write the rootkit to the dumped image and then flash it back to the system, the Trend Micro researchers said.

The rootkit itself has three modules: one for reading and writing to NTFS file systems; one for hooking the OS boot process; and one that checks if RCS is present on the system.

The rootkit checks for the existence of two software agents called scout.exe and soldier.exe every time the system is rebooted. If they don't exist, it installs scout.exe at a predefined location inside the OS, the Trend Micro researchers said.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.