Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Hacking Team's malware uses UEFI rootkit to survive OS reinstalls

Lucian Constantin | July 15, 2015
Surveillance software maker Hacking Team has provided its government customers with the ability to infect the low-level firmware found in laptops and other computers that they wanted to spy on.

The possibility of installing rootkits into a computer's BIOS or UEFI firmware has been demonstrated by multiple researchers at security conferences over the past several years. However, known cases of such rootkits being used in the wild are extremely rare.

A search through the email communications leaked from Hacking Team reveals that the company's engineers have kept an eye out for every article and research paper on BIOS and UEFI hacking written since 2009. This includes blog posts on cracking BIOS passwords, papers on defeating signed BIOS enforcement and leaked documents about the U.S. National Security Agency's BIOS infecting capabilities.

The emails also show that the company's research and development team was working on the "persistent UEFI infection" feature since at least mid-2014. On September 9, a customer from INTECH-Solutions, a German vendor of "technology and solutions for law enforcement and intelligence agencies" had already inquired about a list of computers for which the persistent infection feature worked.

"We are sorry, we have not a list of Computer Models where the persistent UEFI infection works well," a Hacking Team employee responded. "We tested the last series of Acer with UEFI boot. We are working to support other models like Asus but at the moment we can't provide you a date of that release."

In December, Hacking Team's Operations Manager Daniele Milan asked a senior security engineer for clarifications on the feature in order to answer potential customer inquiries.

The engineer responded that the feature was tested successfully on Dell Latitude 6320, Dell Precision T1600, Asus X550C and Asus F550C. It also worked on Toshiba Satellite C50 and the Acer Aspire E1-570, but with a higher risk of failure.

In principle, the software works on all laptops, workstations and servers with 64-bit CPU architectures that support Windows 7 and Windows 8 Pro, the engineer said.

In a later email, he mentioned that the "chiavetta" also works on Dell servers. Chiavetta means key in Italian, but it's also widely used to refer to USB thumb drives, giving a hint about how the UEFI rootkit can be deployed.

To prevent such infections, Trend Micro advises users to enable the UEFI SecureFlash option, to set up a BIOS/UEFI password and to update the firmware to its latest version so that it has the latest security patches. UEFI/BIOS updates are usually distributed by computer manufacturers through their support websites and some of them do fix issues identified by security researchers.


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.