Tag Archive for: bootkit

New ESPecter UEFI Bootkit Discovered


Researchers have uncovered a new UEFI bootkit that can infect machines running Windows 7 through Windows 10 and persist on the EFI System Partition (ESP) by replacing the legitimate Windows Boot Manager with a patched, malicious copy.

The new malware is called ESPecter. It is somewhat similar to, but unrelated to, another UEFI bootkit named FinSpy that Kaspersky disclosed last week. ESPecter's origins stretch back to at least 2012, and it has a number of interesting capabilities, including bypassing Windows Driver Signature Enforcement to load a malicious, unsigned driver as part of its infection process. ESPecter's initial infection vector isn't clear at this point, but researchers at ESET, who discovered the malware, believe it is mainly used for information stealing and espionage, and said it may have Chinese authors.

UEFI is the successor to the legacy BIOS and is the first code that runs when a machine powers on. UEFI bootkits are rare, and most of those identified in the wild have been SPI flash implants, which live in the firmware chip itself, rather than ESP implants, which live as files on the EFI System Partition. The purpose of both types of UEFI malware is to gain control of the lowest level of the machine's boot process and remain hidden and persistent without any obvious signs of compromise. In the case of ESPecter, this is achieved by patching the Windows Boot Manager, the component the UEFI firmware hands control to after its own initialization and which in turn loads the Windows kernel. Because patching a signed boot manager invalidates its Authenticode signature, an implant of this kind relies on Secure Boot being disabled or otherwise not enforced.
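A practitioner-side check for this class of implant, added here as an example and not taken from ESET's report or the article: from an elevated PowerShell prompt, mount the ESP, verify that bootmgfw.efi still carries a valid Microsoft Authenticode signature, and flag any other .efi binary on the partition whose signature does not verify. The drive letter S: and the default EFI\Microsoft\Boot path are assumptions about the host layout. A patched boot manager shows up with status HashMismatch, because the file contents no longer match the hash that Microsoft signed.

```powershell
# Added example (not from the article or ESET): integrity check of the ESP-resident
# Windows Boot Manager. Run elevated. Assumes S: is a free drive letter and the
# default ESP layout EFI\Microsoft\Boot\bootmgfw.efi.

$EspLetter = 'S:'
$BootMgr   = "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"

# mountvol /S assigns a drive letter to the EFI System Partition.
mountvol $EspLetter /S
if (-not (Test-Path $BootMgr)) { throw "Boot Manager not found at $BootMgr" }

try {
    # Authenticode verification: a byte-patched PE fails with HashMismatch,
    # an unsigned replacement with NotSigned.
    $sig = Get-AuthenticodeSignature -FilePath $BootMgr
    [pscustomobject]@{
        File   = $BootMgr
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Algorithm SHA256 -Path $BootMgr).Hash
    }
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "bootmgfw.efi is not a validly signed Microsoft binary - investigate"
    }

    # Every EFI binary on the partition should verify; report any that do not.
    Get-ChildItem -Path "$EspLetter\" -Filter *.efi -Recurse -Force |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($s.Status -ne 'Valid') {
                Write-Warning ("Unsigned or tampered EFI binary: {0} ({1})" -f $_.FullName, $s.Status)
            }
        }

    # Secure Boot would reject a tampered boot manager; report whether it is on.
    # Confirm-SecureBootUEFI throws on legacy-BIOS hosts, hence the try/catch.
    try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
    catch { "Secure Boot state unavailable: $_" }
}
finally {
    # Always release the drive letter, even if a check above threw.
    mountvol $EspLetter /D
}
```

This catches tampering that lives as files on the ESP only. An SPI flash implant sits below the partition and is invisible to filesystem-level checks; it requires dumping the firmware image and comparing it against a known-good build from the vendor.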

“By patching the Windows Boot Manager, attackers achieve execution in the early stages of the system boot process, before the operating system is fully loaded. This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup,” Martin Smolár and Anton Cherepanov of ESET wrote in their analysis of the malware.


“This driver then injects other user-mode components into specific system processes to initiate communication with ESPecter’s C&C server and to allow the attacker to take control of the compromised machine by downloading and running additional malware or executing C&C commands.”

One of…


World’s first (known) bootkit for OS X can permanently backdoor Macs

Securing Macs against stealthy malware infections could get more complicated thanks to a new proof-of-concept exploit that allows attackers with brief physical access to covertly replace the firmware of most machines built since 2011.

Once installed, the bootkit—that is, malware that replaces the firmware normally used to boot Macs—controls the system from the very first instruction. That lets the malware bypass firmware passwords and the passwords users enter to decrypt hard drives, and preinstall backdoors in the operating system before it starts running. Because it is independent of the operating system and hard drive, it survives both reformatting and OS reinstallation. And because it replaces the public key Apple uses to verify that only authorized firmware runs on Macs, there are few viable ways to disinfect an infected boot ROM. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no way to detect them, either.

The malware has been dubbed Thunderstrike, because it spreads through maliciously modified peripheral devices that connect to a Mac's Thunderbolt interface. When plugged into a Mac that is in the process of booting, the device supplies what's known as an Option ROM, code that the extensible firmware interface (EFI) loads and executes while it initializes the hardware and provides other low-level functions before loading the OS. The Option ROM replaces the RSA public key Macs use to verify that only authorized firmware updates are installed. From there, the Thunderbolt device can install malicious firmware that can't easily be removed by anyone who doesn't hold the private key matching the new public key.



Ars Technica » Technology Lab