What you need to know about UEFI malware

What else you need to know

UEFI rootkits – from theory to a real threat

UEFI rootkits, the hackers’ Holy Grail, were long feared but none were ever seen in the wild – until ESET discovered a campaign by the infamous Sednit APT group. Some UEFI rootkits have been presented at security conferences as proofs of concept; some are known to be at the disposal of governmental agencies. However, until August 2018, no UEFI rootkit was ever detected in a real cyberattack.

The above-mentioned Sednit campaign used a UEFI rootkit that ESET researchers named LoJax. ESET’s analysis of the campaign is described in detail in the “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper. More information about UEFI-related security can be found at ESET’s security blog, WeLiveSecurity.

Security risks of firmware, UEFI, rootkits

The computer code that starts right after the computer is turned on and has the ultimate power over the computer’s operating system (and thus the whole machine) is called firmware. The standard – think of it as a set of rules – for how the firmware behaves is called UEFI (Unified Extensible Firmware Interface), which was preceded by a standard called BIOS. Firmware and UEFI are often linked together and called UEFI firmware.

A rootkit is a dangerous malware designed to gain “illegal” and persistent access to what is otherwise not allowed. Typically, a rootkit also masks its existence or the existence of other malware.

A UEFI rootkit is a rootkit that hides in firmware, and there are two reasons these types of rootkits are extremely dangerous. First, they are very persistent: able to survive a computer’s reboot, re-installation of the operating system and even hard disk replacement. Second, they are hard to detect because the firmware is not usually inspected for code integrity. ESET security solutions are an exception. Learn more about UEFI scanning and why you need it.

Malicious UEFI firmware is a nightmare for anyone concerned with IT security, very damaging and difficult to detect

Jean-Ian Boutin, Senior Malware Researcher at ESET

How ESET protects from malicious UEFI firmware

ESET is the only major internet security provider to add a dedicated layer, ESET UEFI Scanner, that is designed to detect malicious components in the firmware.

ESET UEFI Scanner is a tool which makes firmware available for scanning. Subsequently, the firmware’s code gets scanned by malware detection technologies. ESET customers can scan their computer’s firmware regularly or on-demand. Most of the detections are labeled as Potentially Unsafe Applications – a code that has broad power over the system and therefore can be misused. The very same code may be completely legitimate if the user or an administrator know about its presence, or it may be malicious if it was installed without their knowledge and consent.

Naturally, since the discovery of the first cyberattack using a UEFI rootkit, ESET customers equipped with the ESET UEFI Scanner can also detect these malicious modifications.

As for remediation, it is out of the reach of a typical user. In principle, re-flashing the chip with a clean firmware always helps. If this is not possible, then the only remaining option is replacing the computer’s motherboard.

Looking for ESET's UEFI scanner?
Access it now with a free ESET 30-day trial.

For home

For business

Frequently asked questions

ESET is the only vendor among the Top 20 endpoint security solutions vendors (by revenue) that provides users with UEFI scanning technology implemented in its endpoint protection solutions. While some other vendors may have technologies with “UEFI” in their names, their purpose is different than what a true firmware scanner should do.

Being the only vendor offering UEFI scanning illustrates ESET’s approach to protection. UEFI firmware-facilitated attacks are sporadic, and up to now, they were mostly limited to physical tampering with the target computer.

However, such attacks have the potential to take over complete control of computers and networks. Any data (files, videos, microphones, etc.) on the computer or network it's connected to can be stolen or hijacked for the attacker's own use. So ESET decided to invest in the ability to protect its customers from UEFI firmware-facilitated attacks.

The recent discovery of LoJax, the first-ever UEFI rootkit detected in a real computer attack, shows that UEFI rootkits may become a regular part of advanced computer attacks.

Fortunately, thanks to the ESET UEFI Scanner, our customers are in an excellent position to spot such attacks.

In short, scanning the firmware is the only way to spot modifications in it. From the security point of view, the corrupted firmware is extremely dangerous as it is hard to detect and able to survive security measures such as operating system reinstallation, and even a hard disk replacement.

It is possible that firmware might get compromised at the stage of manufacturing of the computer or during its shipping, or via reflashing the firmware if the attacker gains physical access to the device. But as the recent ESET research shows, it could also be compromised via a sophisticated malware attack.

Usually, the firmware is not accessible to security solutions for scanning and as a result, security solutions are designed only to scan disk drives and memory. To access the firmware, a specialized tool (a scanner) is needed.

The UEFI scanner is a module in ESET security solutions whose sole function is to read the content of the UEFI firmware and make it accessible for inspection. The ESET UEFI Scanner makes it possible for ESET’s regular scanning engine to check and enforce the security of the pre-boot environment.

ESET security solutions with capabilities boosted by the UEFI scanning technology are designed to detect suspicious or malicious components in the firmware and report them to the user.

Once a suspicious or malicious component is detected in the firmware, the user is notified so that they can take the right steps.

Under one scenario, there is nothing wrong with the detections – the suspicious component may belong, for example, to an anti-theft solution designed for maximum possible persistency in the system.

Under another scenario, however, there is no legitimate reason for the discovered non-standard component’s presence in the firmware. In such a case, remediation actions must be taken.

Unfortunately, there are no easy ways of cleaning the system to remove such a threat. Typically, the firmware needs to be reflashed to remove the malicious component. If reflashing the UEFI is not an option, the only alternative is to change the motherboard of the infected system.

ESET’s discovery is described in full in a blog post and a white paper published at ESET’s security blog, WeLiveSecurity.

In short, the ESET researchers, led by Jean-Ian Boutin, ESET Senior Researcher, combined their in-depth knowledge of the Sednit APT group, telemetry data from ESET detection systems, and a previous discovery by their peers at Arbor Network. As a result, they discovered a whole new set of tools for cyberattacks, including the first in-the-wild UEFI rootkit.

Sednit, operating since at least 2004 and also known as APT28, STRONTIUM, Sofacy and Fancy Bear, is one of the most active APT (Advanced Persistent Threat) groups. Such groups are known to conduct cyber espionage and other cyberattacks on high profile targets.

The Democratic National Committee hack that affected the US 2016 elections, the hacking of global television network TV5Monde, the World Anti-Doping Agency email leak, and many others are believed to be the work of Sednit.

This group has a diversified set of malware tools in its arsenal, several examples of which ESET researchers have documented in their previous white paper as well as in numerous blog posts on WeLiveSecurity. The discovery of the LoJax UEFI rootkit shows that the Sednit APT group is even more advanced and dangerous than was previously thought, according to Jean-Ian Boutin, the ESET senior malware researcher who led the research into the recent Sednit campaign.

As for attribution, ESET does not perform any geopolitical attribution. Performing attribution in a serious, scientific manner is a delicate task that is beyond the scope of our security researchers. What ESET researchers call “the Sednit group” is merely a set of software and the related network infrastructure, without any correlation with any specific organization.