New Russian Malware Can Embed Itself in PC Firmware

The new malware is called LoJax because it infiltrates a computer’s firmware in a manner similar to the popular LoJack security software.

FancyBear.hackers

Researchers at security company ESET say that they have found a new type of malware that embeds itself into a computer’s firmware, where it eludes discovery and from where removal is very difficult. The firmware can withstand all normal methods of discovery, it can’t be removed by anti-malware products, and it will survive the reinstallation of an operating system or even the replacement of the computer’s hard disk.

Once it’s in the computer, the malware can do pretty much whatever its creators want it to do. It can funnel information to a remote location, it can install ransomware or it can install other types of malware that if they’re removed can simply be installed again by the LoJax malware.

The malware gets its name from the LoJack anti-theft security software. LoJack, from Absolute Software, also installs itself into the computer’s firmware so that if the computer is stolen, it’s difficult to prevent it from working. With LoJack installed, a stolen computer can report its position back to its owner so that it can be recovered.

LoJax Tied to Russian Fancy Bear Hacking Group

The LoJax software, developed by Russian hacking group Fancy Bear, which has been tied to the Russian intelligence organization, works by using a series of tools developed by the Russians that first examine the code running in the victim computer’s UEFI (the uniform extensible firmware interface), to determine if it can be infiltrated. If it can, then the malware loader copies the code, adds its own malware and then flashes the computer’s firmware to embed the code.

The report from ESET doesn’t say specifically how the LoJax sample managed to infect the computer where it was found, nor does it provide a location beyond saying that it was part of an attack in Africa and Eastern Europe. However, it does provide specific characteristics of the computers that are subject to being attacked and recommendations for avoiding and removing an attack.

First, the LoJax malware is unable to attack recent versions of computer firmware, meaning that if you keep your firmware updated, you’re unlikely to be a victim. Considering that many computer and system board manufacturers have released firmware updates to help protect against other problems including the recent Spectre and Meltdown vulnerabilities, the firmware in many computers may already be updated.

Needs Older Chipsets With Vulnerabilities

Second, the malware requires older chipsets with unpatched vulnerabilities. If you’ve also recently updated your chipset firmware, you may be protected.

In addition, the malware isn’t signed, which means that if you’re running Secure Boot on your machines, it’ll detect the malware. This is because when SecureBoot runs, it examines the firmware in detail for signs of tampering, and if it finds evidence of tampering, it won’t load the firmware. ESET strongly recommends implementing SecureBoot on all of your systems.

Once the malware is discovered, the ESET folks have three suggestions about eliminating it. The first is to reflash the firmware. The second is to replace the system board, and the third is to simply replace the computer. As noted earlier, simply installing a new operating system or a new hard drive won’t solve the problem.

“The other part of firmware security is in the hands of UEFI/BIOS vendors. The security mechanisms provided by the platform need to be properly configured by the system firmware to actually protect it,” the ESET team said in its recommendations. “Thus, firmware must be built with security in mind from the ground up. Fortunately, more and more security researchers are looking at firmware security thus contributing to improve this field and raise awareness of firmware vendors.”

A Threat to Be Taken Seriously

Most fairly modern computers are in fact built with security in mind, making the current LoJax malware less of a threat than it might be. But that does not mean that LoJax isn’t a threat to be taken seriously. The creators of the malware may find a way around current firmware security. In addition, there’s no guarantee that all system boards are built with such security.

Fortunately, one of the concerns put out by the ESET team is less of a problem than it once was. These days, reflashing your firmware isn’t particularly arduous, and it’s mostly automated. The way you accomplish it by visiting the website of your computer or system board manufacturer, downloading the new version of the firmware and then running the self-installer.

Most such firmware comes in a package that, once downloaded, self-extracts, then runs. When it runs, it sets up the install, it checks the current version of the firmware, and then it starts the flashing process. All you have to do is watch and not turn off the computer. The whole process takes less than 10 minutes.

On the other hand, the current LoJax malware is only the beginning. Now that the Fancy Bear team knows it can infect computers in the wild, it can attempt to do more. This means that once the Russians figure out how to infect specific computers as needed, the risk grows enormously. And right now, finding this malware—much less fighting it—is also just at the beginning stages.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...