    New Russian Malware Can Embed Itself in PC Firmware

    By Wayne Rash, September 28, 2018

      Researchers at security company ESET say they have found a new type of malware that embeds itself in a computer’s firmware, where it eludes discovery and is very difficult to remove. The malware withstands all normal methods of discovery, can’t be removed by anti-malware products, and survives reinstallation of the operating system or even replacement of the computer’s hard disk.

      Once it’s in the computer, the malware can do pretty much whatever its creators want it to do. It can funnel information to a remote location, install ransomware, or install other types of malware that, if they’re removed, can simply be installed again by the LoJax malware.

      The malware gets its name from the LoJack anti-theft security software. LoJack, from Absolute Software, also installs itself in the computer’s firmware so that if the computer is stolen, it’s difficult for the thief to disable it. With LoJack installed, a stolen computer can report its position back to its owner so that it can be recovered.

      LoJax Tied to Russian Fancy Bear Hacking Group

      The LoJax software, developed by the Russian hacking group Fancy Bear, which has been tied to Russian intelligence, works by using a series of tools developed by the Russians. These tools first examine the code running in the victim computer’s UEFI (Unified Extensible Firmware Interface) to determine whether it can be infiltrated. If it can, the malware loader copies the firmware code, adds its own malware and then flashes the computer’s firmware to embed the modified code.

      The ESET report doesn’t say specifically how the LoJax sample managed to infect the computer where it was found, nor does it give a location beyond saying that it was part of an attack in Africa and Eastern Europe. It does, however, describe the characteristics of the computers that are susceptible to attack, and it gives recommendations for preventing an attack and removing the malware.

      First, the LoJax malware is unable to attack recent versions of computer firmware, so if you keep your firmware updated, you’re unlikely to be a victim. Considering that many computer and system board manufacturers have released firmware updates to address other problems, including the recent Spectre and Meltdown vulnerabilities, the firmware in many computers may already be updated.

      Needs Older Chipsets With Vulnerabilities

      Second, the malware requires older chipsets with unpatched vulnerabilities. If you’ve also recently updated your chipset firmware, you may be protected.

      In addition, the malware isn’t signed, which means that if you’re running Secure Boot on your machines, it will be detected. When Secure Boot is enabled, the firmware checks each component it loads for a valid signature and refuses to load anything that is unsigned or shows signs of tampering. ESET strongly recommends enabling Secure Boot on all of your systems.

      Once the malware is discovered, ESET offers three ways to eliminate it: reflash the firmware, replace the system board, or replace the computer. As noted earlier, simply installing a new operating system or a new hard drive won’t solve the problem.
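      The checks above (firmware up to date, Secure Boot enabled) can be audited from a Windows host with a short script. This is an added example, not code from ESET or from the article; it assumes Windows 8 or later with the built-in SecureBoot module, an elevated PowerShell session, and an arbitrary firmware-age threshold ($MaxFirmwareAgeDays) that you should adjust to your vendor’s release cadence.

```powershell
# Added example: audit a Windows host against the article's LoJax checklist.
# Assumptions: Windows 8+ (Confirm-SecureBootUEFI comes with the SecureBoot module),
# run elevated; the 365-day age threshold is arbitrary and should match your
# vendor's firmware release cadence.
function Get-FirmwarePosture {
    param([int]$MaxFirmwareAgeDays = 365)

    # SMBIOS data exposed by Windows: vendor, version string and release date
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # 'UEFI' or 'Legacy' on Windows 10 and later; $null on older releases
    $firmwareType = $env:firmware_type

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems or when not elevated;
    # treat either case as "Secure Boot not confirmed"
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # Get-CimInstance already converts the CIM datetime to a [datetime]
    $releaseDate = $bios.ReleaseDate
    $ageDays = if ($releaseDate) {
        (New-TimeSpan -Start $releaseDate -End (Get-Date)).Days
    } else { $null }

    [pscustomobject]@{
        Manufacturer        = $bios.Manufacturer
        BiosVersion         = $bios.SMBIOSBIOSVersion
        BiosReleaseDate     = $releaseDate
        FirmwareAgeDays     = $ageDays
        FirmwareType        = $firmwareType
        SecureBootEnabled   = $secureBoot
        # Flags mapped to the article's two preventive recommendations
        NeedsFirmwareUpdate = ($null -eq $ageDays) -or ($ageDays -gt $MaxFirmwareAgeDays)
        NeedsSecureBoot     = -not $secureBoot
    }
}

# Print the posture for this host; pipe to Export-Csv to collect across a fleet
Get-FirmwarePosture | Format-List
```

      A release date is only a proxy for "current firmware": compare BiosVersion against the latest version listed on the manufacturer’s site before deciding a machine is up to date.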

      “The other part of firmware security is in the hands of UEFI/BIOS vendors. The security mechanisms provided by the platform need to be properly configured by the system firmware to actually protect it,” the ESET team said in its recommendations. “Thus, firmware must be built with security in mind from the ground up. Fortunately, more and more security researchers are looking at firmware security thus contributing to improve this field and raise awareness of firmware vendors.”

      A Threat to Be Taken Seriously

      Most fairly modern computers are in fact built with security in mind, making the current LoJax malware less of a threat than it might be. But that does not mean that LoJax isn’t a threat to be taken seriously. The creators of the malware may find a way around current firmware security. In addition, there’s no guarantee that all system boards are built with such security.

      Fortunately, one of the concerns raised by the ESET team is less of a problem than it once was. These days, reflashing your firmware isn’t particularly arduous, and it’s mostly automated. You accomplish it by visiting the website of your computer or system board manufacturer, downloading the new version of the firmware and then running the self-installer.

      Most such firmware comes in a package that, once downloaded, self-extracts, then runs. When it runs, it sets up the install, it checks the current version of the firmware, and then it starts the flashing process. All you have to do is watch and not turn off the computer. The whole process takes less than 10 minutes.

      On the other hand, the current LoJax malware is only the beginning. Now that the Fancy Bear team knows it can infect computers in the wild, it can attempt to do more. This means that once the Russians figure out how to infect specific computers as needed, the risk grows enormously. And right now, finding this malware—much less fighting it—is also just at the beginning stages.
