New UEFI Rootkit

Kaspersky is reporting on a new UEFI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article:

The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.

Both links have lots of technical details; the second contains a list of previously discovered UEFI rootkits. Also relevant are the NSA’s capabilities—now a decade old—in this area.

Tags: implants, Kaspersky, malware, reports, rootkits

Posted on July 28, 2022 at 6:16 AM • 38 Comments

Comments

Thomas • July 28, 2022 6:58 AM

Nitpick: it’s UEFI not UFEI.

Leon Theremin • July 28, 2022 7:29 AM

How many 4G/5G cell transmitters use UEFI based systems? Are Telecoms proactive in detecting firmware rootkits in their ‘SDR one hack away from becoming a microwave weapon ‘?

RapidGeek • July 28, 2022 9:12 AM

UFEI… Unified Firmware Exploit Interface…

Seems to me this is another “it’s turtles all the way down”. Have to secure everything or nothing is secure.

Shoal Creek • July 28, 2022 9:39 AM

Wasn’t UEFI implemented partly as a way of allowing an operating system to verify the hardware it is running on as an authorized and licensed hardware? It seems like this is a “fine sand in the hand” type of problem–the tighter one squeezes trying to control the sand, the more sand runs out between the fingers. Under BIOS, the worst rootkits/viruses corrupted the bootloader. Now, under UEFI, they corrupt the very thing that loads the bootloader.

Clive Robinson • July 28, 2022 11:29 AM

@ Bruce, ALL,

“Also relevant are the NSA’s capabilities—now a decade old—in this area.”

Also relevant, as @RapidGeek, and @Shoal Creek allude to, is that there is a gaping great hole in the whole “hard reset to loaded OS” process that has been in personal computers of most flavours since the 1970’s…

It’s still there, and not going anywhere any time soon, because it is one of the most usefull features IBM’s “Skunk works” stole from Apple in the 1980’s.

Apple realised that to be usefull and not a cul-de-sac / dead end a computer needed to be able to expand that is to do two basic things,

1, Have interchangable and upgradable software.
2, Have interchangable and upgradable hardware.

However they also realised there was a “Gordian Knot” issue that any hardware upgrade required a software upgrade, especially boot time storage devices.

The solution, put a basic I/O driver on the hardware device, and have it appear in the computers memory map, at a place assigned by the hardware slot it was pluged into.

So Apple asigned two kilo-bytes of space to each card slot and had a magic number in the first two bytes that identified a driver was present.

As for the OS rather than run directly from ROM it ran in part from RAM which was initialised by the “boot-up” process.

The result of both these was great flexability to expand in almost any way you could reasonably conceive.

However… That “driver code” that was run as part of the bootup, had to stay untill the OS was fully loaded so it could still be used.

Back then in the 1970’s there was no notion of security on a personal computer and especially not any idea about code signing. So even though it was a gaping security hole, it was not realised as such.

IBM for their PC did almost exactly the same only in a larger memory map the 8088/6 allowed for. Only by the 1980’s people were starting to understand that it was a security threat…

Thus this “security hole” became embedded in all IBM PC OS’s of the time and crossed a tipping point where it became a “legacy issue” that could not be reversed.

Worse every hardware slot upgrade carried the hole forward. Even UEFI still carries the security hole forwards in the name of backwards compatability.

This hole has had two majorly visable exploits,

1, BadBIOS and all that followed.
2, Lenovo consumer PC’s having un removable malware embedded in the BIOS chip.

But these were by no means the first exploits of this security hole. Many hardware designers who developed very early PC2PC communications looked at using either the PC speaker or an IR LED. We knew how to do not just the IO hole, but how to use it with another security hole which was “track zero” malware that would easily spread on floppy disks via “sneaker-net”.

So when in late 2013 Dragos Ruiu’s story about magic malware that could not be erased came out we already knew exactly how to do it, though the consense was Dragos had “flipped his lid” or was “barking at the moon”.

The first place you will find this correctly discussed was on this blog, and the “not possible” commenters came out in droves. Even though @RobertT and myself gave quite precice details of how to do it we were likewise apparently “lid flippers”. Then two universiry students took a couple of laptops into a corridor and effectively “followed the recipe” and published a paper and suddenly the whole world were believers, and lots and lots of malware quickly followed and it’s still around in various forms today.

Whilst @RobertT and myself were the first to detail it publicly, the techniques from the early to mid 1980’s behind it must have been known to hundreds of hardware engineers in the last couple of decades of the 1900’s.

So I would be more suprised than not if the NSA were not aware of this gaping security hole that by the mid 1980’s was effectively on every personal computer, mini-computers and big-iron computers.

About the only computers it was not on were microcontroller embedded systems (though it’s on many these days including just about every IoT device running a *nix clone).

For some unacountable reason the ICT industry, especially the ICTsec sub industry, apparently never learns from it’s history. Even it’s history of less than a decade ago…

As the old saying has it,

“Go figure…”

Andy • July 28, 2022 1:55 PM

Couldn’t manufacturers either assume this can occur and incorporate a solution into each bios update/release – a reflash of last good bios would fix on next reboot even if MB no longer supported. Vendors should also provide a hash value to allow verification ,to be fair Asus has started doing this with each router FW release. Or alternatively, provide a separate SPI utility that checks against known good hashes and reflashes if infected?

Many such write vulnerabilities seem almost as if there ‘by design,’ I mean who flashes USB pendrive’s FW? Or just the result of putting convenience before sensible security measures. A small two pin jumper could prevent such unauthorised writes.

Ted • July 28, 2022 2:47 PM

Very interesting.

One of the commenters on the Ars article thought that the malicious internet traffic would be detectable in a well run corporate environment.

And it makes me wonder who would be willing to sacrifice exposure for this type of bootkit-rootkit. Are you all also reading that this variant was last active in 2020?

The detected victims were also curious: private individuals using Kaspersky’s free version in China, Vietnam, Iran, and Russia. Will any product manufacturers be addressing this, noting that this rootkit was found in the firmware images of Gigabyte and ASUS motherboards, all related to designs using the H81 chipset?

As Kaspersky also remarks, the fact that the C2 server domains were only up for a limited timeframe is interesting considering the nature of CosmicStrand’s ultra-persistent capabilities.

Clive Robinson • July 28, 2022 5:26 PM

@ Andy, ALL,

Re : root of trust.

Couldn’t manufacturers either assume this can occur and incorporate a solution into each bios update/release – a reflash of last good bios would fix on next reboot even if MB no longer supported.

The $64,000 question is,

“How would the BIOS know it needs to be reflashed?”

If you as an attacker can change the Flash ROM then you can change any “root of trust” in it to match as well…

SpaceLifeForm • July 28, 2022 7:42 PM

@ Ted, Clive, ALL

re: well run corporate environment

Few and far between IMO.

As I have mentioned before, if you really, really want to defend against an APT, you must double firewall and DPI OUTBOUND Traffic in order to detect.

That is just to detect.

It is not simple, costs money, and requires some intelligent, well paid technical folk paying attention and reviewing logs in real time, so they can spot anomalies. It is not easy.

You can see that it is very likely to never occur. Because money.

It is cheaper to not become a target of an APT, and keep your kit offline that really has no reason to be exposed to the internet in the first place.

Some day we may get Rounds Duet.

‘https://www.politico.com/news/2022/07/28/justice-department-data-breach-federal-court-system-00048485

The Justice Department is investigating a data breach of the U.S. federal courts system dating to early 2020, a top official testified on Capitol Hill Thursday.

. . .

Asked for further details on the breach, Wyden said that he “can’t get into that” for fear of “running afoul of the classification system”

Arclight • July 28, 2022 8:30 PM

Also, will a normal BIOS reflash utility from the manufacturer remove this or doe sit basic require a JTAG debugger? Can hardware makers build in a read-only bootloader to ensure recovery is possible?

Anonymous • July 28, 2022 9:50 PM

@ ALL, Bruce, Clive, -, Moderator

Note the numbers. There has not been 75 new Articles that Bruce put up in the last 20 days.

There is a problem in the system.

I can see the comment_id bumping up, but for the post_id to jump by 75 in 20 days makes no sense because Bruce never puts up 3 articles every day. Maybe 1 or 2.

Bruce has not averaged over 3 new articles per day for the last 20 days, which would still not get get you to 75.

Someone is inside of the DataBase, cloning articles, and shadow banning comments.

‘https://www.schneier.com/comment-thankyou/?post_id=65600&comment_id=408288

‘https://www.schneier.com/blog/archives/2022/07/friday-squid-blogging-fishing-for-squid.html

‘https://www.schneier.com/blog/archives/2022/07/?post_id=65600

‘https://www.schneier.com/blog/archives/2022/07/friday-squid-blogging-bathyteuthis-berryi-holding-eggs.html#comments

‘https://www.schneier.com/?post_id=65600&comment_id=408288

‘https://www.schneier.com/comment-thankyou/?post_id=65675&comment_id=408291

If I go to the above link now, after some time, it now tells me held for moderation.

When I first posted it, it did not.

I’m not losing my mind here. I have them both visible in separate tabs.

Clive Robinson • July 29, 2022 3:06 AM

@ SpaceLifeForm, Ted, ALL,

Re: Corporate environment

“to defend against an APT, you must double firewall and DPI OUTBOUND Traffic in order to detect.”

As I’ve mentioned in the past I have the “Garden Path” approach where you use two firewalls in series from unrelated manufacturers, between the up-stream Internet router and your Intranet DMZ-LZ. So Front-“Gate” and Front-“Door” with the “Hallway” being the DMZ Landing Zone, from which internal firewalls are connected to make the Organisational Intranet.

You then using “Read Only Tap” Data Diodes[1] instrument the Internet side of Gate, which is the equivalent of the “Road”, the Gate to Door link which is the Garden-“Path” and the DMZ-LZ “Hallway”. In addition on the Road side of Gate there is “Drawbridge” which is the equivalent of an electromechanical-relay[2] acting as a circuit breaker mechanical switch, that “pulls the plug” on the Internet connection. This is controled from the instrumentation.

You watch both “In”-bound and “Out”-bound traffic and log it all for the three data diode tap points.

Which covers the physical arrangement. I won’t go into how the instrumentation works –as I’m not writing a book or chapter for a book,– but it logs, analyses, and if it detects certain types of attack automatically pulls the plug via the drawbridge line issolator switch. Hopefully stopping attacks aimed at the Gate and Door firewalls.

Obviously all of this is expensive in hardware and time, as well as potentially adding a DoS opportunity if the rules for opening the Drawbridge are too liberal. Because in effect your instrumentation is modeled on the “Honeynet” instrumentation that was designed to detect capture and analyse zero-day attacks.

In many organisations as far as “managment” would be concerned, this would in effect be concidered a “money pit” with no returns. This is more down to the poor risk analysis and very short term thinking prevalent these days than anything else.

Oddly though the same “managment” are happy to have every computer in the organisation connected with no protection to the internet because there might be some very small plus side…

Hence my oft asked first question of,

“What is the business case for having external communications connected to this computer?”

Mostly the real answer is “none” just a bunch of MBA style “arm wavery” about business potential. Often based on the “Connectivity is good” mantra.

Which is why as you know I tend to favour “Issolation and hard Segregation” as the starting points for both the Internet (WAN) and Intranet (LAN). Based on “No hard business case, no connectivity”…

[1] Once known as “Vampire taps” these take the line TX and RX pairs and analog buffer / issolate them from two instrumentation RX pairs. That is there is no physical TX path from the instrumentation back to the line so an attacker can not see it. At one time configuring a network card to only have the RX pair was relatively trivial, these days it can be rather more challenging.

[2] Whilst electromechanical relay/switch line issolator works for “copper” cables, it does not work for “optical” fiber. Hence you need the optical equivalent, which are still considered “specialist” equipment.

Dave • July 29, 2022 4:03 AM

But UEFI is secure by executive fiat! Didn’t the rootkit authors get the memo on that? How could they just go ahead and compromise something that’s been defined to be secure!

Dave • July 29, 2022 4:05 AM

@Ted: One of the commenters on the Ars article thought that the malicious internet traffic would be detectable in a well run corporate environment.

Yup. No true Scotsman would leave such a rootkit undetected.

Leon Theremin • July 29, 2022 5:56 AM

I’m not losing my mind here. I have them both visible in separate tabs.

I agree. I know who, what, how, why. This isn’t a problem specific to our host, affects our whole society. A solution will have to be found, but not without a fight. If you care enough, join me.

Ted • July 29, 2022 7:55 AM

@SpaceLifeForm, Clive, Dave

This was the full comment on the Ars’ article:

Btw in a well run corporate environment this particular kits method would stick out pretty loudly. Anything calling DNS servers outside of our DCs gets flagged very quickly. Of course today you could do DNS over HTTPS but again there you’d get flagged for doing it so low level since you wouldn’t be going through the corporate proxy which again gets flagged for security review.

Is flagging internet traffic my expertise? No. Still there were lots of interesting and speculative comments on the article. Without having a sample to analyze, I’m guessing people are trying to work through some of the details based on what was reported.

SpaceLifeForm • July 29, 2022 8:10 AM

@ Leon Theremin

We are on the same page. There is no doubt.

I agree, the problem is not specific to this blog. I’ve seen it elsewhere for over 20 years.

We know the flaws and how they can be attacked. We know where the attackers are and why they are doing it ($). We can not allow more cruft to be bolted-on to the current cruft because that is like trying to patch a hole in a screen door with jello.

We need new network protocols that are designed with security in mind from the ground up. There is no other way.

The only root of trust is each individual believing in themselves. You build up from there.

Hint: Every person is their own domain. You link up from there.

Andy • July 29, 2022 8:30 AM

@Clive Robinson

Maybe a return to socket extractors/external programmers to upgrade bios then? Vendors would reject implementing this because it’s a little too fiddly for the typical user of a gaming board. Vendors would view it in terms of how many would brick their boards/drop and lose the EPROM chip or bend its pins.

Having a bios that can only be reprogrammed with separate EPROM programmer post extraction would be great tho imo. EPROM Flash BIOS Adapters – socket extractors are nothing new either. The consumer DFI Lanparty boards used to allow for it, I had a DFI board, having a more industrial focused production background they took security more seriously. IIRC the Bios also used to be jumper write protected for addition security by default. Someone would need physical access. HW seems to be becoming less and less secure every decade, as sophisticated threat actors multiply.

Consumer gear vs industrial, consumer where convenience is everything, and convenience obviously ignores determined malicious actors who want to create thousands of botnets for DDoS’ing, or leverage machines for cryptomining, as appears to have been the case here.

SpaceLifeForm • July 29, 2022 9:13 AM

@ Ted, Clive, Dave

re: outbound proxy filtering

Unfortunately, it is not that simple.

Years ago, the proxy would be deny based. But that is whack-a-mole. There is no way to do that programmatically because attackers will just spin up new domains.

Long ago, some group set up a Cheap Internet Access proxy. Yep, free. I used it to read news from sites that were blocked for unknown reasons by the corporate proxy. The corporate proxy had not blocked the Cheap Internet Access proxy.

So, because of knowledge, I was able to double hop thru two proxies and get to any site I wanted to visit. The corporate proxy was useless.

Today, if you try the reverse idea with a corporate proxy, then you have to create an allow list of domains. Time consuming, resource intensive, and guaranteed to create problems on a daily basis.

It is no a no-win situation with an outbound proxy. You can try to block via domain, like blocking .ru or .cn but if the attackers can get an exploit into some other website that is not blocked, then they can use that hacked server as a C2. They would probably keep the hacked server functioning normally so no one notices, but carefully crafted traffic can still reach the C2 inside.

I think the only way to detect is to DPI OUTBOUND regardless of destination, and carefully look for suspicious traffic, especially during off hours.

The less traffic to inspect the better. Keep stuff offline as much as possible.

It is not simple.

JonKnowsNothing • July 29, 2022 9:30 AM

@Andy, @Clive @All

BHTM v3 p1

re:

Maybe a return to socket extractors/external programmers to upgrade bios then?
Vendors would reject implementing this because it’s a little too fiddly for the typical user of a gaming board.

I don’t agree with the conclusion. Vendors are not inclined to have replaceable anything because they have discovered the El Dorado of Soldered On Components.

JonKnowsNothing • July 29, 2022 9:35 AM

BHTM v5 p2

Gamers and Tech Enthusiasts of all types, techniques and utilization have been creating, replacing and upgrading components since The Beginning.

RL anecdote tl;dr

It took soldering 2 pins to upgrade an original gaming rig from 16k to 32k.

Why you might ask?

iirc(badly)

Because back in those days, the original system came with a crippled or broken memory chip. The chip was supposed to be 32k but only 16k would pass the memtest.

JonKnowsNothing • July 29, 2022 9:40 AM

BHTM rest of the comment gets Road Rash. 7 try fail.

SpaceLifeForm • July 29, 2022 10:00 AM

@ JonKnowsNothing

re: BHMT

Think Time is probably a factor.

Start your comment, but wait at least 5 minutes before submit.

9:48 now

tick, tick, etc (I’m waiting for Godot)

Sorry, but during my Think Time, I did not find a good link.

Now 10:00

JonKnowsNothing • July 29, 2022 10:09 AM

@SpaceLifeForm

re: BHMT

Think Time is probably a factor.

Start your comment, but wait at least 5 minutes before submit.

9:48 now

tick, tick, etc (I’m waiting for Godot)

Sorry, but during my Think Time, I did not find a good link.

Now 10:00

===

BHTM 8th try Time 10:07

Andy • July 29, 2022 10:19 AM

@JonKnowsNothing

Yes, most are now soldered. A bad bios flash means having to replace the MB.

The fact bios is reprogrammable via the OS maybe a convenient feature for updating, but it’s also potential security issue.

I had a programmer, and it could be quite fiddly, insomuch as pin 1 – marker/or half-moon had to identified and chips properly seated in the correct socket holes. Plus you obviously need another PC and programming software. But if this type of UEFI malware becomes more common, many would see such inconveniences as worth it, if only for peace of mind.

ReyBab • July 29, 2022 4:06 PM

Is it possible to remove it by installing the BIOS update? Will it overwrite malware?

Anonymous • July 29, 2022 6:41 PM

@ JonKnowsNothing, Leon, Clive, ALL

re: https://www.schneier.com/blog/archives/2022/07/new-ufei-rootkit.html/#comment-408319

I see 2 minute difference. With rounding, let’s say over 1 minute difference.

You posted your comment from your iPhone 7, right? Something about precision.

I know you did.

Reminder: Cellcos do not run NTP BY DESIGN.

Clock skew is a way to fingerprint.

If I can spot this, imagine how well that en ess eh can.

If I have this wrong, say so.

If I have this right, say so.

Feedback is important to debug.

Repeating: Feedback is important.

If you see something, say something.

We need the feedback to debug.

SpaceLifeForm • July 29, 2022 7:47 PM

@ RayBab, Leon, Clive, ALL

Is it possible to remove it by installing the BIOS update? Will it overwrite malware?

There is no way to un-install a BIOS/UEFI unless you have an older image that you can force load. And that you trust.

This really is all about Root of Trust.

You could use a bootable floppy and jumper.

Oh, wait. Modern UEFI won’t fit on a floppy, there is no jumper, there is no floppy on modern kit.

You could be stupid, and use windows and let it upgrade to the latest.

Which means, you could get the new and approved malware backdoor bootkit.

Can you spot the problem?

The Root of Trust is no longer you.

You can not steer the Silicon Turtle if you use windows on modern kit.

JonKnowsNothing • July 30, 2022 12:23 AM

@ Anonymous, @Leon, Clive, SpaceLifeForm, ALL

re: You posted your comment from your iPhone 7, right? Something about precision.

If you are referring to my posts, they were about precision as displayed on an iPhone in landscape or portrait mode layouts.

The post was written and submitted from a PC using FF.

Sometimes it works and sometimes it doesn’t. I have never found out exactly why it doesn’t. There are many theories: multiple sessions, independent processes, and restarts. Some things work part of the time but not all the time. Sometimes I think I’ve figured it out but more often I still haven’t a clue about backticking. Time is about the only constant to the condition.

Dave • July 30, 2022 2:43 AM

@Andy: Maybe a return to socket extractors/external programmers to upgrade bios then?

This only works if BIOS updates are maybe once in the lifetime of the device, and there’s someone to go round every single device in the company and fiddle with the hardware to reprogram it. In practice there’s a neverending stream of BIOS updates patching an equally neverending stream of vulnerabilities (it’s no surprise that UEFI rootkits are so viable given the insecurity of the UEFI software), so it has to be software-updatable in order to work. For example my work laptop, a Lenovo, gets new BIOS updates, patching multiple CVEs in each one, for every single Lenovo update cycle. And Lenovo are reasonably good in keeping up, for other vendors things just stay insecure with few to no updates issued.

Clive Robinson • July 30, 2022 4:04 AM

@ Dave, Andy, ALL,

“In practice there’s a neverending stream of BIOS updates patching an equally neverending stream of vulnerabilities”

And that will never stop due to the “Unknown Unknown” issue of “Classes and Instances” of vulnarabilities.

As you can not solve this you can only mitigate.

One mitigation is to make the BIOS not overwritable from software. But this only mitigates attacks that need to overwrite the BIOS. It does not stop all the other classes of attack.

After a while of going around the loop you realise that the only mitigation that works is to fully issolate / segregate the computer from all kinds of input…

Which kind of makes general purpose computers pointless.

The trick is to firstly split the users into three classes,

1, SysAdmin (insider)
2, Authorised user (insider)
3, Everyone else (insiders & outsiders).

By fully issolating and segregating –removing all comms paths puting in secure container– the computer whilst being vulnerable is secure from attack as attackers can not reach it.

To use it you need to bridge the issolation by providing “mandated communications” that is the insider user has everything they type checked by instrumentation to sanitize it before it gets sent to the issolated computer.

Whilst it’s not 100% it raises the bar to a sort of sweet spot where security and usability cross at an acceptably high security level.

And that’s about the best you can do, and we knew this back in the 1950’s and 60’s long before Personal Computing came over the horizon…

SpaceLifeForm • July 30, 2022 4:23 PM

@ JonKnowsNothing

re: Time is about the only constant to the condition.

Thanks for the feedback.

I made a bad assumption that you wrote the comment from an iPhone.

So, if you used a PC, are you running NTP?

It sure looks like your clock is behind by at least one minute.

It should not matter, but it may be a clue. As a test, you could bump your clock up by 2 minutes, and see if the behaviour changes.

Security Sam • July 30, 2022 5:26 PM

You’re damned if you do
You’re damned if you don’t
Now you think that you see it
And now you think that you don’t.