Hacking Team spyware survives on target systems with help of UEFI BIOS rootkit
How did Hacking Team make sure that its Remote Control System (RCS) spyware would remain on targets’ computers even if they reinstalled their OS, formatted their hard drives or installed a new hard disk? The answer is: by using a UEFI BIOS rootkit.
In the last year or so, a number of researchers have pointed out vulnerabilities in BIOS and UEFI firmware that could be exploited to install rootkits on a computer system.
According to a slideshow presentation included in the massive Hacking Team leak, in order to install the rootkit the attacker needs to have physical access to the system.
“An example attack scenario would be: The intruder gets access to the target computer, reboots into UEFI shell, dumps the BIOS, installs the BIOS rootkit, reflashes the BIOS, and then reboots the target system,” Trend Micro researchers explained, but added that it’s also possible that they found a way to do this remotely.
The slideshow also shows that the rootkit is written for Insyde BIOS – UEFI BIOS firmware that is deployed on popular laptops and desktops by HP, Lenovo, and other manufacturers – but the researchers say that it likely works on AMI BIOS as well.
“In installation, three modules are first copied from an external source (this might be from a USB key with UEFI shell) to a file volume (FV) in the modified UEFI BIOS,” the researchers explained.
“Ntfs.mod allows UEFI BIOS to read/write NTFS files. Rkloader.mod then hooks the UEFI event and calls the dropper function when the system boots. The file dropper.mod contains the actual agents, which have the file name scout.exe and soldier.exe.”
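The description above (modules dropped into a firmware volume of a reflashed BIOS) points to the defensive check a firmware owner can run: dump the SPI flash, enumerate the modules in each firmware volume, and compare against a dump taken from a known-good machine. The script below is an added example written for this article, not code from Trend Micro or from the leaked Hacking Team material. It walks the standard PI firmware-volume / FFS / section layout (the `_FVH` signature, 24-byte FFS file headers, 4-byte section headers with the UCS-2 "user interface" name section) and reports any file GUID absent from the baseline. The two images it inspects are constructed in-line: the vendor module names (`PlatformInit`, `UsbBus`), the GUIDs (derived with `uuid5` from a placeholder name) and the PE32 payload bytes are all made up; the three extra module names are taken from the article.

```python
import struct
import uuid

# Layout constants from the PI firmware-file-system spec (standard values).
FV_SIGNATURE = b"_FVH"            # EFI_FIRMWARE_VOLUME_HEADER.Signature, at header offset 40
FV_FIXED_HEADER_LEN = 56          # header bytes before the block map
FFS_HEADER_LEN = 24               # sizeof(EFI_FFS_FILE_HEADER)
FFS_TYPE_DRIVER = 0x07            # EFI_FV_FILETYPE_DRIVER
SECTION_PE32 = 0x10               # EFI_SECTION_PE32
SECTION_UI = 0x15                 # EFI_SECTION_USER_INTERFACE: UCS-2 module name
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID


def find_firmware_volumes(image):
    """Locate volumes by their '_FVH' signature; return (start, length, header_len) tuples."""
    vols = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40
        if start >= 0 and start + FV_FIXED_HEADER_LEN <= len(image):
            fv_len = struct.unpack_from("<Q", image, start + 32)[0]
            hdr_len = struct.unpack_from("<H", image, start + 48)[0]
            if hdr_len >= FV_FIXED_HEADER_LEN and fv_len and start + fv_len <= len(image):
                vols.append((start, fv_len, hdr_len))
        pos = image.find(FV_SIGNATURE, pos + len(FV_SIGNATURE))
    return vols


def iter_ffs_files(image, fv_start, fv_len, hdr_len):
    """Walk the 8-byte-aligned FFS files that follow the volume header."""
    pos, end = fv_start + hdr_len, fv_start + fv_len
    while pos + FFS_HEADER_LEN <= end:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:          # erased flash: no more files
            break
        size = int.from_bytes(hdr[20:23], "little")  # 24-bit size, header included
        if size < FFS_HEADER_LEN:
            break
        yield uuid.UUID(bytes_le=hdr[:16]), hdr[18], image[pos + FFS_HEADER_LEN:pos + size]
        pos += (size + 7) & ~7


def iter_sections(body):
    """Walk the 4-byte-aligned sections inside one FFS file body."""
    pos = 0
    while pos + 4 <= len(body):
        size = int.from_bytes(body[pos:pos + 3], "little")
        if size < 4:
            break
        yield body[pos + 3], body[pos + 4:pos + size]
        pos += (size + 3) & ~3


def audit_image(image, baseline_guids):
    """Return ({guid: ui_name} for every module found, subset whose GUID is not in baseline)."""
    found = {}
    for start, length, hdr_len in find_firmware_volumes(image):
        for guid, _ftype, body in iter_ffs_files(image, start, length, hdr_len):
            name = None
            for stype, data in iter_sections(body):
                if stype == SECTION_UI:
                    name = data.decode("utf-16-le").rstrip("\x00")
            found[str(guid)] = name
    unexpected = {g: n for g, n in found.items() if g not in baseline_guids}
    return found, unexpected


# --- builders for the constructed sample images (placeholder content, not real firmware) ---
def _section(stype, data):
    return (4 + len(data)).to_bytes(3, "little") + bytes([stype]) + data


def _ffs_file(guid, ftype, sections):
    body = b""
    for s in sections:
        body += b"\x00" * (-len(body) % 4) + s
    size = FFS_HEADER_LEN + len(body)
    # IntegrityCheck and State hold placeholder values; the audit above does not verify them.
    return guid.bytes_le + b"\x00\x00" + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\xf8" + body


def _driver(name):
    guid = uuid.uuid5(uuid.NAMESPACE_DNS, "example.invalid/" + name)  # constructed, deterministic
    return _ffs_file(guid, FFS_TYPE_DRIVER, [
        _section(SECTION_UI, name.encode("utf-16-le") + b"\x00\x00"),
        _section(SECTION_PE32, b"MZ-placeholder-image"),
    ])


def _firmware_volume(files):
    body = b""
    for f in files:
        body += b"\xff" * (-len(body) % 8) + f
    hdr_len = FV_FIXED_HEADER_LEN + 16          # one block-map entry plus the zero terminator
    total = hdr_len + len(body)
    header = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", total) + FV_SIGNATURE
              + struct.pack("<IHHHBB", 0, hdr_len, 0, 0, 0, 2)   # attrs, hdr len, checksum, ext, rsvd, rev
              + struct.pack("<IIII", 1, total, 0, 0))            # block map: 1 block of `total`, terminator
    return header + body


def build_sample_images():
    """A known-good dump, and the same dump with three extra modules named as in the article."""
    vendor = [_driver("PlatformInit"), _driver("UsbBus")]
    clean = _firmware_volume(vendor)
    tampered = _firmware_volume(vendor + [_driver("Ntfs"), _driver("rkloader"), _driver("dropper")])
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = build_sample_images()
    baseline = set(audit_image(clean, set())[0])     # GUIDs present in the known-good dump
    _, extra = audit_image(tampered, baseline)
    for guid, name in extra.items():
        print(f"not in baseline: {name or '<no UI section>'} ({guid})")
```

Two caveats for real dumps: vendor images usually wrap their drivers in compressed or GUID-defined sections, so the UI name sits one level deeper than this flat walk reaches (tools such as UEFITool decompress those), and a baseline keyed on file GUIDs only catches added files, so pair it with a hash comparison of each file body to catch a vendor module that was modified in place.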
In order to protect themselves against this particular threat, Trend Micro advises users to update their BIOS as soon as a new patch is released, to set up a BIOS or UEFI password, and to enable UEFI SecureFlash.
“Admins managing servers can also opt to buy a server with physical BIOS write-protection, wherein the user will need to put a jumper or turn on a dip switch in order to update the BIOS,” they concluded.