Fighting persistent malware with a UEFI scanner

Share this…

The short answer to the headline’s question is that a UEFI scanner is all about helping you protect your computer against people who seek to take it over by abusing its Unified Extensible Firmware Interface (UEFI). A successful attack on a system’s UEFI can give the attacker complete control of that system, including persistence: the ability to secretly maintain unauthorized access to the machine despite rebooting and/or reformatting of the hard drive.

As you can imagine, this form of persistence is not a virtue and can prolong the pain and inconvenience of a malicious code infection. If your security software only scan drives and memory, without scanning UEFI, it is possible to think you have a clean machine when you don’t, that’s why we recommend a security solution that scans it, like ESET.

Why does my device have a UEFI?

UEFI scanner

Computing devices work by executing code: the instructions that we call software and which make the hardware – such as a laptop or smartphone – do something useful. Code can be fed to the device in several ways. For example, it can be read from storage on a disk, held in memory, or delivered via a network connection. But when you power on a digital device it has to start somewhere (bootstrap), and that first piece of code is typically stored in a chip on the device. This code, referred to as firmware, may include a “power-on self-test” or POST to make sure things are working correctly, followed by the loading into memory of the basic instructions for handling input and output.

If you’ve been into computers for a while you might recognize this chip-based code as BIOS or Basic Input Output System. In fact, BIOS technology dates back to the 1970s and so it is not surprising that it would eventually struggle to meet the demands of today’s computers, a point made by my colleague, Cameron Camp, in this excellent article on UEFI scanning. As Cameron details, UEFI technology has evolved to replace BIOS, although some devices still refer to it as BIOS. (I’m tempted to say “Meet the new BIOS, same as the old BIOS” but UEFI is signifcanty different, and besides, this article already has a headline that exploits a classic lyric: “What’s it all about, Alfie?”)

“FOR MOST PEOPLE, THIS IS THE RIGHT QUESTION TO BE ASKING, AND THE RIGHT ANSWER WILL DEPEND ON WHO YOU ARE”

Technically, UEFI is a specification, maintained by the Unified Extensible Firmware Interface Forum (uefi.org). According to the forum, the specification defines a new model for the interface between personal computer operating systems and platform firmware, and it “consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its boot loader.” Without going into greater technical detail, UEFI added a great deal of functionality to the boot process, including some serious security measures (these are discussed in the  ESET white paper referenced by this article).

Unfortunately, the illicit benefits of devising code that can surreptitiously take over a system early in the boot process – generically referred to as a bootkit – are a powerful motivator to the folks who specialize in unauthorized access to digital devices. Such folks could be: cybercriminals; domestic and foreign agencies like NSA and CIA; and private companies that sell “surveillance tools” to governments.

For more details, check out the excellent article by my ESET colleague Cassius Puodzius that discusses these “threat actors” and their interest in UEFI. The broader topic of bootkit evolution from early days through 2012 is ably covered by ESET Senior Research Fellow, David Harley, in this article. You might also check out the paper “Bootkits, Past, Present, and Future”, presented at Virus Bulletin 2014. And of course there are plenty of technical papers on the UEFI Forum site.

So what’s my UEFI risk?

For most people, this is the right question to be asking, and the right answer will depend on who you are. For example, are you someone whose computer might be of interest to the NSA or CIA or other government entity that has the resources to invest in code that abuses UEFI, either its own code or a commercial surveillance product purchased from a commercial vendor? Are you using your computer to develop, review, or otherwise handle intellectual property worth stealing? If you answered either of those questions in the affirmative, then I would say you have an above average risk of encountering UEFI malware.

Currently, I am not aware of any large-scale, broadly-targeted criminal malware campaigns that exploit UEFI to attack the general public’s computer systems (if you know of any, please share the knowledge). However, even if you are not in a high risk category, I strongly suggest you still need security software with UEFI scanning capability. Why? Remember those three letter agencies that have been developing UEFI attacks? Well, they don’t have a stellar reputation for keeping their tools secret. In fact, the biggest news in malware so far this year has been WannaCryptor a.k.a. WannaCry, and one reason that particular ransomware spread so fast was because it used a “top secret” exploit developed by the NSA, an agency known to have dabbled in UEFI compromise.

In other words, we just don’t know when a new malware campaign that abuses UEFI to maintain persistence on compromised systems will appear in the wild. What I can say is that folks who are performing UEFI scans on a regular basis will be better prepared to protect their systems from future malware than people who are not. And that is what UEFI scanning is all about.

Source:https://www.welivesecurity.com/2017/11/10/uefi-scanner-fighting-persistent-malware/