Update, 9 October 2018: The remediation section of the white paper contained inaccurate information. Secure Boot doesn’t protect against the UEFI rootkit described in this research. We advise that you keep your UEFI firmware up-to-date and, if possible, have a processor with a hardware root of trust as is the case with Intel processors supporting Intel Boot Guard (from the Haswell family of Intel processors onwards).
ESET researchers have discovered the first in-the-wild UEFI rootkit. Dubbed LoJax, the research team has shown that the Sednit operators used different components of the LoJax malware to target a few government organizations in the Balkans as well as in Central and Eastern Europe.
www.welivesecurity.com
(welivesecurity is a current activity of ESET RESEARCH)
Doesn't affect me either, just wondering. Black Hat had some info on that, too. LoJack was the Lenovo theft protection "feature", and that went sideways, but nothing I can see on that subject since about 2017, or so.
Methinks if the rotten thing had any 'legs' at all, it would be spread worldwide by now.
The fact that it is not is a fair indication that it has either died a natural death or has been shoved into the background by updates via all OS's registry systems/BIOS etc. etc. etc.
Firmware is software. When it is broken or attacked, it can be repaired. So, yes, it has likely been overcome by now. There will likely be others, but for now ... move on to other subjects.
As a Linux user I find it easiest to just not run any anti-virus, anti-malware, or anti-rootkit programs.
What I don't know can't worry me and make me lose sleep!