Hacking Team's UEFI rootkit could enable persistent infections

— 12:45 PM on July 15, 2015

If remote execution of code via Flash or Java vulnerabilities isn't irritating enough, the Hacking Team leaks could have opened the door to more persistent pwnage, too. Trend Micro warns of a UEFI rootkit developed by the gray-hat devs that's designed to make life miserable for victims with unsecured motherboards. Once it's flashed to the system's firmware, the rootkit ensures that Hacking Team's Remote Control System malware remains installed on the target machine by checking for its presence in Windows before the OS even boots. If the user somehow manages to purge the malware, the compromised firmware reinstalls it before allowing Windows to load.

Since the rootkit resides in firmware, reformatting or even replacing the boot volume is not enough to clean the infection. It's not clear whether flashing a clean firmware to the system would purge it.

According to Trend Micro, the attack itself requires physical access to the target system, but the company doesn't rule out remote installation as a possibility. One could easily imagine variations of the attack where a phisher calling from "Microsoft support" could remotely flash the firmware of unsuspecting users.

To protect yourself and your PCs, the company recommends enabling UEFI SecureFlash, updating motherboard firmware whenever such an update contains a security patch, and setting up a BIOS or UEFI password.
