The Rise of UEFI Malware
he Unified Extensible Firmware Interface (UEFI for short) is a replacement for the old BIOS, an interface layer for operating systems to talk to platform hardware and firmware. It is an evolution of the original Extensible Firmware Interface (EFI) specification which is now deprecated and was used early on by manufacturers such as Sun Microsystems and Apple, among others.
UEFI provides remote management and diagnostics of computer systems without the help of and dependency on any operating system; in fact it can be used without any OS installation at all. Its design criteria includes extensibility - in other words, provide a platform for others to build on. This is in stark contrast to the old BIOS firmwares, which were handcrafted and tailored to a specific mainboard and its included components.
This flexibility is much loved by manufacturers as it eases their supply chain and ability to ship firmware upgrades which cover any imaginable hardware combinations. If their UEFI doesn't have support for a given expansion card or interface board, it is up to that board's manufacturers to ship a module with their hardware. This module then is easily installed along with the board.
Security Implications
This concept has two main implications:
- the UEFI storage area must be writeable by an install program shipped by a hardware manufacturer
- the UEFI is somewhat of a general purpose computing platform that executes before the actual operating system and with full access to the system hardware, including network interfaces
The latter point is the main bearer of criticism towards UEFI. Security experts take a grim view of a pre-execution environment which has not been secured anywhere as well as today's operating systems. Even after UEFI starts the operating system, any security controls that may be present are necessarily tainted by the fact that in-memory components of a compromised UEFI module may continue to operate. Operating system vendors are countering this merely with the concept of secure boot, a mechanism that should ensure only binaries signed with known-good signatures are allowed to be loaded into the kernel. The protection offered by this is near zero, what with a history of malware falsifying such signatures and executing anyway.
End of Theory
So far, few rootkits exploiting UEFI's shortcomings had been spotted in the wild. In late September 2018, however, the Lojax rootkit changed this with a vengance. Itself based on Absolute LoJack, a legitimate device recovery and management software which executes as a UEFI module, it infects and hides in UEFI. It taints the Windows boot process by injecting a malicious driver with falsified signature that executes with kernel privileges.
When running it behaves a lot like normal malware, in that it contacts command-and-control servers on the Internet which appear to be run by Russian criminals (or intelligence - hard to tell the difference). It differs from normal malware in that a cleanup within the operating system doesn't help because the still-resident UEFI module will re-infect the system on next boot. There is no way to clean the trojan other than by cleaning up the computer's UEFI SPI flash storage by re-flashing it. It is also quite difficult to spot an infection in the UEFI as not many tools are available for the purpose.
Even though the rootkit itself persists independent of Windows (they are sometimes called "bootkits" because of tbhis independence), its payload still is uniquely tailored towards executing in Windows. Not running Windows this specific piece of software is of little concern to us, but of course the same persistence mechanism can be used to deliver a MacOS or Linux payload. The fact that many Linux users turn off Secure Boot doesn't help, although it's not much of a security barrier to surmount for miscreants either.
It is assumed that a good percentage of government trojans will or already do make use of the UEFI as well. The problem will only become bigger as time passes.