Yesterday, researchers revealed the details of a bootkit: a piece of malware that sits underneath the operating system, is undetectable by normal anti-malware software, and is unremovable short of replacing the hard drive.
Code-named ESPecter, it sits in the EFI system partition and can bypass Microsoft's driver signature verification. It uses that foothold to load unsigned drivers that steal documents, log keystrokes and capture what is on the screen. And, likely, anything else the hackers want to do.
If the system is running in legacy boot mode, it just modifies the master boot record.
This is the fourth case of someone developing an attack like this. At least that has been discovered.
In theory, UEFI Secure Boot should stop this attack, but the security company who announced the malware said that they had seen various UEFI firmware vulnerabilities that allow disabling or bypassing Secure Boot.
This just proves that securing a computer – any computer, any operating system – is hard to do.
There is no known fix for this.
Using tools to detect unusual activity, including at the network edge, might be the only way to detect this, but even that is pretty dicey. Credit: The Hacker News
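One concrete, defender-side check that follows from the point above about detecting unusual activity: since this bootkit lives as files in the EFI system partition (ESP), an administrator can record a baseline of every file on the ESP and periodically compare the live partition against it. The script below is an added example written for this alert, not code from the original article or from the researchers; it assumes the ESP is mounted at a path you supply (for instance /boot/efi on Linux, or a drive letter you have assigned to the ESP on Windows), and the demo run uses a constructed temporary directory in place of a real ESP. A malware that controls the boot path can also interfere with what the running OS sees, so a change flagged here is a lead to confirm from a clean boot medium, and an unchanged result is not proof of a clean machine.

```python
"""Baseline-and-diff check for the EFI System Partition (ESP).

Added example, not from the original alert. It hashes every file under an
ESP mount point (assumed: /boot/efi on Linux, or the mounted ESP drive letter
on Windows) and compares it against a previously saved baseline, reporting
files that are new, changed or removed. An unexplained change is something to
investigate from a clean boot medium, not proof of compromise by itself.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                # Read in 1 MiB chunks so large boot images do not load into memory at once.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def save_baseline(digests, baseline_file):
    """Persist the digest map as JSON; keep this file off the monitored machine."""
    Path(baseline_file).write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def diff_against_baseline(current, baseline):
    """Classify differences: files added, changed or removed since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "changed": changed, "removed": removed}


def demo():
    """Run the check against a constructed stand-in for an ESP (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp) / "esp"
        boot_dir = esp / "EFI" / "Microsoft" / "Boot"
        boot_dir.mkdir(parents=True)
        # Constructed placeholder content; not a real boot manager image.
        (boot_dir / "bootmgfw.efi").write_bytes(b"constructed boot manager")
        baseline_file = Path(tmp) / "esp-baseline.json"
        save_baseline(hash_tree(esp), baseline_file)

        # Simulate what a later scan might see: one file altered, one unexpected file present.
        (boot_dir / "bootmgfw.efi").write_bytes(b"constructed, modified")
        (boot_dir / "extra.efi").write_bytes(b"constructed unexpected file")

        return diff_against_baseline(hash_tree(esp), load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use, take the baseline right after a known-good OS install or firmware update, store it somewhere the monitored machine cannot write to, and rerun the comparison on a schedule; legitimate changes (OS boot-manager updates, firmware capsule updates) should correspond to a known change window.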