
Super-Evil Root Kit Survives Even Swapping Out the Disk Drive

A rootkit (see definition) is a type of malware that masks its presence on a system and is typically very hard to detect and remove.

Enter an entirely new type of rootkit which is not only very hard to detect but, for all intents and purposes, impossible to remove.

Not too surprisingly, this rootkit was launched by the Russian spy agency GRU.

But, again not too surprisingly, it was invented by us (the CIA) and got out into the wild when the Vault 7 leaks happened.

Why is this rootkit more evil than other rootkits?

Because it survives reformatting the disk.

It survives reinstalling the OS from a known good copy.

It even survives replacing the hard disk.

How is this possible? It is because it compromises the UEFI (the replacement for the computer's BIOS) and lives there.

The ONLY way to get rid of it is to reprogram (known as “flashing”) the UEFI chips, if that is even possible, or to replace the system board.

Importantly, NO antivirus software will detect it (that is a common characteristic of a rootkit).

Realistically, the only way to detect it is to watch for what it is doing, such as network traffic to or from unexpected websites.
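As an added illustration of that kind of watching (this is example code written for this alert, not anything from KnowBe4 or from the researchers who analysed the rootkit), the script below runs a simple "rare destination" hunt over proxy log lines: an implant the antivirus cannot see still has to talk to its operators, so it looks for destinations outside an expected allowlist that only one machine in the fleet ever contacts, and then reports the spacing between those contacts, since a fixed cadence suggests a scheduled check-in. The log format, host names, domains and allowlist are all constructed for the example.

```python
"""
Rare-destination hunt over proxy logs (example code, constructed data).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<UTC timestamp> <source host> <destination host>"
SAMPLE_LOG = """\
2018-10-01T08:01:12Z ws-01 www.example.com
2018-10-01T08:01:15Z ws-02 www.example.com
2018-10-01T08:02:40Z ws-03 update.example.net
2018-10-01T08:03:01Z ws-01 update.example.net
2018-10-01T08:05:22Z ws-07 cdn-relay.example.org
2018-10-01T08:06:09Z ws-02 mail.example.com
this line is malformed and must be skipped
2018-10-01T12:05:23Z ws-07 cdn-relay.example.org
2018-10-01T16:05:24Z ws-07 cdn-relay.example.org
2018-10-01T16:07:00Z ws-04 www.example.com
"""

# Destinations the organisation expects to see; everything else is "unexpected".
ALLOWLIST = {"www.example.com", "update.example.net", "mail.example.com"}


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse lines into (timestamp, source, destination); skip anything malformed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2].lower()))
    return records


def rare_destinations(records, allowlist, max_sources: int = 1) -> dict[str, list[str]]:
    """Destinations outside the allowlist contacted by at most max_sources distinct hosts."""
    sources_by_dest = defaultdict(set)
    for _, src, dst in records:
        if dst not in allowlist:
            sources_by_dest[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in sources_by_dest.items()
            if len(srcs) <= max_sources}


def contact_intervals(records, dest: str) -> list[int]:
    """Seconds between successive contacts to dest; near-identical gaps suggest a scheduled beacon."""
    times = sorted(ts for ts, _, dst in records if dst == dest)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def hunt(text: str = SAMPLE_LOG) -> dict[str, dict]:
    """Run the hunt: per rare destination, which hosts contacted it and on what cadence."""
    records = parse_log(text)
    return {dst: {"sources": srcs, "intervals": contact_intervals(records, dst)}
            for dst, srcs in rare_destinations(records, ALLOWLIST).items()}


if __name__ == "__main__":
    for dst, info in hunt().items():
        print(f"{dst}: contacted by {info['sources']}, intervals {info['intervals']}s")
```

On the sample data the only hit is cdn-relay.example.org, reached by a single workstation every four hours and one second. On real logs the allowlist would come from the proxy's own history over a known-clean period, and the `max_sources` threshold would be raised for larger fleets; the point is that this check runs on the network side and does not depend on anything the compromised machine reports about itself.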

For most people the only way to get rid of it will be to replace the computer.

Now that this UEFI rootkit, called LoJax, is in the wild, others will copy what the GRU and CIA have done.

So what do you do?

For newer motherboards, you can configure the UEFI to protect itself and not allow software to update it until you unlock it. Only some systems support this.

Also, look for software that will allow you to detect malware in the UEFI. Likely, it will be software that you have to boot from, so that the rootkit can't intercept it.
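To show the kind of check such software performs, here is an added example (written for this alert, not code from any scanning product or from the page's source): it locates the UEFI firmware volumes in a dump of the flash chip by their standard `_FVH` header signature, verifies each header's checksum, hashes each volume, and compares the result against a baseline recorded when the machine was known to be clean. It assumes the dump was read by a tool the rootkit could not interfere with and that such a baseline exists; the firmware images it scans are constructed in the script itself, and a real tool would go further by parsing the files inside each volume and checking their signatures.

```python
"""
Baseline comparison of UEFI firmware volumes in a flash dump (example code).
Header layout follows EFI_FIRMWARE_VOLUME_HEADER from the UEFI PI spec:
FvLength at offset 32, '_FVH' signature at 40, HeaderLength at 48, Checksum at 50.
"""
import hashlib
import struct

FV_SIGNATURE = b"_FVH"
FV_SIGNATURE_OFFSET = 40
FV_HEADER_FIXED_LEN = 56      # fixed part of the header, before the block map


def _header_checksum_ok(header: bytes) -> bool:
    """The Checksum field makes the 16-bit word sum of the whole header zero."""
    if len(header) % 2:
        return False
    total = sum(struct.unpack("<%dH" % (len(header) // 2), header)) & 0xFFFF
    return total == 0


def find_firmware_volumes(image: bytes) -> list[dict]:
    """Scan for '_FVH' signatures; return well-formed volumes with offset, length and hash."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - FV_SIGNATURE_OFFSET
        if start >= 0 and start + FV_HEADER_FIXED_LEN <= len(image):
            fv_length, = struct.unpack_from("<Q", image, start + 32)
            header_len, = struct.unpack_from("<H", image, start + 48)
            end = start + fv_length
            if (FV_HEADER_FIXED_LEN <= header_len <= fv_length
                    and end <= len(image)
                    and _header_checksum_ok(image[start:start + header_len])):
                volumes.append({"offset": start, "length": fv_length,
                                "sha256": hashlib.sha256(image[start:end]).hexdigest()})
                pos = image.find(FV_SIGNATURE, end)   # skip over the whole volume
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)      # false match; keep scanning
    return volumes


def compare_to_baseline(volumes: list[dict], baseline: dict[int, str]) -> list[str]:
    """baseline maps volume offset -> expected sha256 from a known-good dump."""
    findings, seen = [], set()
    for v in volumes:
        seen.add(v["offset"])
        expected = baseline.get(v["offset"])
        if expected is None:
            findings.append(f"unexpected firmware volume at 0x{v['offset']:x}")
        elif expected != v["sha256"]:
            findings.append(f"firmware volume at 0x{v['offset']:x} modified")
    for off in sorted(set(baseline) - seen):
        findings.append(f"baseline firmware volume at 0x{off:x} missing")
    return findings


def build_volume(body: bytes, block_size: int = 0x1000) -> bytes:
    """Constructed test data: a minimal valid FV header plus a padded body."""
    header_len = FV_HEADER_FIXED_LEN + 16          # one block-map entry + terminator
    total = header_len + len(body)
    padded = (total + block_size - 1) // block_size * block_size
    header = bytearray(header_len)                 # ZeroVector and GUID left zero
    struct.pack_into("<Q", header, 32, padded)     # FvLength
    header[40:44] = FV_SIGNATURE
    struct.pack_into("<H", header, 48, header_len)  # HeaderLength
    header[55] = 2                                 # Revision
    struct.pack_into("<II", header, 56, padded // block_size, block_size)  # block map
    word_sum = sum(struct.unpack("<%dH" % (header_len // 2), header)) & 0xFFFF
    struct.pack_into("<H", header, 50, (-word_sum) & 0xFFFF)  # Checksum
    return bytes(header) + body + b"\xff" * (padded - total)


def demo() -> dict[str, list[str]]:
    """Clean dump, a dump with one volume altered, and a dump with an extra volume added."""
    clean = (b"\xff" * 0x100
             + build_volume(b"PEI core and PEIMs (constructed placeholder)")
             + build_volume(b"DXE core and DXE drivers (constructed placeholder)"))
    baseline = {v["offset"]: v["sha256"] for v in find_firmware_volumes(clean)}

    tampered = bytearray(clean)
    tampered[0x1100 + 72 + 4] ^= 0xFF              # flip a byte in the second volume's body
    extra = clean + build_volume(b"an additional volume (constructed placeholder)")
    return {
        "clean": compare_to_baseline(find_firmware_volumes(clean), baseline),
        "modified": compare_to_baseline(find_firmware_volumes(bytes(tampered)), baseline),
        "added": compare_to_baseline(find_firmware_volumes(extra), baseline),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or ["no change against baseline"])
```

Because the scan works on a raw dump rather than on anything the running system says about itself, it is the sort of check that belongs on bootable media or on a hardware flash reader, which is why the article expects such tools to be ones you boot from.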

Finally, user anti-phishing training is critical, and you have to do it in a sophisticated manner and frequently. KnowBe4, the company that wrote the piece this is based on and for whom we are a reseller, has a great and affordable product in this area.

Source: KB4 Blog