UEFI Bootkit Virtually Impossible to Remove
Bootkits are designed to be undetectable but typically you can reformat the hard drive and reinstall the operating system or, worst case, you can replace the hard drive to disinfect the computer.
But wait, there is more.
Security researchers from Kaspersky. the Russian cybersecurity company that we can never figure out who’s side they are on, disclosed a new bootkit, code name MoonBounce.
This bootkit does not hide anywhere on the hard drive like most bootkits do. That means that formatting the disk or even replacing hard drive WILL NOT get rid of the malware.
So, if it does not hide on the hard drive, where does it hide?
It infects flash memory called SPI memory on the motherboard by taking advantage of flaws.
There are only two ways to get rid of the malware. One is to reflash the SPI memory, an extremely complex task. The other is to replace the motherboard and destroy the old one. Neither is terribly attractive.
Worse yet, given where it lives in the SPI memory controller, there is no easy way to even detect that it is there.
UEFI was designed as a replacement for the old computer BIOS because the BIOS was not secure. The UEFI uses a number of techniques to secure a chain of trust during the boot process to try and stop malicious code from compromising that process. That all works until hackers find bugs in it.
Kaspersky is aware of three bootkits – this one plus LoJax and MosaicRegressor.
But other researchers have found several more including ESPectre, FinSpy’s UEFI bootkit and others.
Kaspersky says this means that what we once thought was impossible – compromising UEFI – is clearly far from that. Still extremely hard, but not impossible.
MoonBounce, Kaspersky says, is the product of China’s APT41.
I am sure that we will learn more about these very rare incursions over time, so stay tuned.
Credit: The Record