
LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group - tcsl_armor
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
======
dplgk
> Computrace/Lo Jack is a legitimate application that is factory installed
> into the firmware of nearly every laptop in the world, of all varieties. The
> idea is that if your laptop gets stolen, you can find it, and/or wipe it
> remotely. This is obviously good, and useful.

How is this so? No one's ever mentioned this when talking about stolen
laptops. They talk about high level software like Prey or whatever Apple uses.
How would you use this to find your laptop? There's a central server that
almost every laptop on earth talks to? Seems highly doubtful.

~~~
ekianjo
[https://en.m.wikipedia.org/wiki/LoJack_for_Laptops](https://en.m.wikipedia.org/wiki/LoJack_for_Laptops)

~~~
josteink
> The software agent behaves like rootkit (bootkit), reinstalling a small
> installer agent into the Windows OS at boot time. This installer later
> downloads the full agent from Absolute's servers via the internet. This
> installer (small agent) is vulnerable to certain local attacks

And once again Linux is a solution.

~~~
SmellyGeekBoy
I'm a full time Linux user so I'm all for fanboying, but the belief that Linux
would be immune to this type of attack is naive at best.

~~~
AnIdiotOnTheNet
> I'm all for fanboying

You probably shouldn't be. All this "fanboying" annoys the hell out of people
because faboys are constantly trying to sell linux as the solution to all
problems, and then when people give them reasons why linux isn't a solution to
their problems they get really defensive and start using canned excuses like
"well it works for me", "you didn't pick the right distro", "normal users
don't need that", "you need to research your hardware", "you have the source
so you could fix it yourself", or even "Windows/MacOS have problems too!".

The community alone is enough reason to avoid linux.

note: in this instance, "linux" is being used as shorthad for "the GNU/Linux
Desktop".

~~~
vardump
> You probably shouldn't be. All this "fanboying" annoys the hell out of
> people because faboys are constantly trying to sell linux as the solution to
> all problems ...

This is true for nearly anything imaginable, not just Linux.

> The community alone is enough reason to avoid linux.

If you selectively pick the worst of any given (tech related) community, you'd
probably be using nothing.

~~~
AnIdiotOnTheNet
> This is true for nearly anything imaginable, not just Linux.

Yes, it is, but that doesn't mean you should be doing it if you actually care
about linux.

> If you selectively pick the worst of any given (tech related) community,
> you'd probably be using nothing.

I'm not selectively picking anything. This is the part of the community I am
constantly exposed to because it is the part that evangelizes.

~~~
inetknght
> I'm not selectively picking anything.

That's definitely why you're hanging out on a website built for armchair
intellectuals. There's definitely no bias on the selection of people who visit
and comment here. /s

~~~
AnIdiotOnTheNet
You're making the assumption I was referring only to encounters on HN.

------
bubblethink
The Lo Jack stuff is a red herring. The main attack vector is SPI write
protection bypass. I'm not sure what they used to get local root though. Once
you can write to the SPI flash, you can write whatever you want, lojack or
not. And this uses some old known vulnerabilities for SPI write bypass. There
have been some of those over the years. I had to use one myself to bypass wifi
whitelists in lenovo bioses. I don't think this would work on platforms with
boot-guard though.

~~~
samirm
that's correct, something like SecureBoot would have prevented this as the
signatures wouldn't have been able to be verified and therefore never
proceeded.

~~~
bubblethink
No secure boot doesn't prevent this directly. Secure boot checks for the
booting OS. Boot guard is what checks the booting BIOS.

------
xvilka
Using flashrom [1] you can dump the contents of your SPI flash for the
inspection and open the image with UEFITool [2]. Both tools are opensource and
developed for years. Some people recommend to use chipsec [3], but it can less
in terms of dumping and unpacking. The state of security in UEFI firmware is
horrible, thing is overengineered and poorly written (bad code practices). Not
to mention Intel ME/AMT/etc that also provide the easy way for attacker to
persist and hide itself once compromised. Projects like coreboot [4] and
vendors like Purism [5] allow the tighter control of your own hardware, but
thanks to Intel it still has a lot of blobs of a bad code. Apple realized they
can't trust Intel and other "BIOS" writers, so working on improving the
security and codebase. Thus the state of affairs is slightly better on
Macbooks. I believe x86 firmware world is beyond any hope to get any better
and everyone should focus on building better hardware/architectures from
scratch. Hopefully companies like Raptor Engineering [6] can shift the mindset
of consumers.

[1] [https://flashrom.org/Flashrom](https://flashrom.org/Flashrom)

[2]
[https://github.com/LongSoft/UEFITool](https://github.com/LongSoft/UEFITool)

[3] [https://github.com/chipsec/chipsec](https://github.com/chipsec/chipsec)

[4] [http://coreboot.org/](http://coreboot.org/)

[5] [https://puri.sm/](https://puri.sm/)

[6]
[https://www.raptorcs.com/content/base/products.html](https://www.raptorcs.com/content/base/products.html)

------
bcaa7f3a8bbc
> _Computrace /Lo Jack is a legitimate application that is factory installed
> into the firmware of nearly every laptop in the world, of all varieties. The
> idea is that if your laptop gets stolen, you can find it, and/or wipe it
> remotely. This is obviously good, and useful._

This is useful, but not obviously good. It's good only if it's securely
implemented, but as a user, I'm not sure. I've disabled Computrace on every
laptop I own, and now stopped worrying about it after installing coreboot.

------
Arbalest
Kind of a shame that security houses are doing legitimate research, but the
products they release just don't have the same effectiveness they used to. If
sales of antivirus is dropping, where will they get their funding from?
Perhaps there needs to be some new approaches to anti-virus. The old fire and
forget method doesn't work anymore, and lots of people/organisations don't
realise that yet. But it won't be like that forever.

~~~
sebcat
> the products they release just don't have the same effectiveness they used
> to. If sales of antivirus is dropping, where will they get their funding
> from?

Anti-virus software was very easy to circumvent in the past. Getting the
kernel32 address from the PEB, having your own PE loader and having most code
xored with the Mersenne twister output in the data segment for obfuscation, as
well as some runtime is_sandbox() heuristics and no AV would detect anything
malicious.

Don't know if it got better or worse, but AV software was not very good at
finding malicious code explicitly written to not run in plain sight in the
past.

~~~
dogma1138
AV isn’t good at finding malicious code that hasn’t been discovered and
classified but it’s also pretty unlikely that you’ll encounter one unless you
are a high value target which is being actively targeted.

Having Windows Defender on is sufficient for the casual threats most people
would encounter.

~~~
inetknght
> it’s also pretty unlikely that you’ll encounter [malicious code that hasn’t
> been discovered and classified] unless you are a high value target which is
> being actively targeted.

This sounds much like survivorship bias to me.

~~~
dogma1138
No this is simply what they are good at it's like a vaccine it won't help you
against mutations or something that was engineered but it's not a reason to
not vaccinate when it's does cover a large number of other infectious
diseases.

So unless you going to say that vaccination is survivorship bias because we
don't have them against some diseases I really don't see your point.

Windows Defender will block virtually every common infection these are what
most people get hit by, it will also block virtually all ransomware and you
can see just how much the ransomware "market" got hit once they implemented it
to see that it is effective.

Yes it won't protect you against NSA or some high end hacking group that
writes completely custom malware to target single individuals but you are also
not likely being the target of these.

But you are likely be target of the 1000's of known threats that are spread
through driveby attacks, infected media and pretty old stuff you'll be
surprised just how common 5 year old infections still are.

------
miles
Worth noting this important caveat mentioned in the article:

> "The tool described above is able to update the system’s firmware only if
> the SPI flash memory protections are vulnerable or misconfigured. Thus, you
> should make sure that you are using the latest available UEFI/BIOS available
> for your motherboard. Also, as the exploited vulnerability affects only
> older chipsets, make sure that critical systems have modern chipsets with
> the Platform Controller Hub (introduced with Intel Series 5 chipsets in
> 2008)."

~~~
Scoundreller
Is it a vulnerability in the SPI chip itself, or is the master allowing writes
that it shouldn’t ?

Does the SPI chip have a write protect line? Or could it be subbed with one
that does?

~~~
jlgaddis
FWIW, some BIOSes have a setting to disable "remote" firmware updates --
although I certainly cannot speak for how reliable that is (and, judging by
past experiences, it isn't very reliable at all).

------
auslander
I miss dearly bios write protect jumpers on motherboards.

~~~
xvilka
The root of the problem that old BIOSes wrote their configuration into the
CMOS memory, while all UEFI-based firmware storing configuration right in the
SPI flash itself. Changing the values of variables every boot, sometimes
performing "garbage collection" for compressing the size. Moreover, ME-like
systems also write into the flash, sometimes even logging events. Every single
boot, this is how it was designed.

------
RachelF
The Register has more details:

[https://www.theregister.co.uk/2018/09/28/uefi_rootkit_apt28/](https://www.theregister.co.uk/2018/09/28/uefi_rootkit_apt28/)

------
teddyh
This is very interesting, to be sure, and I commend everyone involved for
their work in exposing this stuff. But does anyone else get irked by the style
of writing? He’s alternating between implying complete assuredness and being
excessively vague:

> _(2) The perps are probably a Russian hacking group (military, KGB, FSB, or
> something similar), known by a bunch of names, but I call them Fancy Bear,
> for no particular reason other than it was the first name I knew them by,
> and it 's a neat name. These are the same guys that (probably) broke into a
> factory in Taiwan in Feb 2018, and modified firmware in a bunch of
> computers, headed for the German government._

How could he possibly be so sure (that he implies) that this is the same
group? Sure, he adds a couple of “probably”s, but the style is completely
undoubting.

Then, later:

> _(6) Interestingly, the modus operandi of the Lenovo rootkit and the
> modified Lo Jacks, are _remarkably_ similar. This might be pure coincidence…
> or … maybe something else._

Maybe _what_? Why is he being cagey about what it _could_ be? It looks like he
wants the reader to feel like the “in”-group who knows what he means, but in
reality nobody does.

~~~
AlphaWeaver
I didn't get the impression that he was trying to imply anything beyond what
he wrote... I think it was very clear that such speculation had no backing and
was purely that- speculation.

------
guy98238710
I wish there was a reset button on the back of every computer that would
reliably erase all memory and bring the computer back to its initial state.

~~~
mixologic
You've never had to help a family member with their computer, have you? Maybe
a switch on the motherboard, buried inside the case.

~~~
guy98238710
You are probably talking about data loss. That's what online backup is for. My
recommendation to non-technical people is to do what I do: have one four-word
password that unlocks the computer, their password manager, and the online
backup. Typing the password every day to unlock the computer makes super sure
they won't forget it.

But yes, not letting people reset their computer by accident is just good user
interface.

------
rufugee
How can one determine if LoJack is present on their laptop (Linux user
here)...

------
fulafel
Link to original blog post: [https://www.welivesecurity.com/2018/09/27/lojax-
first-uefi-r...](https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-
rootkit-found-wild-courtesy-sednit-group/)

------
romed
These blogs are not very good. Here is the PDF about this vuln.

[https://www.welivesecurity.com/wp-
content/uploads/2018/09/ES...](https://www.welivesecurity.com/wp-
content/uploads/2018/09/ESET-LoJax.pdf)

I don’t know why security-conscious people would willingly load a PDF but
there you go.

~~~
jl6
Are you saying PDFs are a threat? More so than a web page?

~~~
applecrazy
Slightly OT, but you would be surprised at how much power PDFs have
(especially when opened in Adobe Acrobat/Reader). I recently came across this
monstrosity[1] on HN, and the author mentions this:

> Scripts can supposedly do things like make arbitrary database connections,
> detect attached monitors, import external resources, and manipulate 3D
> objects.

That's an unprecedented level of power for what is supposedly a simple
document format.

That being said, PDFs are only a threat when opened in a with support for
these obscure APIs, such as Adobe's own readers. You (probably) will be fine
opening untrusted PDFs in Chrome's PDF reader (PDFium) and Preview.

[1]: [https://github.com/osnr/horrifying-pdf-
experiments](https://github.com/osnr/horrifying-pdf-experiments)

~~~
ggm
You should totes makes this a top level HN post!!!! (I typed in my statutory
copied one line NeWS program back in the day too. Never again)

~~~
JdeBP
[https://news.ycombinator.com/item?id=17915296](https://news.ycombinator.com/item?id=17915296)

