Hacking Team Uses UEFI BiOS Rootkit to Keep RCS 9 Agent in Target Systems - apaprocki
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/

======
bediger4000
This is the most interesting Hacking Team revelation yet.

First, a production UEFI bootkit! Yahoo! That's a milestone.

Second, fiddling with Bitcoin wallets. Between the bootkit and the Bitcoin
fiddling, Hacking Team is just a small step away from a Zeus Botnet. That is,
HT is hanging ten on the precipice of crime, it looks like.

Third, this line from HT CEO David Vincenzetti:

_a modification of the actual Bitcoiin [sic], something different, fully
traceable and supported by clearing houses and the global financial system as
a whole might have a future._

If truly Vincenzetti's viewpoint, that line demonstrates a slide to
authoritarianism. According to accounts, Vincenzetti was an early privacy
advocate. A cypherpunk wouldn't be able to speak the phrase "fully traceable"
except as an insult.

Are we seeing the result of money corrupting, or are authoritarian world views
the inevitable result of working in the defense industrial complex?

~~~
toyg
Vincenzetti ends several emails with clear neo-fascist slogans (_"Boia chi
molla"_ etc.). Some circles in the Italian hacking scene have long had right-
wing connotations.

_> are authoritarian world views the inevitable result of working in the
defense industrial complex?_

Is this even a question? If your livelihood depended on selling batons, you'd
be extremely supportive of the police, wouldn't you?

~~~
bediger4000
There's involvement and then there's commitment, as the pig said to the
chicken about breakfast.

I'm wondering if merely getting a job programming for a defense company leads
to a moral slide into authoritarianism. You know, suppose you're doing
sysadmin for HT - is that enough to start warping your view of the world?

Also there's the involvement in actions just short of creating a banking-
credential-stealing botnet. False BGP announcements, sniffing for bitcoin
credentials and stuff is the domain of Russian and Romanian "Bad Guys". How on
earth can an employee justify doing that sort of thing?

~~~
pjc50
_is that enough to start warping your view of the world_

That's certainly how cognitive dissidence works. People will do great mental
gymnastics to avoid seeing themselves as one of the bad guys.

~~~
mosdave
while I think "cognitive dissonance" is the phrase you were looking for, you
just came up with a great punk band name.

~~~
scintill76
Also "cognitive dissidents", which sounds the same but is a noun and thus
maybe better for a band name. Both already have hits on Google. :)

~~~
glcd
"Cognitive Dissidents" was used in William Gibson's novel Neuromancer. :)

glcd.bandcamp

------
acd
This is what I thought when viewing my latest computer that came with a UEFI
BIOS. That the UEFI BIOS is too large and too complex and has way too many
functions to be a BIOS device, hence a perfect place to put advanced malware.

It's like an operating system before the operating system, has its own FAT32
system partition where you can store stuff.

Also after a few years your manufacturer will stop shipping UEFI BIOS updates
for your computer due to their interest in selling new computers and then
there will be a lurking security hole lying around.

~~~
RexRollman
UEFI is simply over-engineered.

~~~
wyldfire
And yet traditional BIOSes reuse features, implementation and design from the
dawn of personal computing. They strike me as an unreliable black art.

Bootstrapping computers is "hard" and there's a huge disincentive to breaking
compatibility with operating systems' installation/bootstrapping.

I'm not sure if EFI/UEFI are ideal, but it strikes me as a net win.

~~~
RexRollman
Without a doubt, the classic BIOS needed improvement, but we didn't need this.
The situation reminds me of IPv6, which is also grossly over-engineered.

------
userbinator
Look up Computrace; it's very similar in operation but is installed by default
in most BIOSes as a theft-prevention measure.

_Admins managing servers can also opt to buy a server with physical BIOS
write-protection, wherein the user will need to put a jumper or turn on a dip
switch in order to update the BIOS._

Motherboards with hardware write-protected BIOSes were common around the turn
of the century, when flash EEPROMs started replacing EPROMs for BIOS storage.
Too bad the tiny amount of extra BOM cost and what seem to be increasingly
buggy BIOSes that require frequent updates have made them mostly disappear...

I wonder how much the "it can always be updated later" mentality prevalent
today has led to a higher defect rate in code - it seems to me that if it's
harder to change something once it's released, there is more incentive to get
it right the first time. I can't remember there being any significant bugs
with BIOS in the early machines I used (386/486 era) and those basically never
needed to be updated; although PCs have gotten considerably more complex
since, especially with things like UEFI, perhaps not all of that complexity is
warranted and it wouldn't have manifested itself if BIOSes had remained
difficult-to-modify?

------
z3t4
All it takes to install a (BIOS) rootkit is root access ... In Windows this
means answering Yes on the question "Do you want to allow the following
program to make changes to your computer".

Remember to flash the BIOS if you've been hacked!

~~~
throwaway7767
If your system firmware has already been compromised, you cannot trust that
reflashing it will bring it back to a good state. Flashing relies on
assistance from the existing system firmware on modern machines.

You would have to open the machine, desolder the flash chips and re-write them
in a flash programmer to get a clean slate. Or, if your adversary is very
high-level, just throw the machine away, since you'll never be able to find
all the places one could hide persistent malware in hardware.

Once you lose physical control of a machine, it's game over if you are
concerned about hardware/firmware attacks.

~~~
raverbashing
No need to desolder, several ones are removable

Some motherboards even have a backup one

~~~
snuxoll
> Some motherboards even have a backup one

Are they detached and non-writable while the primary ROM is active? I have
consistently used Gigabyte boards for a decade because of the extra features
that come with them, Backup BIOS being a key one — in the old days I would
have to flip a jumper on the board to make the system boot from the backup,
today the secondary ROM gets automatically enabled if the primary one fails to
load.

I wouldn't trust the secondary flash ROM on my motherboard to protect me from
APT, its only purpose is to recover from a failed flash.

~~~
raverbashing
Yeah, I'm not sure if they're read only without a jumper or software writeable
without any protection

------
gesman
UEFI BIOS - Road to hell that was paved with good intentions

~~~
Someone1234
Why exactly? A lot of people's issues with UEFI seem to stem from Secure Boot
(and the lack of additional CAs contained within). And while I grant that
Secure Boot is problematic, UEFI is actually taking us away from the black box
firmware that was BIOS.

In many ways this type of stuff has always been possible, the only difference
is the skill threshold has been lowered. So I guess the question is do you
believe in the phrase: "Ignorance is bliss?" Because that's what you're asking
for, back to BIOS where these things are still readily doable, just requiring
more technical skill and time.

------
defective
Luckily, this at least requires physical access.

~~~
higherpurpose
Perfect for TAO.

------
fdb
Silly question perhaps, but does this apply to Macs as well?

------
paulmd
Hey guys that BadBios is totally impossible, agreed? What a scrub, UEFI
viruses are impossible. lol psychotic break amirite

I caught a message on the Windows install reboot about "Intel AMT activated"
during a clean reformat - but in BIOS it shows deactivated on reboot.
Kaspersky/Malwarebytes/CCleaner shows clean on every scan for system files -
I'm seriously wondering whether I need to dump this machine hardware and all.
The cause for the reformat in the first place was a potential virus infection,
maybe a rootkit. I didn't want to let it back on my network after I scanned a
cryptolocker variant in my temp folder.

~~~
alfiedotwtf
Just curious, is there any reason why you may be considered an interesting
target to the NSA and friends?

~~~
paulmd
No, I'm more suspicious of generic botnet/ransomware stuff. Which probably
isn't anything that sophisticated.

That was yesterday. Having slept on it, I think the most likely cause is that
I happened on a key combination that tries to poll status or activate AMT
during POST/early boot (eg maybe something for service techs to load/auto-
configure AMT off PXE or USB or something). An auto-loader for AMT wouldn't
thrill me either, of course. Finding a cryptolocker installer in my Temp
folder just has me running paranoid, I've never seen that particular message
appear before, and it was gone before I could really get a good look.

Managed to dig up this paper on some of the potential black-hat applications
of AMT [1]. Happened on another interesting one on Intel SGX [2]. It's
certainly a net positive to have virtualization/sandboxing, secure enclaves,
etc in our systems - but it always bugs me that they paradoxically create the
potential for rootkits that are impossible to pry out once they're situated.

The idea of a platform-neutral technology that could serve as a vector for
malware is a particularly disturbing one to me. Developing viruses for each
individual BIOS implementation is something of a barrier to large-scale
contagion of such malware, but there's probably a much smaller number of (eg)
AMT or SGX versions with significant code overlap.

[1] [http://me.bios.io/images/0/0f/Csk_lacon12_intel_amt.pdf](http://me.bios.io/images/0/0f/Csk_lacon12_intel_amt.pdf)

[2] [http://theinvisiblethings.blogspot.com/2013/09/thoughts-on-intels-upcoming-software.html](http://theinvisiblethings.blogspot.com/2013/09/thoughts-on-intels-upcoming-software.html)