UEFI-Rootkit


I remember a little while back, the year was 2011. Those were the last of my consumer Windows tech support days before I specialized in cybersecurity. I would buy Maximum PC magazines in print, because the “no books or magazines at your desk” rule very specifically excluded anything related to computer technology. So Psychology Today had to wait until I was on the bus ride home.

Anyway, one issue that year had a feature on UEFI, a technology that was just starting to become more common in consumer PCs. Better quality motherboards for Intel Core i5 and i7 reliably had UEFI back then. Now in 2018, it’s unusual for a new x86-64/amd64 motherboard to ship with an old-fashioned BIOS; UEFI is the standard. UEFI stands for Unified Extensible Firmware Interface, a specification for the firmware that initializes and checks the PC’s hardware and then hands control to the operating system’s boot loader, replacing the legacy BIOS. I loved looking at UEFI GUIs, all of the extra options and even mouse support! The possibility of network connectivity before booting into an operating system sounded promising. Most of my work back then was remote support, and it would have been very convenient for me to be able to fix hardware configuration or boot order issues on my own. Because I could only remote into a user’s PC once Windows was running, it would really test my patience to give users instructions over the phone. “You need to change the boot order, so we can reinstall Windows from your DVD.” “I need you to hit F8 at the right time, so you can boot into Windows Safe Mode.” Sometimes my customers were not very computer literate, and it was a challenging part of my job.

But because I already thought like a cybersecurity professional, I was also concerned about the increased attack surface of UEFI compared to BIOS-based systems. A cyber attacker who gains control of a target PC before the operating system boots could really wreak havoc: code running in firmware sits below the operating system and its security software, and it survives a Windows reinstall or a disk swap.

I’m actually surprised that it took until 2018 for there to be UEFI rootkit malware that’s not just a proof-of-concept.

LoJax is a trojanized version of Absolute Software’s legitimate LoJack anti-theft agent. Early versions of LoJax were spotted during the first part of 2017. The BIOS and UEFI persistence feature of the legitimate product is what makes it such attractive raw material for a rootkit. Researchers explained how the feature was implemented in Computrace, the precursor to today’s LoJack software:

“Computrace attracted attention from the security community mostly because of its unusual persistence method. Since this software’s intent is to protect a system hardware from theft, it is important that it resists OS re-installation or hard drive replacement. Thus, it is implemented as a UEFI/BIOS module, able to survive such events. This solution comes pre-installed in the firmware of a large portion of laptops manufactured by various OEMs, waiting to be activated by users. This activation step can be done through a BIOS option.”

LoJax is a weapon for APT (advanced persistent threat) operations, so LoJax attacks are very targeted. When the toolkit is deployed on a targeted machine, the attackers first collect low-level details of its platform configuration, such as PCI Express, memory, and PCI option ROM settings, then read the system firmware out of the SPI flash, patch the image, and write it back. From then on they control the computer at the UEFI level, not merely inside the operating system.

The first stage of a LoJax attack is to get the malicious DXE driver into the machine’s system firmware. The reflashing is performed from Windows, using a legitimately signed third-party kernel driver for raw hardware access, and it only succeeds when the platform’s SPI flash write protection is misconfigured or can be raced. Because the implanted driver is unsigned, a firmware that enforces Secure Boot on the drivers it loads will refuse to run it.

If the driver is implanted as the attacker intended, it runs on every boot and registers a callback on the firmware’s ready-to-boot event. That event fires when the UEFI boot manager has chosen a boot device and is about to hand over control. At that point the callback uses an embedded NTFS driver to write its payloads into the Windows partition and adjusts the registry so the dropped loader runs early in Windows start-up, re-infecting the operating system even after a clean install. With persistence anchored in the firmware, the attackers’ command and control servers keep a far deeper hold on the target than a typical RAT (remote access trojan) infection would give them.

Researchers attribute LoJax to the Sednit APT group (also known as APT28 or Fancy Bear, and widely linked to Russia) with high confidence, for several reasons: LoJax infections were found alongside Sednit’s other tools on government computers in the Balkans and in Central and Eastern Europe, and the domain names of the LoJax command and control servers are ones Sednit has used before.

Because LoJack is legitimate, widely deployed software, antivirus products often whitelist it. The trojanized LoJax agent differs from the genuine one in little more than its hard-coded command and control address, so it inherits that trust and slips through the cracks.

Keeping your UEFI firmware up to date can prevent LoJax infections: the flashing tool depends on the SPI flash write protection being misconfigured or on a race condition in older firmware, and a correctly locked-down flash cannot be rewritten from the operating system. Enabling Secure Boot lets the firmware reject the unsigned LoJax driver. Plus, advanced and frequently updated malware detection heuristics (like Comodo’s) can stop the Windows-side tools before they ever touch the firmware. And if a machine has already been implanted, reinstalling Windows or replacing the disk does nothing; the firmware has to be reflashed with a clean vendor image, or the motherboard replaced.
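Since a Windows reinstall cannot detect or remove an implant like this, the practical check is to dump the SPI flash (with the vendor’s flashing tool or an external programmer) and inventory the drivers inside it. The script below, an added example written for this post and not code from ESET, Absolute Software or Comodo, walks the firmware volumes in such a dump, lists every file in the firmware file system, and flags DXE-phase drivers whose GUID is not on a known-good list taken from a clean vendor image. It covers both the DXE-driver implant described earlier and the firmware-update advice above. Only the public UEFI firmware-volume and FFS header layout is assumed; the sample image, its GUIDs and the known-good list are constructed inline for illustration and are not from any real firmware.

```python
"""Inventory DXE-phase files in a dumped UEFI firmware image and flag any not on a
known-good list. Added example for this post; relies only on the public UEFI PI
firmware-volume / FFS layout. Sample image, GUIDs and known-good list are constructed."""
import struct
import uuid

FV_SIGNATURE = b"_FVH"                               # EFI_FIRMWARE_VOLUME_HEADER.Signature (offset 40)
FFS2_GUID = "8C8CE578-8A3D-4F1C-9935-896185C32DD3"   # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS_HEADER_LEN = 24                                  # sizeof(EFI_FFS_FILE_HEADER)
FFS_ALIGN = 8                                        # file headers are 8-byte aligned within a volume
FILE_TYPES = {                                       # EFI_FV_FILETYPE values
    0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE",
    0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x08: "COMBINED_PEIM_DRIVER",
    0x09: "APPLICATION", 0x0A: "SMM", 0x0B: "FIRMWARE_VOLUME_IMAGE",
    0x0C: "COMBINED_SMM_DXE", 0x0D: "SMM_CORE", 0xF0: "FFS_PAD",
}
DXE_TYPES = {"DXE_CORE", "DRIVER", "COMBINED_PEIM_DRIVER", "COMBINED_SMM_DXE"}


def guid_str(raw: bytes) -> str:
    """FFS stores GUIDs in the mixed-endian layout that uuid calls bytes_le."""
    return str(uuid.UUID(bytes_le=raw)).upper()


def find_volumes(image: bytes):
    """Yield (fv_start, fv_length, header_length) for every volume in the image."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40                             # the signature lives 40 bytes into the header
        if start >= 0 and start + 56 <= len(image):
            fv_len, = struct.unpack_from("<Q", image, start + 32)
            hdr_len, = struct.unpack_from("<H", image, start + 48)
            if 56 <= hdr_len < fv_len <= len(image) - start:
                yield start, fv_len, hdr_len
        pos = image.find(FV_SIGNATURE, pos + 1)


def list_files(image: bytes, fv_start: int, fv_len: int, hdr_len: int) -> list:
    """Walk one volume's FFS files; returns [(guid, type_name, size_including_header)]."""
    files = []
    off, end = fv_start + hdr_len, fv_start + fv_len
    while off + FFS_HEADER_LEN <= end:
        hdr = image[off:off + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:          # erased flash: free space, no more files
            break
        ftype = hdr[18]                              # EFI_FFS_FILE_HEADER.Type
        size = int.from_bytes(hdr[20:23], "little")  # 24-bit Size, header included
        if size < FFS_HEADER_LEN or off + size > end:
            break                                    # corrupt header: stop instead of looping
        files.append((guid_str(hdr[:16]), FILE_TYPES.get(ftype, f"0x{ftype:02X}"), size))
        rel = off - fv_start + size                  # alignment is relative to the volume start
        off = fv_start + ((rel + FFS_ALIGN - 1) & ~(FFS_ALIGN - 1))
    return files


def unexpected_dxe_files(image: bytes, known_good: set) -> list:
    """DXE-phase files whose GUID is missing from the vendor's known-good inventory."""
    hits = []
    for fv_start, fv_len, hdr_len in find_volumes(image):
        for guid, ftype, size in list_files(image, fv_start, fv_len, hdr_len):
            if ftype in DXE_TYPES and guid not in known_good:
                hits.append((guid, ftype, size))
    return hits


# ---- constructed sample image (not a real firmware dump) ----------------------
def ffs_file(guid: str, ftype: int, body: bytes) -> bytes:
    size = FFS_HEADER_LEN + len(body)
    return (uuid.UUID(guid).bytes_le + b"\x00\x00"         # Name, IntegrityCheck (not verified here)
            + bytes([ftype, 0x00])                          # Type, Attributes
            + size.to_bytes(3, "little") + b"\xf8" + body)  # Size, State, then the file body


def sample_volume(entries) -> bytes:
    body = b"".join(f + b"\xff" * (-len(f) % FFS_ALIGN) for f in (ffs_file(*e) for e in entries))
    hdr_len = 72                                            # 56-byte header + one block-map entry + terminator
    fv_len = hdr_len + len(body) + 64                       # 64 bytes of erased space after the last file
    header = (b"\x00" * 16 + uuid.UUID(FFS2_GUID).bytes_le
              + struct.pack("<Q4sIHHHBB", fv_len, FV_SIGNATURE, 0, hdr_len, 0, 0, 0, 2)
              + struct.pack("<IIII", 1, fv_len, 0, 0))      # BlockMap[]: one block, then the terminator
    return header + body + b"\xff" * 64


VENDOR_DXE_CORE = "11111111-2222-4333-8444-555555555555"   # constructed stand-in GUIDs
VENDOR_DRIVER = "66666666-7777-4888-9999-AAAAAABBBBBB"
ROGUE_DRIVER = "DEADBEEF-0000-4000-8000-000000000001"      # plays the part of an implanted DXE driver
KNOWN_GOOD = {VENDOR_DXE_CORE, VENDOR_DRIVER}
SAMPLE_IMAGE = b"\xff" * 128 + sample_volume([             # 128 bytes of unrelated flash before the volume
    (VENDOR_DXE_CORE, 0x05, b"dxe core stub"),
    (VENDOR_DRIVER, 0x07, b"vendor driver stub"),
    ("0BADC0DE-1234-4321-8888-CAFEBABE0001", 0x01, b"raw setup data"),  # RAW file: not DXE, ignored
    (ROGUE_DRIVER, 0x07, b"implanted driver stub"),
])

if __name__ == "__main__":
    for guid, ftype, size in unexpected_dxe_files(SAMPLE_IMAGE, KNOWN_GOOD):
        print(f"UNEXPECTED {ftype} {guid} ({size} bytes)")
```

Run against a real dump, the known-good set should come from a clean image of the same firmware version, since every vendor build ships a different list of drivers. A GUID match is only a first filter: an attacker can reuse a legitimate driver’s GUID, so the next step is to compare the file bodies (or their hashes) against the clean image as well, which is what a full firmware-diffing tool does.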
