I remember a little while back, in 2011. Those were the last of my consumer Windows tech support days before I specialized in cybersecurity. I would buy Maximum PC magazines in print, because the “no books or magazines at your desk” rule very specifically excluded anything related to computer technology. So Psychology Today had to wait until I was on the bus ride home.
Anyway, one issue that year had a feature on UEFI, a technology that was just starting to become common in consumer PCs. Better-quality motherboards for Intel Core i5 and i7 reliably had UEFI back then. Now, in 2018, it is unusual for a new x86-64/amd64 motherboard to ship with an old-fashioned BIOS; UEFI is the standard. UEFI stands for Unified Extensible Firmware Interface. It is the specification for the firmware that initializes and checks the PC's hardware components and then hands off to your operating system's bootloader, and it is far more sophisticated than the legacy BIOS it replaces. I loved looking at UEFI GUIs, with all of the extra options and even mouse support! The possibility of network connectivity before booting into an operating system sounded promising. Most of my work back then was remote support, and it would have been very convenient to be able to fix hardware configuration or boot order issues on my own. Because I could only remote into a user's PC once Windows was running, giving users instructions over the phone really tested my patience: “You need to change the boot order so we can reinstall Windows from your DVD.” “I need you to hit F8 at the right time so you can boot into Windows Safe Mode.” Some of my customers were not very computer literate, and it was a challenging part of my job.
But because I already thought like a cybersecurity professional, I was also concerned about the larger attack surface of UEFI compared to BIOS-based systems. An attacker who could remotely control a target PC before it booted into an operating system could wreak havoc, and would be sitting underneath every defense the operating system provides.
I'm actually surprised that it took until 2018 for a UEFI rootkit to turn up in the wild rather than only as a proof of concept.
LoJax is a malicious modification of Absolute Software's legitimate LoJack anti-theft software. Early trojanized LoJack agents were spotted during the first part of 2017. What makes the malware fascinating is the BIOS and UEFI persistence feature it borrows from the legitimate product. Researchers explained how that feature is implemented in Computrace, the precursor to the LoJack software:
“Computrace attracted attention from the security community mostly because of its unusual persistence method. Since this software’s intent is to protect a system hardware from theft, it is important that it resists OS re-installation or hard drive replacement. Thus, it is implemented as a UEFI/BIOS module, able to survive such events. This solution comes pre-installed in the firmware of a large portion of laptops manufactured by various OEMs, waiting to be activated by users. This activation step can be done through a BIOS option.”
LoJax is a weapon for APT (advanced persistent threat) attacks, so LoJax infections are highly targeted. Once the malware is deployed on a targeted machine, the attackers control the computer at the UEFI level and can also read sensitive details of the hardware configuration, such as PCI Express, memory and PCI Option ROM settings.
The first stage of a LoJax attack is to get the malicious DXE driver component into the target machine's UEFI firmware, where it executes during boot, before Windows loads. Because the driver is unsigned, it won't be loaded if Secure Boot is enabled.
If the driver runs as the attacker intended, it creates an event associated with a Notify function. The event is triggered when the UEFI boot manager chooses a boot device. At that point the driver locates the Windows NTFS volume and writes its payloads into the file system, so both the firmware and the operating system are infected. Because the firmware re-drops the payload on every boot, the infection survives a reinstallation of Windows or even a hard drive replacement, and the attackers' command-and-control servers gain far deeper control of the target machine than with a typical RAT (remote access trojan) infection.
Researchers are almost certain that LoJax is the work of the Russian Sednit APT group, for several reasons. LoJax infections were found on government computers in the Balkans and in Central and Eastern Europe, and the domain names associated with the LoJax command-and-control servers are linked specifically to Sednit.
Because LoJack is legitimate software, antivirus products often whitelist it. The malicious LoJax agent is mostly identical to the benign LoJack agent, so it slips through the cracks.
Keeping your UEFI firmware up to date helps prevent LoJax infections: the rootkit has to be written into the system's SPI flash, which it could only do on machines whose firmware left the flash write protections misconfigured, and vendor firmware updates fix exactly that kind of misconfiguration. Enabling Secure Boot stops the unsigned LoJax driver from being loaded. Note that Secure Boot only checks components as the firmware loads them; it is the flash write protection that keeps a rootkit from being written into the firmware in the first place, so both settings matter. Plus, advanced and frequently updated malware detection heuristics (like Comodo's) can stop the initial compromise before the attackers ever reach the firmware.
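The two things a practitioner can check from inside Windows follow directly from the mechanism and the defenses described above: whether the platform would even refuse an unsigned DXE driver (firmware type, Secure Boot state, firmware age), and whether the native-program entry point the dropped payload uses has been tampered with. ESET's published analysis of LoJax reports that the payload written to the NTFS volume gains execution by retargeting the BootExecute value, which smss.exe runs before any service or antivirus driver, away from the default autochk program. The following triage script is an added example written for this page; it is not code from the page, from ESET or from Comodo. It assumes an elevated PowerShell session on Windows 8 or later (for `$env:firmware_type` and the SecureBoot module) and that the clean default BootExecute value is `autocheck autochk *`.

```powershell
# lojax-triage.ps1 (added example, not from the page or from ESET/Comodo)
# Run in an elevated PowerShell on the machine under investigation.
# Collects the signals relevant to LoJax-style UEFI persistence:
#   1. firmware type and Secure Boot state
#   2. firmware version and release date (is it current for this OEM?)
#   3. the BootExecute value that ESET's analysis reports LoJax retargets
#      from autochk to its own dropped native program
#   4. Authenticode status and hash of any System32 executable named there
# Assumption: clean default BootExecute is exactly "autocheck autochk *".

$findings = New-Object System.Collections.Generic.List[string]

# 1. Firmware type and Secure Boot
$firmwareType = $env:firmware_type            # "UEFI" or "Legacy"
try {
    $secureBoot = Confirm-SecureBootUEFI       # $true/$false; throws on legacy BIOS or without admin rights
} catch {
    $secureBoot = $null
    $findings.Add("Secure Boot state could not be read: $($_.Exception.Message)")
}
if ($firmwareType -eq 'UEFI' -and $secureBoot -ne $true) {
    $findings.Add('UEFI firmware with Secure Boot disabled: an unsigned DXE driver like the LoJax module would not be refused')
}

# 2. Firmware version, for the "keep your firmware up to date" recommendation
$bios = Get-CimInstance -ClassName Win32_BIOS
$firmwareInfo = '{0} {1} (released {2:yyyy-MM-dd})' -f $bios.Manufacturer, $bios.SMBIOSBIOSVersion, $bios.ReleaseDate

# 3. BootExecute: every entry here runs before services and AV drivers are up
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$bootExecute = @((Get-ItemProperty -Path $sessionManager -Name BootExecute).BootExecute)
$defaultEntry = 'autocheck autochk *'
$system32 = Join-Path $env:SystemRoot 'System32'

foreach ($entry in $bootExecute) {
    if ($entry -eq $defaultEntry) { continue }
    $findings.Add("Non-default BootExecute entry: '$entry'")

    # 4. Any token of the entry that names a System32 executable gets its
    #    signature and SHA-256 recorded, without assuming the token order.
    foreach ($token in ($entry -split '\s+')) {
        if ([string]::IsNullOrWhiteSpace($token)) { continue }
        $name = if ($token -like '*.exe') { $token } else { "$token.exe" }
        $candidate = Join-Path $system32 $name
        if (-not (Test-Path -LiteralPath $candidate)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $candidate
        $hash = (Get-FileHash -Path $candidate -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        $findings.Add("  $candidate signature=$($sig.Status) signer=$signer sha256=$hash")
        if ($sig.Status -ne 'Valid') {
            $findings.Add("  $name is not validly signed and runs before the OS is fully up; treat it as suspect")
        }
    }
}

# Report
"Firmware type : $firmwareType"
"Secure Boot   : $secureBoot"
"Firmware      : $firmwareInfo"
"BootExecute   : $($bootExecute -join ' | ')"
if ($findings.Count -eq 0) {
    'No LoJax-style indicators found. This does not rule out a firmware implant; only a dump of the SPI flash compared against the vendor image can do that.'
} else {
    'Findings:'
    $findings | ForEach-Object { " - $_" }
}
```

The script is deliberately report-only: it changes nothing, so it is safe to run on a machine that may later need forensic imaging. A clean result is evidence about the Windows side only; because the implant lives in the SPI flash, a full firmware dump and comparison with the OEM's image is the only check that settles the question.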