Hacking Team, the surveillance software maker, apparently deploys a Unified Extensible Firmware Interface (UEFI) BIOS rootkit to ensure that its malware stays on the victim's PC even after the hard drive has been wiped and the operating system reinstalled.
After the Hacking Team data leak, antivirus firm Trend Micro's investigation of the leaked files revealed a rootkit that lives in the UEFI firmware (the modern replacement for the traditional BIOS) rather than on the disk.
Trend Micro worked out how Hacking Team installed malware that persists on a victim's system across an operating system reinstallation.
The group apparently developed a way to infect UEFI firmware built by Taiwan-based Insyde Software. Hacking Team packaged the rootkit as a UEFI module for its Remote Control System (RCS) software: on every boot, the module checks whether the RCS agent is still present on the victim's system and, if the agent is missing, infects the system again.
"The dissection of the data from the Hacking Team leak has yielded another critical discovery: Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets' systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running," stated Trend Micro researchers.
The research team reconstructed the installation procedure from a presentation found in the 400 GB of data leaked in the Hacking Team breach.
To install the malware agent, three UEFI modules are added to the victim's firmware: Ntfs.mod, dropper.mod and Rkloader.mod. Hacking Team's presentation says the process requires physical access to the victim's PC; however, the antivirus firm's researchers do not "rule out the possibility of remote installation."
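Because the implant lives in the firmware, the first triage step on a suspect machine is to dump the SPI flash (with flashrom or a hardware programmer) and look for the module names above. UEFI stores a module's user-interface name as UCS-2 (UTF-16LE), so a plain ASCII grep or `strings` over the dump can miss it. The following Python script is an added example, not code from the article, Trend Micro or Hacking Team; it searches a raw dump for the three names in both encodings and reports offsets. The sample image it scans is constructed inline for illustration and is not a real firmware dump.

```python
"""Triage scan of a raw UEFI firmware dump for the module names reported
for the Hacking Team rootkit (Ntfs.mod, Rkloader.mod, dropper.mod).

Added example, not Trend Micro's or Hacking Team's tooling. Assumes the
input is a raw SPI flash image. UEFI keeps a module's UI name as UCS-2
(UTF-16LE), so both ASCII and UTF-16LE forms are searched.
"""
import hashlib
import sys

# Names from the leaked presentation, without the ".mod" suffix because the
# UI name inside a firmware volume need not carry it. Matching is
# case-insensitive. "ntfs" is the weakest indicator: a stock firmware could
# legitimately ship an NTFS driver, while "rkloader" and "dropper" should not
# appear in a vendor image.
INDICATORS = ("rkloader", "dropper", "ntfs")


def _find_all(haystack: bytes, needle: bytes):
    """Yield every offset at which needle occurs in haystack (overlaps allowed)."""
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1


def scan_firmware(image: bytes):
    """Return a list of (indicator, encoding, offset) hits sorted by offset.

    bytes.lower() folds only ASCII letters, which also lowercases the
    character bytes of a UTF-16LE string while leaving its NUL bytes alone,
    so one lowered copy serves both encodings.
    """
    lowered = image.lower()
    hits = []
    for name in INDICATORS:
        for encoding in ("ascii", "utf-16-le"):
            needle = name.encode(encoding)
            for off in _find_all(lowered, needle):
                hits.append((name, encoding, off))
    return sorted(hits, key=lambda h: h[2])


def build_sample_image() -> bytes:
    """Constructed test image, NOT a real dump: 0xFF padding, a benign
    UCS-2 module name, the rootkit loader's name as UCS-2, and the dropper
    name as plain ASCII."""
    blob = bytearray(b"\xff" * 256)
    blob += "SecureFlashDxe".encode("utf-16-le") + b"\x00\x00"  # benign name
    blob += b"\xff" * 64
    blob += "Rkloader".encode("utf-16-le") + b"\x00\x00"        # UCS-2, offset 350
    blob += b"\xff" * 64
    blob += b"dropper.mod"                                      # ASCII, offset 432
    blob += b"\xff" * 32
    return bytes(blob)


if __name__ == "__main__":
    # Scan a real dump if a path is given, otherwise the constructed sample.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(f"sha256 {hashlib.sha256(image).hexdigest()}  ({len(image)} bytes)")
    for name, enc, off in scan_firmware(image):
        print(f"{name:9s} {enc:10s} at offset 0x{off:06x}")
```

On the constructed sample this reports `rkloader` as UTF-16LE at 0x00015e and `dropper` as ASCII at 0x0001b0; an ASCII-only search would have missed the loader. A clean hit list is not proof of a clean machine, since an attacker can rename modules; the stronger check is to compare the dump's firmware volumes against the OEM's update image with a tool such as UEFITool, ignoring the NVRAM region, which changes on every boot.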
The Trend Micro team advises the following to avoid being affected:
– Ensure UEFI SecureFlash (signed firmware update verification) is enabled, so the firmware rejects unsigned BIOS images.
– Update the BIOS whenever the vendor issues a security patch.
– Set a password for the BIOS or UEFI setup.
Two caveats apply. Secure Boot alone does not stop this implant: it verifies the OS boot loader, while the rootkit already runs as a module inside the firmware before that check happens. And a setup password only protects the firmware's own update path; an attacker with physical access can still rewrite the SPI flash chip directly with a hardware programmer.
Photo: Adam Thomas | Flickr