How to freak a computer geek

Researchers on Wednesday announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.

Dubbed BlackLotus, the malware is what’s known as a UEFI bootkit. These sophisticated pieces of malware target the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC’s device firmware with its operating system, the UEFI is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch. Previously discovered bootkits such as CosmicStrand, MosaicRegressor, and MoonBounce work by targeting the UEFI firmware stored in the flash storage chip. Others, including BlackLotus, target the software stored in the EFI system partition.

Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to launch malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.

Jeff

10 Likes

Ugh, bad. Makes me feel itchy all over. Where is my calamine lotion?

Modernity seems to be drifting deeper into total failure modes rooted in “lust after money” and “status driven immorality”.

I would have stopped with the first word, but we have to write at least 30 or so.

4 Likes

This is not actually happening in the west.

Kaspersky detected the rootkit running on computers in China, Vietnam, Iran, and Russia. All victims were running Kaspersky’s free product, an indication that targets may have been private individuals. Company researchers have been unable to identify any specific organizations or even industry verticals that were infected. Researchers so far have been unable to determine the entry point that allows the rootkit to get installed in the first place. Qihoo360’s report speculated that one infection may have been the result of a backdoored motherboard ordered at a second-hand reseller, but so far Kaspersky has been unable to confirm that.

If it were to happen in the west, our technology companies would be obliged to fix it fast, simply by sending us new firmware and blocking certain players.

Instead this is spying on internal players in dictatorships.

2 Likes

Note I do not know if Vietnam is a dictatorship. The country runs the risk of China’s tech overrunning it. This may be a good example of that happening.

1 Like

Ahh, but nary a Windows machine in the house… They all went away when I & DW retired…

2 Likes