Hacking Team's malware uses UEFI rootkit to survive OS reinstalls



#1 JohnC_21

Posted 14 July 2015 - 11:08 AM

Surveillance software maker Hacking Team has provided its government customers with the ability to infect the low-level firmware found in laptops and other computers that they wanted to spy on.

The company developed a tool that can be used to modify a computer's UEFI (Unified Extensible Firmware Interface) so that it silently reinstalls its surveillance tool even if the hard drive is wiped clean or replaced.

UEFI is a replacement for the traditional BIOS (Basic Input/Output System) and is meant to standardize modern computer firmware through a reference specification. But there are multiple companies that develop UEFI firmware, and there can be significant differences between the implementations used by PC manufacturers.

Hacking Team developed a method for infecting the UEFI firmware developed by Insyde Software, a Taiwanese company that counts Hewlett-Packard, Dell, Lenovo, Acer and Toshiba among its customers, according to security researchers from antivirus vendor Trend Micro.

Article




#2 Aura

Posted 14 July 2015 - 11:19 AM

A Hacking Team slideshow presentation suggests that installing the UEFI rootkit requires physical access to the target computer, but remote installation can't be ruled out, the Trend Micro researchers said.

The fact that it can be installed remotely is indeed scary. If it requires physical access then it's something else. Maybe a payload could infect a USB connected to a system and the malware could be installed during the restart or otherwise.

To prevent such infections, Trend Micro advises users to enable the UEFI SecureFlash option, to set up a BIOS/UEFI password and to update the firmware to its latest version so that it has the latest security patches. UEFI/BIOS updates are usually distributed by computer manufacturers through their support websites and some of them do fix issues identified by security researchers.

This should be done as soon as possible for everyone. I'll do that tonight on my desktop computer and my laptop.



#3 JohnnyJammer

JohnnyJammer

  • Members
  • 1,107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:03:53 PM

Posted 14 July 2015 - 06:19 PM

I think the real issue here is that this is just one company. Think of how many other companies such as this are around and how many work in the underground side of the web.



#4 quietman7

Posted 14 July 2015 - 09:00 PM

 

...most antivirus vendors detect the highly intrusive software, which is known as Remote Control System (RCS) or Galileo, as malware.



#5 JerkyMcDilerino

Posted 15 July 2015 - 01:46 AM

All these hackers should be put in jail for at least 20 years for real. I can imagine the internet will be peaceful and safe one day after we slash these hackers on the internet.



#6 Sintharius

Posted 15 July 2015 - 02:49 AM

They actually had a database that involved testing their malware (FinSpy, Galileo) against various antivirus vendors, which is part of the leaked files.

#7 Aura

Posted 15 July 2015 - 05:22 AM

All these hackers should be put in jail for at least 20 years for real. I can imagine the internet will be peaceful and safe one day after we slash these hackers on the internet.


Hacking Team is a legitimate company however and they got hacked, so they won't go to jail for that. The person (or people) that leaked their data however could.



#8 quietman7

Posted 15 July 2015 - 05:27 AM

...I can imagine the internet will be peaceful and safe one day after we slash these hackers on the internet.

I doubt that will ever happen...there is always going to be others to take their place.

#9 crisis2k

Posted 19 July 2015 - 12:32 PM

That's why I said Italy is mafia land; they don't even have minimum ethics.

I guess this is the only way of removing RCS 9:

1. Format the host USB (infected by RCS 9) with the Martik USB formatter (don't use the Windows formatter), then disconnect it from the computer.

2. Download the latest UEFI (BIOS) ROM image from the manufacturer, then make a boot CD with the latest UEFI (BIOS) ROM flasher.

3. Open your computer case, then discharge your motherboard via the jumper or remove the battery from the motherboard. On a laptop you can also find the jumper on the side.

4. When you have finished step 3, boot up with the UEFI flasher CD from step 2, then flash the latest UEFI ROM to your motherboard. You can also overwrite the UEFI with the ROM file from within a booted Windows, but I don't recommend it; if the overwrite fails, your computer can have boot problems.

5. When you have finished step 4, go into the UEFI setup screen, then set a new UEFI manager password and save it.

6. You may need to low-level format (fully erase) your hard disks, or it can relapse.

7. Now you are prepared for a fresh reinstall of Windows.


Edited by crisis2k, 20 July 2015 - 02:31 AM.
