Monday, August 20, 2018

Three Lenovo "Rootkit" versions?

Hi folks, In 2015, Lenovo was accused of sending out laptops with a "rootkit" in the firmware. Lenovo essentially said, "Ooops... it was meant to be an updater, to help with security. We bought it from a third party, and assumed it was ok." They patched their firmware, and everyone moved on.

Now, I'm not suggesting for even a second that Lenovo did anything intentionally wrong. I think they were completely innocent, and just trying to make their products more secure, but here's where it gets interesting...

To this day, only one out of about sixty anti-malware products recognizes the rootkit as malicious. If you want to check, search VirusTotal for this sha256, d3c154a38823b09edd2e119ecfd8366c2c5e725fda4f744c04e2d26fcc7c5803, and you will see that only Endgame recognizes it.

This particular bit of software identifies itself as "NovoSecEngine2", in the firmware volume, and is 139,512 bytes long. Now that we have been able to analyze a bunch of firmware, we have found two other executables identifying themselves as NovoSecEngine and NovoSecEngine2. NovoSecEngine is 248,832 bytes long, and the second NovoSecEngine2 is 203,712 bytes long.

Guess how many of the sixty anti-malware programs recognize these No one thinks they are variants of the rootkit.

This means that they are either completely different programs, accidentally sharing the rootkit name, or ... no one has analyzed them.

Our analysis of these two programs continues, and we will post more information as we figure it out, but what this probably really means is that no one is looking at the firmware, and everyone is relying on the "Hope and trust" method.

This, in turn, leads one to wonder how many other programs with rootkit capability lurk in our firmware.

Anything in the firmware is invisible to regular anti-malware programs.

Here are some rough stats from our initial research:

Manufacturers analyzed: {'Toshiba', 'Acer', 'Lenovo', 'Asrock', 'Desenvolvida por Positivo Informatica SA', 'Razer', 'Clevo', 'American Megatrends Inc./Advantech', 'American Megatrends Inc.', 'LG Electronics', 'Dell', 'ASUSTeK', 'Gygabyte', 'Intel', 'Sony', 'Hewlett-Packard', 'Apple Inc.'}

Total firmware analyzed: 550

Total firmware with portable executables analyzed: 515

Total portable executables analyzed: 131289

Total portable executables triggering one heuristic: 20964

Total portable executables triggering more than one heuristic: 3178

Average portable executables per ROM: 254

Average portable executables triggering heuristic per ROM: 40

Average portable executables triggering more than one heuristic per ROM: 6

Now, just because they are triggering our heuristics, doesn't mean they will definitely be bad. It just means that we think they are worthy of a closer look. We will be perfectly happy if all of them are completely innocent, but having been in the anti-malware business for a long time, we suspect we will find some number of Bad Things(tm).

If anyone wants to help, and can upload a firmware dump to us here, we will gladly take a look at it.

Stay tuned, folks, and keep safe.
*** Update: Just in case it's not clear, I don't think these three are currently around, unless someone hasn't updated their BIOS. I think Lenovo took care of it just fine at the time. The point I am trying to make is that there could be lots of other "backdoors" or "rootkits" in firmware, and no one would know. I'm trying to get more people to pay attention.

No comments: