Wednesday, November 28, 2018

ASUS UEFI rootkit

Hi folks,

In late October, I noticed this article.

The nub of the article is that the authors noticed that the ASUS z390 motherboard was able to access the Internet, without any Windows 10 network drivers, and was able to install extra software.

This is remarkably similar behavior to the Lenovo rootkit, from 2015.

Now, let me stress that in neither case do I think they were of malicious intent. They were clearly designed to allow the vendor to install updates as needed, but the problem is that, just like with the Lenovo rootkit, no one would have known it was there if it hadn't tipped its hand by doing something obvious, and the obvious question is now, "What _else_ is out there?"

We have now found five variants of the ASUS UEFI updater/rootkit software, none of which seem to be detected by anyone. Oh, and seven variants of the (hopefully extinct) Lenovo rootkit from 2015.

Analysis continues.

Stay tuned.

P.S. If anyone wants to help, I blogged about how to dump firmware here.