So, anyway, I was examining some new firmware uploads this weekend (yes, when you work in the antimalware space, you are like Inspector Gadget ... always on duty), and my program detected some similarities to a certain POC (proof of concept) rootkit from a few years ago. (I call it a POC because when you look at the code, it has comments in it, paraphrasing, "This is empty, but is where the payload would go.")
As I said, it's a few years old now, but it is very unusual for my scanner to detect any similar code, so, naturally, I had to look deeper.
After researching it a bit, it seems likely that this new one, too, was a POC, from 2019, but the interesting things were ...
(1) No major antimalware product detects either of these (one scanner from Russia that I'd never heard of detected one of them, but that was all), and...
(2) When I tweaked my detectors (in this case, an ssdeep sig) a bit, I suddenly found multiple other detections in my collection, with 80% to as high as 97% code match.
These may well turn out to be simple, and innocent, false positives, but ... they must be investigated... we shall see.
And of course, one wonders how many other things like this are waiting to be discovered.
Sunday, October 17, 2021
Thursday, October 7, 2021
A couple of thoughts about the recent UEFI bootkit discoveries
So, anyway, you've probably noticed that two "new" UEFI bootkits were announced in the last couple of weeks. One is ESPecter (so named by our friends at ESET), and the other is FinSpy.
ESPecter has roots that go back to 2014-ish, but the main difference here is that they've found a way to bypass signature checking, and to gain persistence in the system partition... not quite in the firmware, but a separate partition on disk that is not easy to look at.
Whenever I see something like that, I think, "Wait ... if this gang has found a way to bypass signature checking, how do we know that this is the only version of the bootkit?" After all, they've had six or seven years to work on this.
The answer to this question, of course, is that we don't know. Not many people/products look at the system partition.
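The cheapest way to start looking at the system partition is to baseline it. The script below is an added example (mine, not the author's): it hashes every file under an ESP mount point, stores the result as JSON, and reports additions, removals and modifications against that baseline. The ESP tree and file contents in `demo()` are constructed in a temporary directory, and the real mount point (`/boot/efi`, or whatever you mount the ESP on) is an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so a large loader is not held in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_esp(esp_root) -> dict:
    """Map every file under the ESP mount point (relative POSIX path) to its SHA-256.
    Every file is hashed, not only *.efi, because a dropped loader can be named anything."""
    root = Path(esp_root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Everything reported here changed since the baseline and deserves a look."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed sample: a fake ESP tree is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp) / "esp"
        baseline_path = Path(tmp) / "esp_baseline.json"  # keep the baseline off the ESP
        original = {  # constructed contents, not real boot loaders
            "EFI/Microsoft/Boot/bootmgfw.efi": b"MZ constructed boot manager",
            "EFI/BOOT/BOOTX64.EFI": b"MZ constructed fallback loader",
        }
        for rel, data in original.items():
            (esp / rel).parent.mkdir(parents=True, exist_ok=True)
            (esp / rel).write_bytes(data)
        baseline_path.write_text(json.dumps(snapshot_esp(esp), indent=2))
        # Simulated tampering: boot manager replaced, extra loader dropped beside it.
        (esp / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(b"MZ constructed patched boot manager")
        (esp / "EFI/Microsoft/Boot/extra.efi").write_bytes(b"MZ constructed unexpected loader")
        return diff_snapshots(json.loads(baseline_path.read_text()), snapshot_esp(esp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a live system, take the baseline right after a trusted OS or firmware update and re-run `snapshot_esp()` on a schedule; a "modified" boot manager or an "added" loader is the signal worth chasing.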
FinSpy is interesting from another angle.
FinSpy was originally developed by the Hacking Team, which was dox'd in 2016. Among the documents leaked was the source code to their VectorEdk UEFI rootkit (the product known as FinSpy). The Hacking Team's business model was to sell their product to law enforcement, and government bodies, à la NSO with Pegasus. This doxing effectively killed the Hacking Team business, but it has now resurfaced, with a new, and improved, FinSpy, which was what the guys at Kaspersky found.
Now, that's all very well, but the thing that concerns me is that the source code to VectorEdk/FinSpy is still freely available for download on GitHub.
Does anyone really believe that this single company/group will be the only one to have developed new versions of this rootkit?
If anyone does believe that, I would like to sell you some ocean front property in Arizona. It's very cheap, and a bargain. ;)
Heads up, folks. Something evil, this way comes.
Please pay attention to your firmware.