Sunday, October 17, 2021

Annnd another UEFI rootkit

So, anyway, I was examining some new firmware uploads this weekend (yes, when you work in the antimalware space, you are like Inspector Gadget ... always on duty), and my program detected some similarities to a certain POC (proof of concept) rootkit from a few years ago. (I call it a POC because when you look at the code, it has comments in it, paraphrasing, "This is empty, but is where the payload would go".)
As I said, it's a few years old now, but it is very unusual for my scanner to detect any similar code, so, naturally, I had to look deeper.

After researching it a bit, it seems likely that this new one, too, was a POC, from 2019, but the interesting things were ...

(1) No major antimalware product detects either of these (one scanner from Russia that I'd never heard of detected one of them, but that was all), and...

(2) When I tweaked my detectors (in this case, an ssdeep sig) a bit, I suddenly found multiple other detections in my collection, with 80% to as high as 97% code match.

These may well turn out to be simple, and innocent, false positives, but ... they must be investigated... we shall see.
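For readers who have not used fuzzy hashing for this kind of triage, here is an added example (not code from this post, and not the ssdeep library itself) of the matching described in point (2): a simplified context-triggered piecewise hash in the style of ssdeep, plus a sweep that scores a collection against one known module and keeps everything at or above a threshold. The rolling hash, FNV chunk hash, base64 alphabet and block-size rule follow ssdeep's design, but only a single-blocksize signature is produced and the scoring is simplified. The "firmware modules" are constructed pseudo-random byte strings (one is a copy of the POC with a 16-byte region patched), and the file names are made up; for real work use the ssdeep tool or the python-ssdeep binding.

```python
"""Simplified context-triggered piecewise hashing (CTPH), ssdeep-style.
A rolling hash picks chunk boundaries from content, each chunk becomes one
base64 character, and two signatures are scored by edit distance.
Illustration only: not ssdeep, and not code from the original post."""
import random
import re

ROLLING_WINDOW = 7                # bytes covered by the rolling hash
FNV_INIT, FNV_PRIME = 0x28021967, 0x01000193
MASK32 = 0xFFFFFFFF
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MIN_BLOCKSIZE, SPAMSUM_LENGTH = 3, 64


class RollingHash:
    """ssdeep-style rolling hash over the last ROLLING_WINDOW bytes."""

    def __init__(self):
        self.window = [0] * ROLLING_WINDOW
        self.h1 = self.h2 = self.h3 = self.n = 0

    def update(self, c):
        self.h2 = (self.h2 - self.h1 + ROLLING_WINDOW * c) & MASK32
        self.h1 = (self.h1 + c - self.window[self.n % ROLLING_WINDOW]) & MASK32
        self.window[self.n % ROLLING_WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) & MASK32) ^ c
        return (self.h1 + self.h2 + self.h3) & MASK32


def block_size_for(length):
    """Smallest 3*2^k such that about 32..64 chunk chars are emitted."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < length:
        bs *= 2
    return bs


def fuzzy_hash(data, block_size=None):
    """Return 'blocksize:signature' (single-signature variant)."""
    bs = block_size or block_size_for(len(data))
    roll, fnv, sig = RollingHash(), FNV_INIT, []
    for c in data:
        fnv = ((fnv * FNV_PRIME) & MASK32) ^ c
        if roll.update(c) % bs == bs - 1:      # content-defined boundary
            sig.append(B64[fnv & 63])
            fnv = FNV_INIT
    if fnv != FNV_INIT:                         # trailing partial chunk
        sig.append(B64[fnv & 63])
    return "%d:%s" % (bs, "".join(sig))


def _collapse_runs(sig):
    """Like ssdeep, cap runs of one character (they carry little signal)."""
    return re.sub(r"(.)\1{3,}", r"\1\1\1", sig)


def _has_common_substring(a, b, n=ROLLING_WINDOW):
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def _edit_distance(a, b):
    """Levenshtein with insert/delete cost 1, substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]


def compare(h1, h2):
    """Similarity 0..100; 0 if block sizes differ or no 7-char run is shared."""
    bs1, s1 = h1.split(":", 1)
    bs2, s2 = h2.split(":", 1)
    if bs1 != bs2:
        return 0
    s1, s2 = _collapse_runs(s1), _collapse_runs(s2)
    if not s1 or not s2 or not _has_common_substring(s1, s2):
        return 0
    return max(0, 100 - (100 * _edit_distance(s1, s2)) // (len(s1) + len(s2)))


def sweep(collection, query, threshold):
    """Score each sample against the query; return (name, score) >= threshold, best first."""
    qh = fuzzy_hash(query)
    hits = [(name, compare(qh, fuzzy_hash(blob))) for name, blob in collection.items()]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])


def _sample_blob(seed, length=4096):
    """Constructed stand-in for a firmware module: seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def build_demo_collection():
    """Constructed collection (made-up names): the known POC, a copy with a
    16-byte region patched, and an unrelated module of the same size."""
    poc = _sample_blob(1)
    patched = bytearray(poc)
    patched[1024:1040] = _sample_blob(99, 16)
    return {"poc.efi": poc, "poc_patched.efi": bytes(patched),
            "unrelated.efi": _sample_blob(2)}


if __name__ == "__main__":
    coll = build_demo_collection()
    for name, score in sweep(coll, coll["poc.efi"], threshold=80):
        print("%-18s %3d" % (name, score))
```

The patched copy scores in the 90s because only the chunks touching the changed bytes produce different characters, while the unrelated module scores 0 because its signature shares no seven-character run with the query; lowering the threshold is exactly the "tweaking" that pulls in more of the collection, so every hit still needs a manual look.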

And of course, one wonders how many other things like this are waiting to be discovered.
