The malware is set to phone home, which is what led to its detection.
Yep, HP detected the malware when it phoned them!
HP accidentally signed some malware, according to Krebs on Security. Krebs reports that the certificate was “used to cryptographically sign software components that ship with many of its older products”, mostly for PC software, but that back in 2010 it was also used to sign some malware. HP will therefore revoke the …
Someone manages to get some malware into certified HP distributions, but we're supposed not to worry "because it had the same name as a genuine HP package"?
So HP weren't checking ANYTHING other than the package name before HP signed/certified the stuff for distribution?
Some more details would be welcome, but on the surface it sounds rather like somebody in HP needs certifying.
I might being sound of wind and limb suggest that further analysis should that analysis be warranted or required or be intimated of this incident or any other incident now or past or present or future and that incident be connected to this incident or any other incident or happening now or in the past or present or in the future whereby the terms past present or pink goblins be defined hereforeto herewith or my teeth fall out or other bollocks be defined wherein.
Sorry, someone else's day job interfered with my post.
This is negligence of one sort or another. The scale of which probably needs to go to court. On the face of it as presented, in my opinion: it's probably errr should be criminal.
Cheers
Jon
Even if EFI wouldn't be a mess of complexity far bigger than the BIOS could have ever been, its only claimed security feature is bogus. Companies will lose their secret keys, and people will use them to sign malware.
Code signing is no security feature as such.