back to article Hacking Team spyware rootkit: Even a new HARD DRIVE wouldn't get rid of it

‪Hacking Team RCS spyware came pre-loaded with an UEFI (‬Unified Extensible Firmware Interface) ‪BIOS rootkit to hide itself on infected systems, it has emerged following the recent hacking of the controversial surveillance firm.‬ The stealth infection tactic, which has been revealed through leaked emails arising from last …

  1. Syntax Error

    The Team

    This Hacking team are a pain in the arse. They appear to serve no useful purpose to this planet apart from help governments spy on people and undermine IT security.

    1. Anonymous Coward
      Anonymous Coward

      Re: The Team

      I don't think they've undermined it, just exposed it for the joke that's supposed to be IT security thanks to some very poor design decisions for the sake of convenience.

    2. This post has been deleted by its author

      1. Destroy All Monsters Silver badge
        Holmes

        Re: The Team

        Come on, it's not revolutionary stuff.

        Why, did you expect an unpublished pamphlet of Leon Trotsky in the stack?

        Of course it's not "revolutionary". But so what. You are 1980's coder, you should diregard the inner child demanding "teh new" every single morning. The future is just like the past, only more so.

      2. Anonymous Coward
        Anonymous Coward

        Re: The Team

        > What have we got, a few flash zero-days, and a UEFI BIOS hack? Come on, it's not revolutionary stuff.

        No, that's what crumbs that one small Italian company has scratched together.

        Several other, much larger companies (and the government that controls them) hold those two things too. However they all also hold the keys to all your computer equipment.

        Think about that for a while.

        Think about how much you trust them all to do the right thing with that great responsibility.

        Think about how much you trust them all to safeguard that responsibility.

        http://www.theregister.co.uk/2015/07/09/nsa_network_security_code_leaks_onto_github/

        http://www.theregister.co.uk/2015/07/09/nsa_snooped_on_german_chancellors_for_decades_wikileaks/

        http://www.theregister.co.uk/2015/06/12/second_opm_data_breach/

        http://www.theregister.co.uk/2015/06/04/nsa_warrantless_internet_snooping/

        http://www.theregister.co.uk/2015/03/19/cansecwest_talk_bioses_hack/

  2. Anonymous Coward
    Anonymous Coward

    In the good old days you had a BIOS lock available to disable flashing, we told you UEFI was a cluster fuck security nightmare and here you go. Kids, will they ever learn.

    1. Spaceman Spiff

      In truth, I think we have Microsoft to thank for UEFI, all the related cruft that comes along with it. It is an egregious violation of the KISS principle. Once you forget that, your malware exposure surface increases by orders of magnitude!

      1. nuked
        Black Helicopters

        Groupthink

        140 companies comprised the UEFI cartel consortium apparently.

        1. Anonymous Coward
          Anonymous Coward

          @nuked - Re: Groupthink

          and they all agreed to let Microsoft hold the encryption keys for Secure Boot. How lovely isn't it ?!

          It reminds me of the OOXML standardization process.

        2. Tom 13

          Re: Groupthink

          How many of them were as big as Microsoft and completely independent of MS's OS?

          When the Big Dog makes up his mind, you go along and hope for a piece of the kill.

      2. Destroy All Monsters Silver badge
        Trollface

        We are now at the ARSE principle: Add Raunchy Sexyness, Eejit!

    2. Anonymous Coward
      Anonymous Coward

      MSFT is the NSA's consumer software division. Has been ever since 1998. What do you suppose US vs MSFT was about and why do you suppose it just went away without MSFT mending its ways? The fact that the _NSAKEY was slipped in during 1999 must just be a coincidence too?

      UEFI is a clusterfuck BY DESIGN. THIS is its purpose.

      Same for "Intel's" AMT/vPro BTW.

      1. elDog

        And just to be safe, Adobe and Google, probably Dell, etc.

        MSFT is the NSA's consumer software division. Has been ever since 1998.

        With oodles of black money to spend and lots of willing recipients in the tech industry, what's to stop the NSA or any other US/foreign entity to influence the consumer products.

        Adobe has been giving away its PDF reader for years. Anyone want to guess why?

        Google has all those nice free services that have already been shown to be open pipes to agency datastores.

        Dell falls on hard times and then miraculously comes back to life. Who wouldn't trust a Dell BIOS?

  3. Anonymous Coward
    Anonymous Coward

    The word "nasty" is in the wrong place in the sub header

    "No amount of scrubbing could shift nasty UEFI BIOS"

    There, fixed it.

  4. Anonymous Coward
    Anonymous Coward

    Security options

    "Various precautions to guard against this sort of attack are possible including enabling UEFI SecureFlash, updating the BIOS whenever there is a security patch and setting up a BIOS or UEFI password"

    If someone has managed to bypass your entire office security, got into the server room and managed to reflash a machine without anyone noticing then IMHO a reflashed BIOS is probably the least of your worries.

    Newsflash: Once someone has physical access to a machine its Game Over.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security options

      Why do you imply physical access is required to flash UEFI?

      Its greatest selling point was replacing our jumpers with their keys.

    2. Voland's right hand Silver badge

      Re: Security options

      You did not read the article. This was targeting primarily laptops.

      I have seen multiple times laptops coming back from conferences and trade shows with keyloggers installed. The usual procedure (in sane IT shops) is to zap anything and everything that has been to a list of countries + any trade show where people from said countries where in attendance. This would work against conventional spyware. Against this - I doubt it.

      1. Tom 13

        Re: zap anything and everything that has been to a list of countries

        We've done away with the list. If you've been on travel, when you get back, it gets wiped and fresh image is installed.

        Not that that would have helped with this particular hack.

        If you're sufficiently paranoid these days, the correct procedure is actually to chuck it all to a reseller as soon as it comes back and give them a new, fresh out of the box, not re-furbed laptop. The BIOS, the hard drive, even the mouse might have been compromised with malware your OotB AV suite simply isn't equipped to deal with.

        1. Anonymous Coward
          Anonymous Coward

          Re: zap anything and everything that has been to a list of countries

          "If you're sufficiently paranoid these days, the correct procedure is actually to chuck it all to a reseller as soon as it comes back and give them a new, fresh out of the box, not re-furbed laptop."

          What's to stop the laptop being compromised at the factory, before it even goes IN the box?

          1. Tom 13

            Re: zap anything and everything that has been to a list of countries

            Nothing.

            At that level of paranoia you're also certifying the factory and your transport service and implementing high level security controls for their facilities. Alos, think armored car transport principles without the obviousness of the armored car.

    3. Yet Another Anonymous coward Silver badge

      Re: Security options

      >If someone has managed to bypass your entire office security, got into the server room and managed to reflash a machine

      Or they simply did it at the UPS facility when the server was on it's way to you or at the motherboard factory - depending whether you are being spied on by the good guys or the bad guys.

      1. Anonymous Coward
        Anonymous Coward

        Re: Security options

        Bit creative with the word "good" there?

        1. Yet Another Anonymous coward Silver badge

          Re: Security options

          Those building in the spying at the factory in are evil henchmen of a commie dictatorship aimed at political enemies of the state.

          Those intercepting the servers in transit and "updating them" are the brave guardians of law and order in their constant battle against the commie terrorists in our midst.

          I really can't see how people could get confused

  5. Paul Crawford Silver badge

    Open BIOS now needed

    It is high time that a few big players, such as Gov/Police/etc insisted on a supply of PCs & laptops with an open and documented BIOS system, so that any bugs can be fixed (not saying they will be, mind) and tools developed to allow the safe wipe and re-installation of any potentially compromised BIOS.

    One can dream :(

    1. Anonymous Coward
      Anonymous Coward

      Re: Open BIOS now needed

      It's us who'd have to do the insisting. "Gov/Police/etc" are dead keen on b0rked crypto and backdoors. Where've you been hiding?

      You're at liberty* to only buy kit supported by coreboot if you value such things.

      *For the moment. I think. You might want to check with a lawyer on that..

      1. Paul Crawford Silver badge

        Re: Open BIOS now needed

        You seem to mistake gov & TLAs for simple monolithic organisations with a singular goal. In reality they are complex, contradictory and often plain incompetent.

        Some of the gov want back-doors and weaknesses in other people's systems, but most certainly do not want it in their own systems. But outside of the likes of NSA/GCHQ for secret-and-above projects, they all buy off the shelf computers and such p0wnage leaves them as vulnerable to other nations (and criminals) as we are.

        Sadly most consumers don't understand and don't care, so they will apply no pressure on Dell, HP, Asus, Gigabit, etc, to offer us coreboot-compatible hardware (or the necessary documentation). My budget is for a couple of machines a year - will they listen?

        So maybe having such UEFI malware from this hack out in the field is actually good in the long term as we, and major security vendors, can start asking pointed questions to suppliers about how to secure the BIOS, and how to put in our own more secure versions.

    2. Anonymous Coward
      Anonymous Coward

      Re: Open BIOS now needed

      On the subject of items being compromised before they hit the shelves - where is the vast majority of consumer IT kit made....

      Thats right - in the good ole People Repulic of China.

      So if anybodys going to be watching you, its going to be them - which is why youd better be doing a better job of watching them than they are of you...

  6. Anonymous Coward
    Anonymous Coward

    It will not be long before

    Windows will have access to UEFI (maybe it is already the case) so we can all face a whole new generation of malware.

    Many thanks to all who made this possible!

    1. Anonymous Coward
      Anonymous Coward

      Re: It will not be long before

      It's probably an undistributed module, signed with the _NSAKEY and custom installed via Flash injections to listed IP/MAC addresses.

  7. Eduard Coli

    UEFI is bad

    BIOS may have need to be updated but UEFI was a bad idea. Every vendor has a different implementation and it is plain to see that it was really designed with content management and lock-in in mind rather than addressing any shortcomings in BIOS or introducing feature that end users might actually want to use.

    1. Anonymous Coward
      Anonymous Coward

      Re: UEFI is bad

      What an OUTSTANDING name!

  8. phil 27

    In light of the suggestion that this *possibly* could have a remote install vector in the bios attack, having to put a bios jumper in another physical position to reflash was a good idea after all...

    But, I suspect the vast majority of people who cared about security said this at the time. Only to be shouted down by the IT ops people who no longer had to go round people's desks to do things.

    1. Tom 13

      Re: bios jumper in another physical position

      I'd settle for a physical switch instead of a jumper. Depending on the motherboard some of those *&%*$!! jumpers were smaller than an eye glasses screw.

      Also, all MBs these days should have a double BIOS setup: One flashable which is the primary boot chip, one ROM which by flipping another switch/setting another jumper can be used to restore the BIOS that originally shipped with the MB.

  9. chivo243 Silver badge
    Unhappy

    IT security and Icebergs?

    If Hacking team is what we see? What is below the surface? I have to think there are things going on inside your 'box' that would surprise us all...

    1. Anonymous Coward
      Anonymous Coward

      Re: IT security and Icebergs?

      Agreed. We've only seen some tricks from a primary school kids IT project. This is nothing compared to what the big boys school can do.

      Although I will say one thing. having worked with the UK police I think peoples views on how they operate is all wrong. If anything the UK police are the only ones I've seen who have rules for doing any of this sort of 'surveillance' on a suspect, rules they follow too. Ok you might get a bad egg police man who abuses his position, you get that in all walks of life, but on the whole they follow procedure, which by the way, includes a court issued warrant to carry out the 'surveillance'.

      Same can't be said for other UK agencies, but the police I will defend, slightly, they are still the police after all!

  10. Zmodem

    download your bios and flash the firmware, or buy a gigabyte and restore from the back up bios, which happens is temperatures reach -20c on 99% of pcb, memory chips get wiped

    1. Anonymous Coward
      Anonymous Coward

      @zmodem

      WHERE do you scrape this bollocks from.

      ONE google search reveals that nearly ALL ICs with memory are tested to (at least) -40 celcius.

      1. Zmodem

        Re: @zmodem

        non writable chips might do, writable chips get wiped around -20c, if you open your window in the winter, your tv will reset, your phone may reset, your bios will reset

        server boards are not special

        1. Sandtitz Silver badge

          Re: @zmodem again

          No really, WHERE do you scrape this bollocks from?

          HP specs their servers to withstand -30C in shipment, IBM (Lenovo) specs them at -40C.

          Try again.

          1. Zmodem

            Re: @zmodem again

            they might work until -40c, but if you have overclocked your cpu and saved custom settings, they will be wiped at -20c, like your tv channels, your tv will turn on with a new install screen

            1. Zmodem

              Re: @zmodem again

              jumperless motherboards with a password, put them in a freezer and make them work again

  11. JeffyPoooh
    Pint

    It's hopeless...

    Everything is now software.

    USB controller chips in USB devices may have switched from ASICS to uCs, and so can be re-purposed to do their designer's bidding. Security scan your 32GB flash drive as much as you want, you won't find this. Maybe you shouldn't turn your back on your mouse, lest it suddenly pretend to be you.

    Mobile phones will have another layer of (re)programmable base-band chipsets below the OS. They could contain malware, just not as we know it Jim.

    It's hopeless. You can't even trust the kit brand new in the box.

  12. Christian Berger

    One should note that Secure Boot won't help in this case

    "Hacking Teams" customers were governments, and those can simply get any firmware image they want signed by the manufacturer or demand the private key from the manufacturer. Secure Boot may protect you from your random commercial malware, but those rarely go through the effort of trying to be persistent.

    Plus with Secure Boot you have no way of changing your own firmware, for example into some much simpler version of Coreboot.

    1. Voland's right hand Silver badge

      Re: One should note that Secure Boot won't help in this case

      and those can simply get any firmware image they want

      The government of DumbF***istan? Give me a break.

      Hacking team customers were small dictatorships operating under embargo or semi-embargo which could not purchase proper products from the big guys. Any such government making any demands along the lines you describe would have received a nice 3 finger salute response there and then.

      1. Christian Berger

        Re: One should note that Secure Boot won't help in this case

        "Hacking team customers were small dictatorships operating under embargo or semi-embargo which could not purchase proper products from the big guys."

        You mean like Germany and Belgium?

  13. David Roberts

    Mitigation?

    I've still seen no real explanation about mitigation.

    Regularly patching and applying BIOS/UEFI updates sound fine until you realise that the motherboard manufacturers aren't issuing any updates and patches.

    So will this work?

    (1) Remove all hard drives.

    (2) Reflash motherboard with latest BIOS/UEFI.

    (3) Boot from trusted CD.

    (4) Scan all the hard drives you removed (plus any external devices including memory sticks, camera cards etc.) with software which can remove the (possible) infection. This includes all backups.

    (5) Refit the hard drives and hope.

    Of course if you have a network of PCS and a file server for backups a full shut down and clean

    could be enormously time consuming.

    Or are they saying that it just can't be removed?

    1. Anonymous Coward
      Anonymous Coward

      Re: Mitigation?

      I suspect the latter. Why would a persistent malicious UEFI overwrite itself without either:

      1) Infecting the new image you're attempting to replace it with.

      2) Generating some spurious error message (e.g. proclaiming the new image is corrupt) to tell you to fuck off.

      3) Feigning a successful flash while actually doing nothing.

      4) Performing some other equally enjoyable ruse for us to savour.

      Now, if the chips weren't soldered onto the boards and encrusted with ever more elaborate tamper-proofing to obstruct their "owners" from taking ownership then we'd at least stand a chance of reprogramming them to our requirements. Of course that would rather defeat their purpose.

      All your computer are belong to U.S.

    2. Tom 13
      Black Helicopters

      Re: Mitigation?

      How do you know the latest BIOS/UEFI hasn't been compromised at the factory level?

      Yeah, when you start going this route, you're deep in black helicopter territory.

      1. Sir Runcible Spoon

        Re: Mitigation?

        Deploy a proxy using a whitelist.

        Anything that doesn't go via the proxy gets blocked.

        Of course, then you need to set up a proxy for your proxy etc :)

  14. Blacklight
    Windows

    So....

    Does BitLocker assist here?

    Assuming you've turned on the PCRs which check the BIOS and/or option ROMs haven't changed checksum, and you've got boot protection enabled (i.e. key/passphrase required) then the O/S should have a hissy fit on boot up, which should ring alarm bells?

    1. Christian Berger

      Re: So....

      Of course not, since the malware is used by people who can simply force the manufacturer to give them the private keys, they can just sign it themselves.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like