Fighting persistent malware with a UEFI scanner, or ‘What’s it all about UEFI?”

The short answer to the headline’s question is that a UEFI scanner is all about helping you protect your computer against people who seek to take it over by abusing its Unified Extensible Firmware Interface (UEFI). A successful attack on a system’s UEFI can give the attacker complete control of that system, including persistence: the ability to secretly maintain unauthorized access to the machine despite rebooting and/or reformatting of the hard drive.

As you can imagine, this form of persistence is not a virtue and can prolong the pain and inconvenience of a malicious code infection. If your security software only scan drives and memory, without scanning UEFI, it is possible to think you have a clean machine when you don’t, that’s why we recommend a security solution that scans it, like ESET.

Why does my device have a UEFI?

Computing devices work by executing code: the instructions that we call software and which make the hardware – such as a laptop or smartphone – do something useful. Code can be fed to the device in several ways. For example, it can be read from storage on a disk, held in memory, or delivered via a network connection. But when you power on a digital device it has to start somewhere (bootstrap), and that first piece of code is typically stored in a chip on the device. This code, referred to as firmware, may include a “power-on self-test” or POST to make sure things are working correctly, followed by the loading into memory of the basic instructions for handling input and output.

If you’ve been into computers for a while you might recognize this chip-based code as BIOS or Basic Input Output System. In fact, BIOS technology dates back to the 1970s and so it is not surprising that it would eventually struggle to meet the demands of today’s computers, a point made by my colleague, Cameron Camp, in this excellent article on UEFI scanning. As Cameron details, UEFI technology has evolved to replace BIOS, although some devices still refer to it as BIOS. (I’m tempted to say “Meet the new BIOS, same as the old BIOS” but UEFI is signifcantly different, and besides, this article already has a headline that exploits a classic lyric: “What’s it all about, Alfie?”)

“FOR MOST PEOPLE, THIS IS THE RIGHT QUESTION TO BE ASKING, AND THE RIGHT ANSWER WILL DEPEND ON WHO YOU ARE”

Technically, UEFI is a specification, maintained by the Unified Extensible Firmware Interface Forum (uefi.org). According to the forum, the specification defines a new model for the interface between personal computer operating systems and platform firmware, and it “consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its boot loader.” Without going into greater technical detail, UEFI added a great deal of functionality to the boot process, including some serious security measures (these are discussed in the  ESET white paper referenced by this article).

Unfortunately, the illicit benefits of devising code that can surreptitiously take over a system early in the boot process – generically referred to as a bootkit – are a powerful motivator to the folks who specialize in unauthorized access to digital devices. Such folks could be: cybercriminals; domestic and foreign agencies like NSA and CIA; and private companies that sell “surveillance tools” to governments.

For more details, check out the excellent article by my ESET colleague Cassius Puodzius that discusses these “threat actors” and their interest in UEFI. The broader topic of bootkit evolution from early days through 2012 is ably covered by ESET Senior Research Fellow, David Harley, in this article. You might also check out the paper “Bootkits, Past, Present, and Future”, presented at Virus Bulletin 2014. And of course there are plenty of technical papers on the UEFI Forum site.

So what’s my UEFI risk?

For most people, this is the right question to be asking, and the right answer will depend on who you are. For example, are you someone whose computer might be of interest to the NSA or CIA or other government entity that has the resources to invest in code that abuses UEFI, either its own code or a commercial surveillance product purchased from a commercial vendor? Are you using your computer to develop, review, or otherwise handle intellectual property worth stealing? If you answered either of those questions in the affirmative, then I would say you have an above average risk of encountering UEFI malware.

Currently, I am not aware of any large-scale, broadly-targeted criminal malware campaigns that exploit UEFI to attack the general public’s computer systems (if you know of any, please share the knowledge). However, even if you are not in a high risk category, I strongly suggest you still need security software with UEFI scanning capability. Why? Remember those three letter agencies that have been developing UEFI attacks? Well, they don’t have a stellar reputation for keeping their tools secret. In fact, the biggest news in malware so far this year has been WannaCryptor a.k.a. WannaCry, and one reason that particular ransomware spread so fast was because it used a “top secret” exploit developed by the NSA, an agency known to have dabbled in UEFI compromise.

In other words, we just don’t know when a new malware campaign that abuses UEFI to maintain persistence on compromised systems will appear in the wild. What I can say is that folks who are performing UEFI scans on a regular basis will be better prepared to protect their systems from future malware than people who are not. And that is what UEFI scanning is all about.

ESET latest endpoint security products now include an industry first UEFI scanning.

 

 

About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

 

About ESET

Founded in 1992, ESET is a global provider of security software for enterprises and consumers. ESET’s award-winning, antivirus software system, NOD32, provides real-time protection from known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 offers the smallest, fastest and most advanced protection available, with more Virus Bulletin 100 Awards than any other antivirus product. ESET was named to Deloitte’s Technology Fast 500 five years running, and has an extensive partner network, including corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava, SK; Bristol, U.K.; Buenos Aires, AR; Prague, CZ; San Diego, USA; and is represented worldwide in more than 100 countries. 

THREAT HUNTING WITH MENDEL

“Threat hunting,” or “cyber threat hunting” is the process of proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools and is done by a threat hunter or security analyst. It is essential for network security because it works to identify hidden threats within an existing set of network data.

Threat hunting utilizes manual techniques from the threat hunter and machine-assisted techniques, the combination of which aims to find Tactics, Techniques, and Procedures (TTPs) of advanced adversaries. While this methodology is both time-tested and effective, it is also time consuming, and can sometimes miss important clues in mountains of network data. In the article below, we will discuss not only what threat hunting is, but also how it can be made more efficient through the use of modern tools.

Download the article here.


About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

GREYCORTEX MENDEL DETECTS BADRABBIT

GREYCORTEX is happy to report that it is able to detect the BadRabbit ransomware. This ransomware appeared in Eastern Europe (Russia, Ukraine) but has begun to spread across several countries including South Korea, Poland, the Baltic, and regions. It uses an NSA-based exploit known as “EternalRomance” to enter networks and spreads by SMB port.

MENDEL is able to detect this ransomware in two different ways:

  • MENDEL’s integrated ruleset includes a rule specifically detecting the BadRabbit ransomware.
  • Independent from this IDS rule, MENDEL’s advanced artificial intelligence and machine learning detects the ransomware’s anomalous port sweep activity.

This detection capability demonstrates that MENDEL can identify unknown threats before rules are created in rules-based security tools. MENDEL provides network security teams vital extra time to protect their networks.

 

 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

“TALES FROM THE MALWARE LAB” IS LIVE!

Following the success of our video describing the WannaCry ransomware, we are happy to announce an ongoing series of YouTube videos: “Tales from the Malware Lab – Powered by GREYCORTEX.” In it, we will leverage our in-house malware lab, complete with the latest version of GREYCORTEX MENDEL to provide useful information about emerging network security threats in an easy-to-follow visual format.

 The videos will provide an overview of each threat’s activity within the network, and visualize these attacks from the network traffic analysis standpoint. We are releasing these videos as a public service to the greater network security community, which will benefit from this video-based approach to malware.

 The first video, addressing the “EternalRocks” malware, is available here: https://youtu.be/vI1lRi5e-SM


About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

GREYCORTEX PROTECTS AGAINST WANNACRY

GREYCORTEX is happy to report that MENDEL, our network traffic analysis solution, affirmatively detects infection by the WannaCry ransomware, its possible variants/clones, and protects users more effectively than rule-based detection tools alone.

Because GREYCORTEX MENDEL uses advanced artificial intelligence, machine learning, and data analysis to identify network anomalies, it easily identifies threats like WannaCry, allowing network security teams to take rapid action and stop threats before they do damage.

In the case of WannaCry, GREYCORTEX tested the ransomware in our malware lab. It was found to engage in aggressive and anomalous practices, like port-scanning behavior on an SMB port (445), attempting to connect to over 4000 devices in 175 countries across the Internet in five minutes, and downloading TOR network software. All of these behaviors were identified by MENDEL’s advanced network behavior analysis.

MENDEL users are better protected from malware like WannaCry and its variants/clones than users of firewall, IDS, or other rule-based security solutions alone. Rule-based security solutions require a known malware signature in order to create a rule. This means an attack must happen before the signature of the attack can be added as a rule. MENDEL doesn’t need a signature to identify the attack. It’s network behavior analysis features detect the attack’s symptoms before it harms the network. This means security teams have the peace of mind to know that should an attack happen, they will see it, and be able to stop it before it does damage.

If you are concerned about malware attacks, either from WannaCry or from other ransomware or malware, you may benefit from a 30 day Proof of Concept (PoC) from GREYCORTEX. During the PoC, MENDEL automatically learns your network to identify threats which may exist, including ransomware which is lying dormant in your network, or unpatched applications, which may leave you vulnerable. Do not hesitate to contact your network security professional, or GREYCORTEX  directly to arrange a PoC.

 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.