> Computrace/Lo Jack is a legitimate application that is factory installed into the firmware of nearly every laptop in the world, of all varieties. The idea is that if your laptop gets stolen, you can find it, and/or wipe it remotely. This is obviously good, and useful.
How is this so? No one's ever mentioned this when talking about stolen laptops. They talk about high level software like Prey or whatever Apple uses. How would you use this to find your laptop? There's a central server that almost every laptop on earth talks to? Seems highly doubtful.
> The software agent behaves like rootkit (bootkit), reinstalling a small installer agent into the Windows OS at boot time. This installer later downloads the full agent from Absolute's servers via the internet. This installer (small agent) is vulnerable to certain local attacks
There is not just a single explanation, but I'll give it a go. 1) Many industry titans such as MS, Apple and Monsanto, just as examples, have encouraged employees to participate in forums like this in order to affect conversations and influence debates, so real users of a strong bias against uncomfortable truths/facts use down votes in a way not intended. 2) from those same types of companies, sockpuppetry has become a pervasive and powerful item in their toolbelt, accomplishing the same as above but with inorganic users and on a large scale. 3) HN has some extremely good commentators, some who have been around for a long time, but I have noticed a large careening away from the type of hackeristic dogged pursuit of truth and lack of fear of attacking power that seemed to be the core of HN in its earlier days. in particular, since the user protested and ignored rule change to "don't be negative" , where heated debates between truth to power speakers and status quo speakers tend to bring the hammer down on those against the status quo. Hence why I say HN seems to me to have become much More than ever before, MBAs who pretend to be hackers, instead of the other way around. 4) As a greybeard sysadmin type, I think many users suffer from Stockholm syndrome, and will blindly downvote (usually with no comment) attacks against their kidnappers, even if truthful.
I started spending more time here specifically because these problems became more pervasive on reddit. Seems like the same thing is happening here now.
Unfortunately I don't. one thing to keep in mind is that More specialized and specific forums tend to maintain that vibe, so instead of more generalized forums find the niche ones and watch em on RSS.
I also still enjoy irc, usenet, and deepnet sites (such as onion sites, etc) for the less mainstream, old school hacker vibe.
1. Are there any probable/plausible examples of such manipulation? I say this from a 100% naive standpoint - literally: I've never seen it myself, so it unfortunately does work. Not to say I doubt it exists; I've read about the concept enough times that I accept that it exists.
2. Regarding (3), do you think it would be possible to cultivate that mindset again, in a different setting/environment, or are these trends influenced by the contemporary status quo? :/
2a. If you _do_ think it might be possible, I'm very interested to absorb ideas on how to create constructive discussions online. People have had more than enough interactions with the current mainstream (twitter, facebook, reddit, here, etc) to probably have _some_ idea on how to massively improve tooling/UX/etc.
2) I do think it is possible, but it is much more difficult to gain those users back who have fled due to those issues. It would require a public shift in forum management style that openly acknowledges it's issues, which especially in a place like this would be hard because for the most part dang et al actually do a great job and the issues we are talking about are very nuanced...
2a) If you come to some conclusions on this I'd like to hear them too. Its something I think about often, and I'm yet to find some silver bullet. I tend to gravitate towards some mishmash of past techniques, for example, I really liked Slashdot mod system, where random users were given mod ability, and instead of just points, you could label something informative, funny, etc. I also think exclusivity can be a boon, so for example invite-only forums or some other exclusion method can naturally curate conversations, but on the flip side you will tend to keep otherwise good commentators silent that way. steemit's idea of monetization via crypto of good content is another approach... none of them alone seems to be enough...
One idea I've had that's technically challenging would be some sort of AI comment judge with preselected criteria, so let's say a commentor makes many logically fallacious comments, then that person gets a temp-ban.
Another has been just purely based on comment depth/length. If a user often goes in depth, a few one sentence quips would reduce their score-weight but they could still post, but another user who only does one line quips would get a temp-ban.
in short, I don't know, but whoever figures this out is going to be a big deal
I don’t know about Monsanto, but I have knowledge of the social media policies of both Apple and MS and you couldn’t be more wrong. Don’t mistake personal bias/company pride for an organized sock puppet campaign.
MS allows its employees to comment on matters in a personal capacity with a disclaimer indicating such.
Apple employees are not supposed to comment at all, and can be terminated for doing so.
Both explicity forbid shilling, and there is no encouragement by the company to do anything like what you’re describing. This should be obvious if one considers how many lawyers they employ whose sole job it is to prevent them from being sued, charged, or investigated.
I know folks at both companies, and while everyone is unique, I noticed that many have a lot of pride in their employer, have a strong dislike for competitors, and would likely engage in expressing their disagreement voluntarily.
Your comment is incorrect as applied to the actual rootkit being discussed. It's (arguably) factually correct in isolation, but misleading.
> UEFI let’s the FW signal to the OS upon boot “please install this driver blindly”, but it can’t force the OS.
> Only Windows obliges to this request. Linux is immune.
UEFI firmware runs before the OS and with greater privileges – e.g. it has control over System Management Mode (SMM), which is hidden from the OS. It can force the OS to do whatever it wants. For example, it can modify system files on disk, which should be enough to compromise most Linux installations. If that isn't possible (because something verifies the files), it could, e.g., patch the next stage bootloader it loads (which could be GRUB or the kernel itself via EFISTUB), in memory before executing it. Or, as an easier approach, it could just add a SMI handler that patches the kernel later on.
It is true that Windows 8 and later exposes a way for UEFI to "ask it nicely" to load a given driver, without having to patch anything, namely the WPBT (Windows Platform Binary Table). As you note, this is the mechanism Lenovo used to persist Superfish. The reason it exists, however, is for anti-theft software such as Computrace/LoJack. Earlier versions of Computrace took a "brute force" route to installing its persistence driver, patching system files on disk, and there wasn't really anything Microsoft could do to stop it. So instead they decided to give them a sanctioned route to accomplish the same thing, which at least is less likely to break something in the process.
However, at least according to the white paper, the LoJax UEFI rootkit does not use WPBT at all. Instead it uses an approach that seems to be inspired by older (pre-WPBT) versions of Computrace. [1] Specifically, it drops a binary "autoche.exe" into the filesystem, then modifies the registry to execute autoche.exe on boot instead of the normal autochk.exe (note that the last letter is different).
Thus, WPBT is irrelevant in this case. The malware hijacks Windows by modifying its filesystem, and if the authors cared enough to target Linux, they could hijack most Linux installations the same way (and all installations with a somewhat more difficult approach). But then, even if some piece of malware did decide to use WPBT when targeting Windows, it could still use the more elaborate methods to target Linux. At most, WPBT makes it slightly easier for UEFI malware to target Windows than it would otherwise be. But it really doesn't make much difference.
[1] To clarify: As the white paper describes, a later stage of the bootstrap, rpcnetp.exe, is actually copied from an older version of Computrace and merely patched to change the C&C server address. However, the UEFI part of the malware is custom, and merely uses a similar (but slightly different) overall approach. Computrace's own UEFI driver worked by actually modifying autochk.exe, whereas the malware modifies the registry to execute a different filename instead.
Is there anything that prevents the FW from writing to the disk directly? Or patching the OS kernel in memory? Unless there are actually security mechanisms in place to assure that firmware can only politly request the OS to do something, then it is only a matter of best practices and ease that that is the mechanism used.
You probably shouldn't be. All this "fanboying" annoys the hell out of people because faboys are constantly trying to sell linux as the solution to all problems, and then when people give them reasons why linux isn't a solution to their problems they get really defensive and start using canned excuses like "well it works for me", "you didn't pick the right distro", "normal users don't need that", "you need to research your hardware", "you have the source so you could fix it yourself", or even "Windows/MacOS have problems too!".
The community alone is enough reason to avoid linux.
note: in this instance, "linux" is being used as shorthad for "the GNU/Linux Desktop".
> You probably shouldn't be. All this "fanboying" annoys the hell out of people because faboys are constantly trying to sell linux as the solution to all problems ...
This is true for nearly anything imaginable, not just Linux.
> The community alone is enough reason to avoid linux.
If you selectively pick the worst of any given (tech related) community, you'd probably be using nothing.
That's definitely why you're hanging out on a website built for armchair intellectuals. There's definitely no bias on the selection of people who visit and comment here. /s
Clearly you've had some frustrations using GNU/Linux, and I'm sorry you've had to deal with that. It must be really upsetting to have your problems disregarded like that by other people, and not being listened to.
However, it's also quite inappropriate to completely ignore the main point of someone else's comment and vent all these frustrations on them for using the informal term "fanboying", and I don't think that doing so contributes anything to the current discussion about whether GNU/Linux is vulnerable to this rootkit.
What's stopping firmware from patching GRUB to patch the kernel to do things it's not supposed to do? There is nothing inherent to Linux that makes it invulnerable to this kind of thing.
If you can't trust the underlying hardware or firmware, you cannot trust the machine.
But there's no technical reason this behavior must be Windows-only; it's just that way now because Linux isn't a business priority. The fundamental architecture, where UEFI software can write to a filesystem on the disk, applies to Linux installs just as much as Windows.
Using Linux is likely a good move, and encrypting your filesystem even better. But both of these could be defeated by an appropriately targeted UEFI program. I get the appeal for an enterprise that wants a chance at remotely tracking a stolen laptop, but now we can see how much power can be misappropriated when the system is compromised.
The problem here is not UEFI software being able to do nasty things to your OS disk.
Anything launched prior to your OS can do that, like boot-sector viruses of the old days.
What’s different here is how someone (with luck) can infect your firmware stealthily and deploy a UEFI payload (typically intended to provide base HW drivers with a machine) which Windows will actively detect and install and run without question.
And thus the initial agent gets deployed and installed.
Windows installs the root kit into its own FS, all by itself.
But only on Windows, because Linux does NOT look for or use that UEFI driver payload.
Linux is immune to this attack. Really.
If your entire firmware gets corrupted and replaced by a hostile material, obviously you’re screwed, but what is the chances of that happening and your machine booting?
At these levels Linux doesn't need to include the functionality. This operates below the kernel and can include its own functionality without the Kernel ever seeing it present.
Where this code lives they can sit passively by until you've decrypted your hard drive (capturing your key in the process), patch the kernel with a rootkit, and start processes or drop files that will be invisible and inaccessible to even other kernel processes.
This isn't a vulnerability in Windows, or Linux. This is drinking from a polluted pool before they come into existence and poisoning the system.
You are describing some sort of firmware modification attack. That is not what this is. If the software stub is not actively downloaded by the OS then it can't run. This exploit is very specific to a bonehead thing Windows does. No other OS (e.g. Linux) would be vulnerable.
You're talking about an attack against the agent this is designed to download, or you don't understand what a UEFI attack is. This is an attack against the UEFI part, not the agent. This isn't firmware, but it is pre-bootloader. UEFI is the bootloader that loads your bootloader and is stored not on your hard drive.
If software at this level is malicious, it has equal privileges as your BIOS before any kernel gets loaded. It doesn't matter what the operating system is, it just has to be designed for it. It can return TPM approved checksums to your kernel and continue a secure boot as long as it knew what those checksums were before it modified them. Oh you use an external drive for your unencrypted boot partition? That can be modified as it is read off disk, before you're ever prompted for a disk passphrase, and it will report the correct checksum before it gets loaded.
This is a vicious level of access for malicious software, and it is OS agnostic as far as the attack goes. THIS instance is Windows only because that is what it was targeted at.
Use full disk encryption - unlike Microsoft Bitlocker which left backdoors for LoJack, linux vulnerabilities are publicized and you can update as soon as the patch appears on the internet.
Switch to a filesystem that the UEFI malware does not understand. Or move fields and magic numbers around in an existing filesystem to create a "custom" filesystem.
Maybe against this specific vulnerability, but with firmware (e.g. Intel ME) running in ring -3, it could in principle inject itself into any (ring 0) kernel.
You might be in the clear, but make sure you've traversed every menu and sub-menu in the BIOS configuration. One of my laptops -- I don't recall which, sorry -- has the settings located a few levels deep with some very unsuspecting terminology. Even when I was looking specifically for it (I knew it was in there!), it took me a few minutes to actually find it.
Also, WRT turning it off, there are typically two options: deactivate and disable. One is just "temporary" (in that it can be turned back on later), the other is (supposedly) permanent and "impossible" to revert. Make sure you choose the right one (for you).
You’d hope that’s unlikely, but unfortunately it is not. Microsoft left a backdoor in UEFI/Bootlocker to specifically support this.
It’s also had a history of major security issues, and a vendor who does not understand how to deal with vulnerability reports.
They aren’t on Apple laptops though, just most OEMs.
Personally, I think it’s absolutely fantastic that this has finally been publicly exploited in the wild and repurposed for malicious purposes, because this was called out as an obvious threat almost 10 years ago now, and none of the vendors took it seriously or cared. Now they can’t ignore it with the “we have no reports of any customers being attacked” deflection and they will likely face far more scrutiny. It’s just like what happened with the Intel ME staying under the radar for so long, but at least to Intel’s credit, they actually attempted to build security in.
ekianjo's wikipedia link describes how it works: tracking is still done by a high-level software agent, the firmware part is there to make sure that it is present on the filesystem each time the machine boots, making it survive Windows reinstalls.
- Put secure software in the lowest ring possible to make it more secure
- "The good can use it against the bad" but not the other way round
- Proof of ownership based on "I said it first"
- Of course, closed source, because security
Sorry for the tinfoil interpretation, but I believe it's hard to convince every company to (most likely) pay for this stuff without some sort of coercion.
Looks to me like Intel ME, secure platform processors, mandatory backdoors for devices, and the likes.
> Computrace/Lo Jack is a legitimate application that is factory installed into the firmware of nearly every laptop in the world, of all varieties. The idea is that if your laptop gets stolen, you can find it, and/or wipe it remotely. This is obviously good, and useful.
This is useful, but not obviously good. It's good only if it's securely implemented, but as a user, I'm not sure. I've disabled Computrace on every laptop I own, and now stopped worrying about it after installing coreboot.
Kind of a shame that security houses are doing legitimate research, but the products they release just don't have the same effectiveness they used to. If sales of antivirus is dropping, where will they get their funding from? Perhaps there needs to be some new approaches to anti-virus. The old fire and forget method doesn't work anymore, and lots of people/organisations don't realise that yet. But it won't be like that forever.
> the products they release just don't have the same effectiveness they used to. If sales of antivirus is dropping, where will they get their funding from?
Anti-virus software was very easy to circumvent in the past. Getting the kernel32 address from the PEB, having your own PE loader and having most code xored with the Mersenne twister output in the data segment for obfuscation, as well as some runtime is_sandbox() heuristics and no AV would detect anything malicious.
Don't know if it got better or worse, but AV software was not very good at finding malicious code explicitly written to not run in plain sight in the past.
AV isn’t good at finding malicious code that hasn’t been discovered and classified but it’s also pretty unlikely that you’ll encounter one unless you are a high value target which is being actively targeted.
Having Windows Defender on is sufficient for the casual threats most people would encounter.
And for many things WD is simply much better than any solution this includes offline removal of rootkits (it can boot into a WinPE environment for a scan) and Ransomware protection where Windows Defender can restrict apps from accessing folders that tend to keep user data: https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/...
Basically if you have Windows 7, 8 or 10 keep Windows Defender on it actually does work.
> it’s also pretty unlikely that you’ll encounter [malicious code that hasn’t been discovered and classified] unless you are a high value target which is being actively targeted.
No this is simply what they are good at it's like a vaccine it won't help you against mutations or something that was engineered but it's not a reason to not vaccinate when it's does cover a large number of other infectious diseases.
So unless you going to say that vaccination is survivorship bias because we don't have them against some diseases I really don't see your point.
Windows Defender will block virtually every common infection these are what most people get hit by, it will also block virtually all ransomware and you can see just how much the ransomware "market" got hit once they implemented it to see that it is effective.
Yes it won't protect you against NSA or some high end hacking group that writes completely custom malware to target single individuals but you are also not likely being the target of these.
But you are likely be target of the 1000's of known threats that are spread through driveby attacks, infected media and pretty old stuff you'll be surprised just how common 5 year old infections still are.
They still have corporate clients that need AV for “compliance”, AV isn’t totally useless unless you are a high value target that said with Windows using anything other than Windows Defender is a waste of money these days for the casual known threat it’s good enough.
If you share removeable media with other people and have people who use your computer or on your network that aren’t exactly security conscious it’s not a terrible idea to have it enabled.
Slightly OT, but you would be surprised at how much power PDFs have (especially when opened in Adobe Acrobat/Reader). I recently came across this monstrosity[1] on HN, and the author mentions this:
> Scripts can supposedly do things like make arbitrary database connections, detect attached monitors, import external resources, and manipulate 3D objects.
That's an unprecedented level of power for what is supposedly a simple document format.
That being said, PDFs are only a threat when opened in a with support for these obscure APIs, such as Adobe's own readers. You (probably) will be fine opening untrusted PDFs in Chrome's PDF reader (PDFium) and Preview.
There were multiple vulnerabilities related to PDF parsing in Adobe/Acrobat Reader/, firefox (pdf.js) and document viewers(libpopler, Okular).
Also, there was a "game of life" implementation in PostScript and you can expect same level of capabilities in PDF.
PostScript at least has the excuse that it _is_ a programming language (for assembling documents for printing, but still a proper programming language) while PDF is supposed to be a fixed document format. PDF has far too much power for what it is supposed to do.
Microsoft got it right with (O)XPS -- none of that dynamic stuff that lets you do all kinds of naughty things to the system with a properly formed document like PDF can do.
> Microsoft got it right with (O)XPS -- none of that dynamic stuff that lets you do all kinds of naughty things to the system with a properly formed document like PDF can do.
On the other hand, they also get it wrong with other things and we end up with SYSTEM-level compromises due to a vulnerability in a font!
This is very interesting, to be sure, and I commend everyone involved for their work in exposing this stuff. But does anyone else get irked by the style of writing? He’s alternating between implying complete assuredness and being excessively vague:
> (2) The perps are probably a Russian hacking group (military, KGB, FSB, or something similar), known by a bunch of names, but I call them Fancy Bear, for no particular reason other than it was the first name I knew them by, and it's a neat name. These are the same guys that (probably) broke into a factory in Taiwan in Feb 2018, and modified firmware in a bunch of computers, headed for the German government.
How could he possibly be so sure (that he implies) that this is the same group? Sure, he adds a couple of “probably”s, but the style is completely undoubting.
Then, later:
> (6) Interestingly, the modus operandi of the Lenovo rootkit and the modified Lo Jacks, are _remarkably_ similar. This might be pure coincidence… or … maybe something else.
Maybe what? Why is he being cagey about what it could be? It looks like he wants the reader to feel like the “in”-group who knows what he means, but in reality nobody does.
I didn't get the impression that he was trying to imply anything beyond what he wrote... I think it was very clear that such speculation had no backing and was purely that- speculation.
Worth noting this important caveat mentioned in the article:
> "The tool described above is able to update the system’s firmware only if the SPI flash memory protections are vulnerable or misconfigured. Thus, you should make sure that you are using the latest available UEFI/BIOS available for your motherboard. Also, as the exploited vulnerability affects only older chipsets, make sure that critical systems have modern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008)."
FWIW, some BIOSes have a setting to disable "remote" firmware updates -- although I certainly cannot speak for how reliable that is (and, judging by past experiences, it isn't very reliable at all).
The Lo Jack stuff is a red herring. The main attack vector is SPI write protection bypass. I'm not sure what they used to get local root though. Once you can write to the SPI flash, you can write whatever you want, lojack or not. And this uses some old known vulnerabilities for SPI write bypass. There have been some of those over the years. I had to use one myself to bypass wifi whitelists in lenovo bioses. I don't think this would work on platforms with boot-guard though.
that's correct, something like SecureBoot would have prevented this as the signatures wouldn't have been able to be verified and therefore never proceeded.
The root of the problem that old BIOSes wrote their configuration into the CMOS memory, while all UEFI-based firmware storing configuration right in the SPI flash itself. Changing the values of variables every boot, sometimes performing "garbage collection" for compressing the size. Moreover, ME-like systems also write into the flash, sometimes even logging events. Every single boot, this is how it was designed.
Using flashrom [1] you can dump the contents of your SPI flash for the inspection and open the image with UEFITool [2]. Both tools are opensource and developed for years. Some people recommend to use chipsec [3], but it can less in terms of dumping and unpacking. The state of security in UEFI firmware is horrible, thing is overengineered and poorly written (bad code practices). Not to mention Intel ME/AMT/etc that also provide the easy way for attacker to persist and hide itself once compromised. Projects like coreboot [4] and vendors like Purism [5] allow the tighter control of your own hardware, but thanks to Intel it still has a lot of blobs of a bad code. Apple realized they can't trust Intel and other "BIOS" writers, so working on improving the security and codebase. Thus the state of affairs is slightly better on Macbooks. I believe x86 firmware world is beyond any hope to get any better and everyone should focus on building better hardware/architectures from scratch. Hopefully companies like Raptor Engineering [6] can shift the mindset of consumers.
You are probably talking about data loss. That's what online backup is for. My recommendation to non-technical people is to do what I do: have one four-word password that unlocks the computer, their password manager, and the online backup. Typing the password every day to unlock the computer makes super sure they won't forget it.
But yes, not letting people reset their computer by accident is just good user interface.
88 comments
[ 2.9 ms ] story [ 151 ms ] threadHow is this so? No one's ever mentioned this when talking about stolen laptops. They talk about high level software like Prey or whatever Apple uses. How would you use this to find your laptop? There's a central server that almost every laptop on earth talks to? Seems highly doubtful.
And once again Linux is a solution.
Only Windows obliges to this request. Linux is immune.
I’m baffled to say the least.
[1] https://news.ycombinator.com/item?id=10039870
Any suggestions on where to go next?
I also still enjoy irc, usenet, and deepnet sites (such as onion sites, etc) for the less mainstream, old school hacker vibe.
1. Are there any probable/plausible examples of such manipulation? I say this from a 100% naive standpoint - literally: I've never seen it myself, so it unfortunately does work. Not to say I doubt it exists; I've read about the concept enough times that I accept that it exists.
2. Regarding (3), do you think it would be possible to cultivate that mindset again, in a different setting/environment, or are these trends influenced by the contemporary status quo? :/
2a. If you _do_ think it might be possible, I'm very interested to absorb ideas on how to create constructive discussions online. People have had more than enough interactions with the current mainstream (twitter, facebook, reddit, here, etc) to probably have _some_ idea on how to massively improve tooling/UX/etc.
2) I do think it is possible, but it is much more difficult to gain those users back who have fled due to those issues. It would require a public shift in forum management style that openly acknowledges it's issues, which especially in a place like this would be hard because for the most part dang et al actually do a great job and the issues we are talking about are very nuanced...
2a) If you come to some conclusions on this I'd like to hear them too. Its something I think about often, and I'm yet to find some silver bullet. I tend to gravitate towards some mishmash of past techniques, for example, I really liked Slashdot mod system, where random users were given mod ability, and instead of just points, you could label something informative, funny, etc. I also think exclusivity can be a boon, so for example invite-only forums or some other exclusion method can naturally curate conversations, but on the flip side you will tend to keep otherwise good commentators silent that way. steemit's idea of monetization via crypto of good content is another approach... none of them alone seems to be enough...
One idea I've had that's technically challenging would be some sort of AI comment judge with preselected criteria, so let's say a commentor makes many logically fallacious comments, then that person gets a temp-ban.
Another has been just purely based on comment depth/length. If a user often goes in depth, a few one sentence quips would reduce their score-weight but they could still post, but another user who only does one line quips would get a temp-ban.
in short, I don't know, but whoever figures this out is going to be a big deal
MS allows its employees to comment on matters in a personal capacity with a disclaimer indicating such.
Apple employees are not supposed to comment at all, and can be terminated for doing so.
Both explicity forbid shilling, and there is no encouragement by the company to do anything like what you’re describing. This should be obvious if one considers how many lawyers they employ whose sole job it is to prevent them from being sued, charged, or investigated.
I know folks at both companies, and while everyone is unique, I noticed that many have a lot of pride in their employer, have a strong dislike for competitors, and would likely engage in expressing their disagreement voluntarily.
> UEFI let’s the FW signal to the OS upon boot “please install this driver blindly”, but it can’t force the OS.
> Only Windows obliges to this request. Linux is immune.
UEFI firmware runs before the OS and with greater privileges – e.g. it has control over System Management Mode (SMM), which is hidden from the OS. It can force the OS to do whatever it wants. For example, it can modify system files on disk, which should be enough to compromise most Linux installations. If that isn't possible (because something verifies the files), it could, e.g., patch the next stage bootloader it loads (which could be GRUB or the kernel itself via EFISTUB), in memory before executing it. Or, as an easier approach, it could just add a SMI handler that patches the kernel later on.
It is true that Windows 8 and later exposes a way for UEFI to "ask it nicely" to load a given driver, without having to patch anything, namely the WPBT (Windows Platform Binary Table). As you note, this is the mechanism Lenovo used to persist Superfish. The reason it exists, however, is for anti-theft software such as Computrace/LoJack. Earlier versions of Computrace took a "brute force" route to installing its persistence driver, patching system files on disk, and there wasn't really anything Microsoft could do to stop it. So instead they decided to give them a sanctioned route to accomplish the same thing, which at least is less likely to break something in the process.
However, at least according to the white paper, the LoJax UEFI rootkit does not use WPBT at all. Instead it uses an approach that seems to be inspired by older (pre-WPBT) versions of Computrace. [1] Specifically, it drops a binary "autoche.exe" into the filesystem, then modifies the registry to execute autoche.exe on boot instead of the normal autochk.exe (note that the last letter is different).
Thus, WPBT is irrelevant in this case. The malware hijacks Windows by modifying its filesystem, and if the authors cared enough to target Linux, they could hijack most Linux installations the same way (and all installations with a somewhat more difficult approach). But then, even if some piece of malware did decide to use WPBT when targeting Windows, it could still use the more elaborate methods to target Linux. At most, WPBT makes it slightly easier for UEFI malware to target Windows than it would otherwise be. But it really doesn't make much difference.
[1] To clarify: As the white paper describes, a later stage of the bootstrap, rpcnetp.exe, is actually copied from an older version of Computrace and merely patched to change the C&C server address. However, the UEFI part of the malware is custom, and merely uses a similar (but slightly different) overall approach. Computrace's own UEFI driver worked by actually modifying autochk.exe, whereas the malware modifies the registry to execute a different filename instead.
You probably shouldn't be. All this "fanboying" annoys the hell out of people because faboys are constantly trying to sell linux as the solution to all problems, and then when people give them reasons why linux isn't a solution to their problems they get really defensive and start using canned excuses like "well it works for me", "you didn't pick the right distro", "normal users don't need that", "you need to research your hardware", "you have the source so you could fix it yourself", or even "Windows/MacOS have problems too!".
The community alone is enough reason to avoid linux.
note: in this instance, "linux" is being used as shorthad for "the GNU/Linux Desktop".
This is true for nearly anything imaginable, not just Linux.
> The community alone is enough reason to avoid linux.
If you selectively pick the worst of any given (tech related) community, you'd probably be using nothing.
Yes, it is, but that doesn't mean you should be doing it if you actually care about linux.
> If you selectively pick the worst of any given (tech related) community, you'd probably be using nothing.
I'm not selectively picking anything. This is the part of the community I am constantly exposed to because it is the part that evangelizes.
That's definitely why you're hanging out on a website built for armchair intellectuals. There's definitely no bias on the selection of people who visit and comment here. /s
However, it's also quite inappropriate to completely ignore the main point of someone else's comment and vent all these frustrations on them for using the informal term "fanboying", and I don't think that doing so contributes anything to the current discussion about whether GNU/Linux is vulnerable to this rootkit.
Certainly not. The exploit depends on Windows-specific and Windows-only behavior[1].
[1] https://news.ycombinator.com/item?id=10039870
What's stopping firmware from patching GRUB to patch the kernel to do things it's not supposed to do? There is nothing inherent to Linux that makes it invulnerable to this kind of thing.
If you can't trust the underlying hardware or firmware, you cannot trust the machine.
Using Linux is likely a good move, and encrypting your filesystem even better. But both of these could be defeated by an appropriately targeted UEFI program. I get the appeal for an enterprise that wants a chance at remotely tracking a stolen laptop, but now we can see how much power can be misappropriated when the system is compromised.
Anything launched prior to your OS can do that, like boot-sector viruses of the old days.
What’s different here is how someone (with luck) can infect your firmware stealthily and deploy a UEFI payload (typically intended to provide base HW drivers with a machine) which Windows will actively detect and install and run without question.
And thus the initial agent gets deployed and installed.
Windows installs the root kit into its own FS, all by itself.
But only on Windows, because Linux does NOT look for or use that UEFI driver payload.
Linux is immune to this attack. Really.
If your entire firmware gets corrupted and replaced by a hostile material, obviously you’re screwed, but what is the chances of that happening and your machine booting?
Where this code lives they can sit passively by until you've decrypted your hard drive (capturing your key in the process), patch the kernel with a rootkit, and start processes or drop files that will be invisible and inaccessible to even other kernel processes.
This isn't a vulnerability in Windows, or Linux. This is drinking from a polluted pool before they come into existence and poisoning the system.
If software at this level is malicious, it has equal privileges as your BIOS before any kernel gets loaded. It doesn't matter what the operating system is, it just has to be designed for it. It can return TPM approved checksums to your kernel and continue a secure boot as long as it knew what those checksums were before it modified them. Oh you use an external drive for your unencrypted boot partition? That can be modified as it is read off disk, before you're ever prompted for a disk passphrase, and it will report the correct checksum before it gets loaded.
This is a vicious level of access for malicious software, and it is OS agnostic as far as the attack goes. THIS instance is Windows only because that is what it was targeted at.
Does it need to? Is there anything stopping the firmware dropping, say, a systemd service on the disc?
Disable UEFI. https://github.com/corna/me_cleaner
Disable the ACPI hooks that register the kernel with UEFI. http://heim.ifi.uio.no/~knuto/kernel/4.14/admin-guide/kernel...
Use full disk encryption - unlike Microsoft Bitlocker which left backdoors for LoJack, linux vulnerabilities are publicized and you can update as soon as the patch appears on the internet.
Switch to a filesystem that the UEFI malware does not understand. Or move fields and magic numbers around in an existing filesystem to create a "custom" filesystem.
Or a combination of all of the above.
Also, WRT turning it off, there are typically two options: deactivate and disable. One is just "temporary" (in that it can be turned back on later), the other is (supposedly) permanent and "impossible" to revert. Make sure you choose the right one (for you).
It’s also had a history of major security issues, and a vendor who does not understand how to deal with vulnerability reports.
They aren’t on Apple laptops though, just most OEMs.
Personally, I think it’s absolutely fantastic that this has finally been publicly exploited in the wild and repurposed for malicious purposes, because this was called out as an obvious threat almost 10 years ago now, and none of the vendors took it seriously or cared. Now they can’t ignore it with the “we have no reports of any customers being attacked” deflection and they will likely face far more scrutiny. It’s just like what happened with the Intel ME staying under the radar for so long, but at least to Intel’s credit, they actually attempted to build security in.
- Install more software to make it more secure
- Put secure software in the lowest ring possible to make it more secure
- "The good can use it against the bad" but not the other way round
- Proof of ownership based on "I said it first"
- Of course, closed source, because security
Sorry for the tinfoil interpretation, but I believe it's hard to convince every company to (most likely) pay for this stuff without some sort of coercion.
Looks to me like Intel ME, secure platform processors, mandatory backdoors for devices, and the likes.
This is useful, but not obviously good. It's good only if it's securely implemented, but as a user, I'm not sure. I've disabled Computrace on every laptop I own, and now stopped worrying about it after installing coreboot.
Anti-virus software was very easy to circumvent in the past. Getting the kernel32 address from the PEB, having your own PE loader and having most code xored with the Mersenne twister output in the data segment for obfuscation, as well as some runtime is_sandbox() heuristics and no AV would detect anything malicious.
Don't know if it got better or worse, but AV software was not very good at finding malicious code explicitly written to not run in plain sight in the past.
Having Windows Defender on is sufficient for the casual threats most people would encounter.
And for many things WD is simply much better than any solution this includes offline removal of rootkits (it can boot into a WinPE environment for a scan) and Ransomware protection where Windows Defender can restrict apps from accessing folders that tend to keep user data: https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/...
Basically if you have Windows 7, 8 or 10 keep Windows Defender on it actually does work.
This sounds much like survivorship bias to me.
So unless you going to say that vaccination is survivorship bias because we don't have them against some diseases I really don't see your point.
Windows Defender will block virtually every common infection these are what most people get hit by, it will also block virtually all ransomware and you can see just how much the ransomware "market" got hit once they implemented it to see that it is effective.
Yes it won't protect you against NSA or some high end hacking group that writes completely custom malware to target single individuals but you are also not likely being the target of these.
But you are likely be target of the 1000's of known threats that are spread through driveby attacks, infected media and pretty old stuff you'll be surprised just how common 5 year old infections still are.
If you share removeable media with other people and have people who use your computer or on your network that aren’t exactly security conscious it’s not a terrible idea to have it enabled.
https://www.theregister.co.uk/2018/09/28/uefi_rootkit_apt28/
https://www.welivesecurity.com/wp-content/uploads/2018/09/ES...
I don’t know why security-conscious people would willingly load a PDF but there you go.
> Scripts can supposedly do things like make arbitrary database connections, detect attached monitors, import external resources, and manipulate 3D objects.
That's an unprecedented level of power for what is supposedly a simple document format.
That being said, PDFs are only a threat when opened in a with support for these obscure APIs, such as Adobe's own readers. You (probably) will be fine opening untrusted PDFs in Chrome's PDF reader (PDFium) and Preview.
[1]: https://github.com/osnr/horrifying-pdf-experiments
Not that PDFium is any worse than Adobe, but certainly not much better.
Microsoft got it right with (O)XPS -- none of that dynamic stuff that lets you do all kinds of naughty things to the system with a properly formed document like PDF can do.
PDF is not just a representation of paper, you can for instance also build forms.
It would be nice if there was a separate ‘static paper’ only extension/mime type but there isn’t.
On the other hand, they also get it wrong with other things and we end up with SYSTEM-level compromises due to a vulnerability in a font!
> (2) The perps are probably a Russian hacking group (military, KGB, FSB, or something similar), known by a bunch of names, but I call them Fancy Bear, for no particular reason other than it was the first name I knew them by, and it's a neat name. These are the same guys that (probably) broke into a factory in Taiwan in Feb 2018, and modified firmware in a bunch of computers, headed for the German government.
How could he possibly be so sure (that he implies) that this is the same group? Sure, he adds a couple of “probably”s, but the style is completely undoubting.
Then, later:
> (6) Interestingly, the modus operandi of the Lenovo rootkit and the modified Lo Jacks, are _remarkably_ similar. This might be pure coincidence… or … maybe something else.
Maybe what? Why is he being cagey about what it could be? It looks like he wants the reader to feel like the “in”-group who knows what he means, but in reality nobody does.
> "The tool described above is able to update the system’s firmware only if the SPI flash memory protections are vulnerable or misconfigured. Thus, you should make sure that you are using the latest available UEFI/BIOS available for your motherboard. Also, as the exploited vulnerability affects only older chipsets, make sure that critical systems have modern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008)."
Does the SPI chip have a write protect line? Or could it be subbed with one that does?
[1] https://flashrom.org/Flashrom
[2] https://github.com/LongSoft/UEFITool
[3] https://github.com/chipsec/chipsec
[4] http://coreboot.org/
[5] https://puri.sm/
[6] https://www.raptorcs.com/content/base/products.html
But yes, not letting people reset their computer by accident is just good user interface.