http://www.intelsecurity.com/advanced-threat-research/blog.html
From the paper:
Updating the SPI flash, where system firmware is usually stored, is usually accomplished either through physically attaching a programmer to the chip or through a signed update mechanism built into the firmware. One of the leaked emails contains a presentation (presumably for potential customers) that describes this:
Explanations:
- "Attaching a programmer to the chip" - well known - supply chain attack or "black bag job"
- "Signed update mechanism" - presumed, but important since I think this is much more common on enterprise systems than on personal or consumer ones
If you support enterprise systems, you can consider yourself a target.
I'm sorry their email was compromised, but they're doing bad things, and they're not an entertainment company here, trash-talking movie stars. They're targeting me and my clients/sponsors - the contents of the emails and files are fair game for us to protect ourselves.
How do I protect myself or my clients?
From the paper:
Intel has released CHIPSEC, which contains various tests and tools for platform security assessment, including some forensic capabilities.
They go on to give examples of how to use it and what the results mean, and most importantly:
Installing [the Hacking Team] firmware rootkit involves rewriting SPI flash. The system firmware is responsible for securely configuring the protections on SPI flash in order to prevent this. CHIPSEC contains configuration checks that users can easily run:
- python chipsec_main.py -m common.bios_wp
This does not mean that the system is infected, but it would be harder to infect a system that passes this test than one that fails. If this test fails, it may be possible for software running on the system to modify the BIOS in the SPI flash due to insecure configuration of the hardware protections.
This means to me that you'll need Python to run it (go figure, we're on Windows, guys), but I'll spin it up on a couple of machines to see what happens.
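As an added illustration of what a check like common.bios_wp is reasoning about (this is not the blog's or CHIPSEC's code), here is a small Python decoder for the two hardware controls that guard the BIOS region of SPI flash on Intel platforms. Register bit layouts follow the Intel PCH datasheets; the register values and the BIOS region bounds used below are constructed sample readings, and the function names and verdict logic are this example's own.

```python
# Added example: decode BIOS_CNTL and SPI Protected Range registers and judge
# whether software running on the OS could rewrite the BIOS region of SPI flash.
# Bit layouts per Intel PCH datasheets; sample values are constructed.

# BIOS_CNTL (PCH LPC config space, offset 0xDC) bit positions.
BIOSWE = 1 << 0    # BIOS Write Enable: software may write the BIOS region
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can veto it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes allowed only while in SMM

# SPI Protected Range register (PRx) fields: 4 KiB granularity, inclusive limit.
PR_WPE = 1 << 31
PR_LIMIT_MASK = 0x1FFF0000
PR_BASE_MASK = 0x00001FFF


def decode_bios_cntl(value):
    """Return the write-protection related bits of BIOS_CNTL as booleans."""
    return {"BIOSWE": bool(value & BIOSWE),
            "BLE": bool(value & BLE),
            "SMM_BWP": bool(value & SMM_BWP)}


def decode_pr(value):
    """Return (base, limit) of a PRx register, or None if write protection is off."""
    if not value & PR_WPE:
        return None
    base = (value & PR_BASE_MASK) << 12
    limit = (((value & PR_LIMIT_MASK) >> 16) << 12) | 0xFFF
    return (base, limit)


def bios_region_covered(bios_base, bios_limit, pr_values):
    """True if every byte of the BIOS region lies inside a write-protected range."""
    ranges = sorted(r for r in map(decode_pr, pr_values) if r)
    cursor = bios_base                      # first address not yet proven protected
    for base, limit in ranges:
        if base > cursor:                   # a gap: bytes at cursor are writable
            break
        cursor = max(cursor, limit + 1)
    return cursor > bios_limit


def assess(bios_cntl, pr_values, bios_base, bios_limit):
    """Verdict in the spirit of common.bios_wp: PASSED, WARNING or FAILED."""
    bits = decode_bios_cntl(bios_cntl)
    locked = bits["BLE"] and not bits["BIOSWE"]
    if locked and bits["SMM_BWP"]:
        return "PASSED"      # writes only from SMM, and the lock cannot be flipped
    if bios_region_covered(bios_base, bios_limit, pr_values):
        return "PASSED"      # protected ranges cover the whole BIOS region
    return "WARNING" if locked else "FAILED"


# Constructed sample: 8 MiB flash with the BIOS region at 0x500000-0x7FFFFF.
print(assess(0x28, [0x87FF0600, 0x855F0500], 0x500000, 0x7FFFFF))
```

A real run of chipsec_main.py reads these registers from the live platform; on a machine that reports FAILED, the SPI flash can be rewritten from the OS, which is exactly the precondition the firmware rootkit described above relies on.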