Ghosts reappear (deep) inside the machine: BIOS bootkits & UEFI exploits

News by Adrian Bridgwater

BIOS bootkits are being used in APTs, with new research demonstrating the ability to exploit newly discovered vulnerabilities.

Use of BIOS bootkits to exfiltrate data is being reported as a current threat, with new research into their use exploiting recently discovered vulnerabilities to create a 'malware infection' route that is highly resistant to removal. The research has been validated by Kaspersky Lab's operations unit whose experts had found a bootkit laid down by The Equation Group. This APT espionage group's deep technical convolution and sophistication suggested nation-state - and likely NSA - involvement.

US whistleblower Edward Snowden is said to have mentioned BIOS bootkits among the list of tools handled by the NSA's Advanced/Access Network Technology (ANT) division.

A BIOS bootkit can exploit flaws in a machine's BIOS, the Basic Input Output System used during machine bootup procedures. Successful BIOS bootkits (or BIOS-resident malware) affect a machine's startup code and ‘boot sector’ and can therefore typically survive the reinstallation of an entire computer operating system.

Windows bootkits get Stoned

Although relatively few bootkits have been recorded, there is a good deal of open information detailing the Stoned bootkit. This software attacks Windows versions from 2000 up to 7 and is loaded before Windows starts so it is memory resident up to the Windows kernel. Stoned Lite was designed to attack Windows 8 Developer Preview. All Stoned bootkits are now out of date.

“A bootkit is a boot virus that is able to hook and patch Windows to get loaded into the Windows kernel and thus get unrestricted access to the entire computer,” said Peter Kleissner, in The Art of Bootkit Development. “It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted.”
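Because the master boot record sits unencrypted in sector 0, a defender can baseline it and detect later changes. The following Python sketch is an added example, not code from the article or from Stoned: it hashes the 440-byte boot-code area and compares the partition table against a stored baseline, using constructed sample sectors and the hypothetical helper names `parse_mbr`, `compare_to_baseline` and `make_sample_mbr`.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 440            # bootstrap code; bytes 440-443 hold the Windows disk signature
TABLE_OFFSET = 446        # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector 0 into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # type 0x00 marks an unused slot
            partitions.append({"active": entry[0] == 0x80, "type": entry[4],
                               "start_lba": start_lba, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Return findings; an empty list means sector 0 matches the baseline."""
    current = parse_mbr(sector)
    findings = []
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def make_sample_mbr(code: bytes) -> bytes:
    """Build a constructed sector 0 with one active NTFS (0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    body = code.ljust(CODE_LEN, b"\x00") + b"\x00" * 6 + entry + b"\x00" * 48
    return body + BOOT_SIGNATURE


CLEAN = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")    # constructed bytes, not a real loader
PATCHED = make_sample_mbr(b"\x90\x90\x90\x8e\xd0")  # same layout, leading bytes altered

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN)
    print(compare_to_baseline(CLEAN, baseline))
    print(compare_to_baseline(PATCHED, baseline))
```

On a real machine the 512 bytes should be read from the raw disk device while booted from trusted media, since code that runs before the operating system can falsify what a live system reads back.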

Due to the complexity and severity of their nature, there is some discussion over whether bootkits should be classified as ‘just malware’. Consequently, they have also been referred to as ‘malicious implants’ in the Advanced Persistent Threat (APT) category.

Secretive computer espionage faction

Data scientist and founder of Kentucky-based Analytical-Solution Carla Gentry said, “I guess my biggest question here is always if one company can protect users, why can't they all - and is it down to cost? If Google Chromebooks can have a hardware switch for the hardware protection of a part of the flash chip that stores its firmware (how it uses open source) why can't they all do this?”

Principal security researcher with Kaspersky Lab Vitaly Kamluk has called the latest recorded bootkits an ultimate persistence mechanism, with the ultimate resilience to removal.

For additional clarification here, Microsoft describes the UEFI (Unified Extensible Firmware Interface) as a standard firmware interface for PCs, designed to replace BIOS. This standard was created by more than 140 technology companies as part of the UEFI consortium, including Microsoft. It's designed to improve software interoperability and address limitations of BIOS. 

UEFI still not impenetrable

But UEFI is not impenetrable. Rafal Wojtczuk, security researcher at Bromium, said that presentations focused on UEFI at Canadian information security conference CanSecWest this month have seen researchers from LegbaCore discuss portable methods of infecting the BIOS. They demonstrated the implementation of BIOS-based malware capable of exfiltrating PGP keys.

“There were four talks about UEFI security at CanSecWest; and I was a co-author (with Corey Kallenberg) on one of them that showed that flaws in UEFI implementations can be exploited to get write access to the BIOS/UEFI code (resulting in the ability to remotely implant malware),” said Wojtczuk.

Jared DeMott, principal security researcher at Bromium agrees that, “Yes, exploiting pre-boot code such as attacks against UEFI is very much possible. Though, like encryption breaking, it's probably more commonly used by nation state actors vs. everyday malware authors. That's because it takes a bit more effort and targeting to pull off in the real world.”

TK Keanini, CTO at Lancope, a ‘flow analysis’ company for security and network performance monitoring, reminds us that it has always been (and always will be) an objective for attackers to get in the middle of, or just under, the domain that is being secured.

He who controls the BIOS, controls the device!

“If the attacker can get control of the computing environment before any security can be put in place, they will always win,” Keanini said. “BIOS exists in any and all hardware devices. Hard drives, motherboards, expansion cards and don't forget all Internet of Things endpoints like automobiles, home automation units. Basically, everything that has to power up from being off will need a BIOS to load before the operating system. He who controls the BIOS, controls the device!”
