Hacking Team's malware uses UEFI rootkit to survive OS reinstalls

The feature allows the company's software to persist even if the hard disk drive if replaced

Victim of identity theft

Victim of identity theft

Surveillance software maker Hacking Team has provided its government customers with the ability to infect the low-level firmware found in laptops and other computers that they wanted to spy on.

The company developed a tool that can be used to modify a computer's UEFI (Unified Extensible Firmware Interface) so that it silently reinstalls its surveillance tool even if the hard drive is wiped clean or replaced.

UEFI is a replacement for the traditional BIOS (Basic Input/Output System) and is meant to standardize modern computer firmware through a reference specification. But there are multiple companies that develop UEFI firmware, and there can be significant differences between the implementations used by PC manufactures.

Hacking Team developed a method for infecting the UEFI firmware developed by Insyde Software, a Taiwanese company that counts Hewlett-Packard, Dell, Lenovo, Acer and Toshiba among its customers, according to security researchers from antivirus vendor Trend Micro.

"However, the code can very likely work on AMI BIOS as well," the Trend Micro researchers said in a blog post. AMI BIOS refers to firmware developed by American Megatrends, a long-time BIOS market leader.

Trend Micro found details about the UEFI rootkit in the more than 400GB worth of files and emails that were leaked recently from Milan-based Hacking Team by a hacker. For the past week, security researchers and journalists have been sifting through the data uncovering malware source code, client lists, exploits for unpatched vulnerabilities and more information.

A Hacking Team slideshow presentation suggests that installing the UEFI rootkit requires physical access to the target computer, but remote installation can't be ruled out, the Trend Micro researchers said.

Gaining temporary physical access to some computers wouldn't be a big problem for government agencies, because many countries have laws that allow the inspection of laptops and other devices at their borders.

Hacking Team refers to its surveillance software as "the hacking suite for governmental interception" and claims to sell it only to government agencies. Even so, most antivirus vendors detect the highly intrusive software, which is known as Remote Control System (RCS) or Galileo, as malware.

To install the RCS UEFI rootkit, an attacker must reboot the system into the UEFI shell, extract the firmware, write the rootkit to the dumped image and then flash it back to the system, the Trend Micro researchers said.

The rootkit itself has three modules: one for reading and writing to NTFS file systems; one for hooking the OS boot process; and one that checks if RCS is present on the system.

The rootkit checks for the existence of two software agents called scout.exe and soldier.exe every time the system is rebooted. If they don't exist, it installs scout.exe at a predefined location inside the OS, the Trend Micro researchers said.

The possibility of installing rootkits into a computer's BIOS or UEFI firmware has been demonstrated by multiple researchers at security conferences over the past several years. However, known cases of such rootkits being used in the wild are extremely rare.

A search through the email communications leaked from Hacking Team reveals that the company's engineers have kept an eye out for every article and research paper on BIOS and UEFI hacking written since 2009. This includes blog posts on cracking BIOS passwords, papers on defeating signed BIOS enforcement and leaked documents about the U.S. National Security Agency's BIOS infecting capabilities.

The emails also show that the company's research and development team was working on the "persistent UEFI infection" feature since at least mid-2014. On September 9, a customer from INTECH-Solutions, a German vendor of "technology and solutions for law enforcement and intelligence agencies" had already inquired about a list of computers for which the persistent infection feature worked.

"We are sorry, we have not a list of Computer Models where the persistent UEFI infection works well," a Hacking Team employee responded. "We tested the last series of Acer with UEFI boot. We are working to support other models like Asus but at the moment we can't provide you a date of that release."

In December, Hacking Team's operations manager Daniele Milan asked a senior security engineer for clarifications on the feature in order to answer potential customer inquiries.

The engineer responded that the feature was tested successfully on Dell Latitude 6320, Dell Precision T1600, Asus X550C and Asus F550C. It also worked on Toshiba Satellite C50 and the Acer Aspire E1-570, but with a higher risk of failure.

In principle, the software works on all laptops, workstations and servers with 64-bit CPU architectures that support Windows 7 and Windows 8 Pro, the engineer said.

In a later email, he mentioned that the "chiavetta" also works on Dell servers. Chiavetta means key in Italian, but it's also widely used to refer to USB thumb drives, giving a hint about how the UEFI rootkit can be deployed.

To prevent such infections, Trend Micro advises users to enable the UEFI SecureFlash option, to set up a BIOS/UEFI password and to update the firmware to its latest version so that it has the latest security patches. UEFI/BIOS updates are usually distributed by computer manufacturers through their support websites and some of them do fix issues identified by security researchers.

Join the PC World newsletter!

Error: Please check your email address.

Tags intrusiontrend microsecurityspywaremalwareHacking Team

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?