© R3 CyberSecurity
LOJAX: A VIRUS ALMOST IMPOSSIBLE TO ELIMINATE
Carlos Molina Guadaño // 16 October 2018
What is LOJAX?
We live in an era of constant technological innovation, one that is continually affected by the appearance of new malware attacking the devices we use every day. LoJax is one example.
This new malware was developed by Fancy Bear, a well-known Russian hacking group. It is a UEFI rootkit that infects the computer's UEFI firmware, whatever the operating system, and goes completely unnoticed by antivirus software. Unlike most malware, it is persistent, because it is hosted on the motherboard rather than on the disk.
It has also been used to attack government organizations in the Balkans and in Central and Eastern Europe.
How does this malware work?
As mentioned above, the main problem with this malware is that it is very difficult to identify, because it lives in the UEFI (Unified Extensible Firmware Interface).
UEFI is the modern replacement for the BIOS: the part of the system that controls the boot process of a computer, phone, etc. (the black screen that appears when the device is turned on) and that allows an operating system to be installed and loaded on it.
Once LoJax manages to run on the victim's computer, it modifies the machine's UEFI firmware, one of the last places on the machine where anyone would expect to find malware.
The dangerous thing about this virus is that once the UEFI is modified, the malware executes every time the system starts, making it almost imperceptible and practically indestructible: it survives even if the hard disk is replaced or the operating system is reinstalled.
Researchers believe that LoJax is a variant of the LoJack anti-theft system, whose purpose is to protect a device and report its location to the owner if it is stolen. For that to work, it was important for LoJack to resist reinstallation of the operating system or replacement of the hard disk, which is precisely what implementing it as a UEFI/BIOS module achieves, since such a module survives these actions.
How can we protect our equipment from LoJax and other UEFI rootkits?
Normally, formatting the device or restoring its factory settings is the best way to eliminate malware. In this case, it will not work.
The first and most difficult step is to detect the malware. The only thing the user is likely to notice is a slowdown of the system and of the internet connection.
In theory, to eliminate LoJax you have to start the computer in Secure Boot mode. In this mode, the firmware verifies that each firmware component it starts is correctly signed.
The second step would be to install a UEFI firmware update. This is not easy, because the update must come from the owner of that component: it cannot be produced by the user, only by those responsible for the UEFI/BIOS (the vendor).
The firmware must then be updated, which brings another set of inconveniences, such as possible incompatibilities.
Finally, if the problem persists, the most effective solution, although the most difficult, is to replace the motherboard, considered the heart of the computer. Bear in mind that this process must be carried out by the UEFI/BIOS vendor.
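The detection step above is the hard part, and it cannot be done with a disk scan. The following Python script is an added example, not code from the original post or from any LoJax research team: it shows the two checks a defender can automate, comparing a dumped SPI flash image against a known-good hash (a vendor baseline or your own golden image) and reading the Secure Boot and Setup Mode state from the raw EFI variable format that Linux efivarfs exposes (4 bytes of attributes followed by the data). The firmware dumps, hashes and variable bytes are constructed placeholders; real dumps would come from a tool such as chipsec or flashrom.

```python
import hashlib
import struct
from typing import Dict, Optional, Set

# Constructed sample data for the example (not real firmware).
# BASELINE_DUMP stands in for a vendor-signed SPI flash image; TAMPERED_DUMP
# is the same image with its tail overwritten, as a foreign module would do.
BASELINE_DUMP = b"UEFI-FIRMWARE-VOLUME:" + bytes(range(64))
TAMPERED_DUMP = BASELINE_DUMP[:-8] + b"\x90" * 8  # hypothetical modified region

# Known-good hashes normally come from the vendor or from a golden image taken
# when the machine was commissioned; here we derive one from the constructed baseline.
KNOWN_GOOD_HASHES: Set[str] = {hashlib.sha256(BASELINE_DUMP).hexdigest()}


def firmware_matches_baseline(dump: bytes, known_good: Set[str] = KNOWN_GOOD_HASHES) -> bool:
    """True if the SHA-256 of the flash dump is one of the known-good images."""
    return hashlib.sha256(dump).hexdigest() in known_good


def parse_efivar_bool(raw: bytes) -> Optional[bool]:
    """Parse a one-byte boolean EFI variable as read from efivarfs.

    Layout: uint32 little-endian attribute flags, then the variable data.
    Returns None if the file is too short to contain the data byte.
    """
    if len(raw) < 5:
        return None
    _attrs, value = struct.unpack("<IB", raw[:5])
    return value == 1


def assess(dump: bytes, secureboot_raw: bytes, setupmode_raw: bytes) -> Dict[str, object]:
    """Combine the firmware integrity check with the Secure Boot state.

    secureboot_raw / setupmode_raw are the raw bytes of the SecureBoot and
    SetupMode variables (e.g. /sys/firmware/efi/efivars/SecureBoot-<guid>).
    """
    findings = []
    modified = not firmware_matches_baseline(dump)
    if modified:
        findings.append("firmware image hash does not match any known-good baseline")

    secure_boot = parse_efivar_bool(secureboot_raw)
    if secure_boot is not True:
        findings.append("Secure Boot is disabled or its state could not be read")

    setup_mode = parse_efivar_bool(setupmode_raw)
    if setup_mode:
        findings.append("platform is in Setup Mode: Secure Boot keys are not enrolled")

    return {
        "firmware_modified": modified,
        "secure_boot_enabled": secure_boot,
        "setup_mode": setup_mode,
        "findings": findings,
        "verdict": "investigate" if findings else "clean",
    }


if __name__ == "__main__":
    # Constructed efivar contents: attributes 0x06 (BS|RT), then the data byte.
    sb_on, sb_off = b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"
    print(assess(BASELINE_DUMP, sb_on, sb_off))   # expected verdict: clean
    print(assess(TAMPERED_DUMP, sb_off, sb_on))   # expected verdict: investigate
```

A hash mismatch on its own is not proof of a rootkit (a legitimate vendor update also changes the image), so the baseline set must be refreshed whenever firmware is updated; what matters is a change that nobody scheduled. Secure Boot being enabled with keys enrolled is the state the article describes, in which unsigned firmware components are refused at boot.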
At R3 CyberSecurity we want to make clear that these attacks target large companies and public organizations.
Finally, LoJax is an isolated case, but it is possible that other malicious hackers will now try to use similar malware to break into computers.