[Discuss] UEFI-based rootkits

Rich Pieri richard.pieri at gmail.com
Mon Sep 24 16:49:47 EDT 2012


http://www.theregister.co.uk/2012/09/19/win8_rootkit/

Starting with Windows Vista, 64-bit versions of Windows require all
kernel mode drivers be signed with a certificate obtained from
Microsoft. This proof of concept UEFI rootkit replaces the Windows 8
boot loader with a version that does not check for these signatures,
permitting malware to have its way with the target system.  While the
POC is for Windows 8, the technique could be used to compromise any OS
including Macintosh (the Macintosh UEFI POC demonstrated earlier this
year at Black Hat inspired this Windows 8 POC) and GNU/Linux. There are
no Linux UEFI rootkits yet that I am aware of, but if OS X can be
compromised this way then it's only a matter of time before someone
ports the POCs to Linux and *BSD.

-- 
Rich P.
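A defender-side illustration of the point above, added here and not part of Rich's post: since the rootkit works by swapping the boot loader file on the EFI System Partition for a patched copy, the simplest host check is to keep SHA-256 digests of the trusted loader images and compare the files on the ESP against them. The script below is example code; the ESP file names are the standard Windows and fallback loader locations and the file contents are constructed placeholders, not real loader images.

```python
"""Detect replacement of EFI boot loader files on the EFI System Partition
by comparing their SHA-256 digests against a known-good baseline.
Example code added for illustration; not from the original post."""
from __future__ import annotations

import hashlib
from pathlib import Path


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Record the digest of each trusted boot loader image, keyed by ESP path."""
    return {path: sha256_of(content) for path, content in files.items()}


def check_boot_loaders(current: dict[str, bytes],
                       baseline: dict[str, str]) -> list[str]:
    """Compare the current ESP contents with the baseline.

    Returns one finding per problem: a loader whose digest changed (the
    rootkit case described in the post), a baselined loader that vanished,
    or an extra loader that was not in the baseline at all.
    """
    findings: list[str] = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append(f"MISSING {path}")
        elif sha256_of(current[path]) != expected:
            findings.append(f"MODIFIED {path}")
    for path in current:
        if path not in baseline:
            findings.append(f"UNEXPECTED {path}")
    return findings


def read_esp_files(esp_root: str, names: tuple[str, ...]) -> dict[str, bytes]:
    """Read real loader files from a mounted ESP (e.g. /boot/efi on Linux,
    or the drive letter you mounted the ESP under on Windows)."""
    root = Path(esp_root)
    result: dict[str, bytes] = {}
    for name in names:
        candidate = root / name
        if candidate.is_file():
            result[name] = candidate.read_bytes()
    return result


# Constructed sample data standing in for real loader images (assumption:
# these are the standard paths; the bytes are placeholders, not real PE files).
TRUSTED: dict[str, bytes] = {
    "EFI/Microsoft/Boot/bootmgfw.efi": b"MZ trusted windows boot manager image",
    "EFI/Boot/bootx64.efi": b"MZ trusted fallback loader image",
}
BASELINE = build_baseline(TRUSTED)

# The same partition after the Windows loader has been swapped for a patched copy.
TAMPERED: dict[str, bytes] = dict(TRUSTED)
TAMPERED["EFI/Microsoft/Boot/bootmgfw.efi"] = b"MZ patched loader without signature checks"


if __name__ == "__main__":
    print("clean ESP:   ", check_boot_loaders(TRUSTED, BASELINE))
    print("tampered ESP:", check_boot_loaders(TAMPERED, BASELINE))
    # To check a real machine, build BASELINE from a trusted snapshot and run:
    # check_boot_loaders(read_esp_files("/boot/efi", tuple(BASELINE)), BASELINE)
```

Store the baseline somewhere the running OS cannot silently rewrite (or at least off the machine), because a loader that skips signature checks is in a position to alter anything on the disk it boots.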
