UEFI malware can compromise a PC before the operating system even loads, and your anti-virus software may never know it. Cybersecurity firm Eclypsium has found that motherboards manufactured by Taiwan-based Gigabyte Technology (2376) ship with firmware that behaves like a backdoor: a hidden update mechanism installed by Gigabyte that attackers could hijack.
Eclypsium's list of affected models (PDF) covers 271 Gigabyte boards, from AMD 400-series chipsets up to the current Intel 700-series and AMD 600-series boards, so the flaw potentially reaches millions of PCs. Eclypsium found that every time a computer with an affected board boots, the firmware silently drops a Windows executable onto the system (using the Windows Platform Binary Table, a UEFI mechanism that lets firmware hand Windows a program to run at startup), and that program downloads and launches another piece of software from Gigabyte's servers. This is meant to keep the board's drivers and utilities up to date, but Eclypsium says the mechanism is implemented insecurely: it can fetch the update over plain HTTP, and even its HTTPS downloads do not properly validate the server's certificate. An attacker on the network path could therefore substitute a malicious payload for Gigabyte's intended program and have the firmware-launched updater run it.
Because the updater is triggered from the computer's UEFI firmware, it loads before Windows does, which makes it difficult to detect or remove. UEFI stands for Unified Extensible Firmware Interface; it is the software that runs before the operating system starts and establishes the chain of trust the operating system relies on. Code planted at this level inherits the firmware's trust, so it can undermine Secure Boot and stay invisible to antivirus scans. It also persists across operating system reinstalls and hard drive replacements, because it lives in the motherboard's flash chip rather than on disk.
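The weakness above is a design problem, not a coding slip: a boot-time updater that fetches over HTTP and runs whatever arrives trusts the network. The following PowerShell is an added example, not Gigabyte's updater and not code from the original article. It puts that weak pattern beside the minimum a downloader that launches code should do: refuse non-HTTPS, keep certificate validation on, check the Authenticode signature against a pinned publisher, and compare a hash delivered out of band. The URLs and the publisher thumbprint are placeholders, not Gigabyte's.

```powershell
# Added example (not Gigabyte's code, not from the original article).
# Contrasts "download over HTTP and run it" with a verified update path.
# All URLs and the thumbprint below are placeholders.

# The weak pattern: anyone on the network path can substitute the payload,
# and the machine runs it with whatever privileges the updater holds.
function Invoke-UpdateInsecure {
    param([string]$Url = 'http://updates.example.invalid/updater.exe')  # placeholder
    $dst = Join-Path $env:TEMP 'updater.exe'
    Invoke-WebRequest -Uri $Url -OutFile $dst
    Start-Process -FilePath $dst     # runs whatever the server (or a MITM) served
}

# The hardened pattern.
function Invoke-UpdateVerified {
    param(
        [string]$Url = 'https://updates.example.invalid/updater.exe',                # placeholder
        [string]$ExpectedPublisherThumbprint = '0000000000000000000000000000000000000000',  # placeholder
        [string]$ExpectedSha256                 # from a manifest fetched separately from the binary
    )
    # 1. Transport: plain HTTP is never acceptable for code that will be executed.
    if (([uri]$Url).Scheme -ne 'https') {
        throw "Refusing non-HTTPS update URL: $Url"
    }
    $dst = Join-Path $env:TEMP 'updater.exe'
    # Invoke-WebRequest validates the server certificate by default. Never pass
    # -SkipCertificateCheck (PowerShell 7) in an updater; that is the HTTPS-without-
    # validation mistake described above.
    Invoke-WebRequest -Uri $Url -OutFile $dst

    # 2. Authenticode: the file must carry a valid signature from the expected
    #    publisher, so a compromised mirror or a forged TLS endpoint is not enough.
    $sig = Get-AuthenticodeSignature -FilePath $dst
    if ($sig.Status -ne 'Valid') {
        throw "Bad or missing signature on update: $($sig.Status)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedPublisherThumbprint) {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 3. Hash pin from a manifest that travelled over a separate channel.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {          # -ne is case-insensitive
            throw "Hash mismatch: expected $ExpectedSha256, got $actual"
        }
    }

    Start-Process -FilePath $dst
}
```

Pinning a certificate thumbprint is the strictest check and breaks when the publisher renews its signing certificate; a production updater would typically pin the signer's subject and issuer instead and rely on the signature's own trust chain. The point stands either way: the firmware-launched program should verify what it downloaded before it executes it, and the machine's security should not depend on the network being honest.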
How to determine if your PC has UEFI malware
Start by determining whether your motherboard is one of the affected Gigabyte models. There are a few ways to find the manufacturer and model:
1. Use the Command Prompt to check the motherboard model. Open the Command Prompt from the Start Menu and type:
wmic baseboard get product,Manufacturer
Windows will return the manufacturer and product name. (wmic is deprecated and may be absent on the newest Windows 11 builds; the System Information app below gives the same answer.)
2. If the command prompt freaks you out, you can use the Windows GUI to find your motherboard's manufacturer. From the Start menu, type "System Information" into the search bar and open the System Information app.
The System Information page will display. BaseBoard Manufacturer is the motherboard manufacturer, and BaseBoard Product is the name of the motherboard.
3. If neither of these options works, you can try a third-party utility. HWiNFO and CPU-Z are popular tools that can identify your motherboard's manufacturer and model.
Whichever method you use, compare the manufacturer, product name and BIOS version against Eclypsium's list of affected models. Finding a Gigabyte board on that list does not mean the machine is infected; it means the insecure update path is present until Gigabyte's fixed BIOS is installed.
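The three steps above can be collapsed into one script. The following PowerShell is an added example (not from the original article, Gigabyte or Eclypsium) that gathers the board and firmware facts you need for the comparison, using Get-CimInstance in place of the deprecated wmic command, and adds two firmware-level checks a practitioner would want: whether Secure Boot is on, and whether the firmware has handed Windows a boot-time binary through the Windows Platform Binary Table. The registry path used for the WPBT check is an assumption about where Windows mirrors the ACPI tables it found; run the script from an elevated prompt.

```powershell
# Added example, not code from the original article, Gigabyte or Eclypsium.
# Run from an elevated PowerShell prompt. Collects what you need to compare a
# machine against Eclypsium's affected-model list and flags firmware-level
# signals worth a closer look. It does not detect malware by itself.

function Get-FirmwareInventory {
    $board = Get-CimInstance -ClassName Win32_BaseBoard
    $bios  = Get-CimInstance -ClassName Win32_BIOS

    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS machines.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = 'n/a (legacy BIOS or unsupported)' }

    # Assumption: Windows exposes the ACPI tables it found at boot under
    # HKLM:\HARDWARE\ACPI\<signature>. A WPBT (Windows Platform Binary Table)
    # entry means the firmware asked Windows to run a binary during startup,
    # the kind of mechanism described in the article. Its presence is a prompt
    # to find out what that binary is, not proof of compromise.
    $wpbtPresent = Test-Path 'HKLM:\HARDWARE\ACPI\WPBT'

    [pscustomobject]@{
        Manufacturer  = $board.Manufacturer
        Product       = $board.Product
        BiosVendor    = $bios.Manufacturer
        BiosVersion   = $bios.SMBIOSBIOSVersion
        BiosDate      = $bios.ReleaseDate
        FirmwareType  = $env:firmware_type       # 'UEFI' or 'Legacy'
        SecureBoot    = $secureBoot
        WpbtPresent   = $wpbtPresent
        # Heuristic precondition, not a vulnerability test: only Gigabyte
        # boards are in scope for the issue discussed above.
        GigabyteBoard = ($board.Manufacturer -match 'Gigabyte')
    }
}

$inv = Get-FirmwareInventory
$inv | Format-List

if ($inv.GigabyteBoard) {
    Write-Warning ("Gigabyte board '{0}' running BIOS {1} ({2}): compare against " +
                   "Eclypsium's affected-model list and install Gigabyte's fixed BIOS if listed.") `
                   -f $inv.Product, $inv.BiosVersion, $inv.BiosDate
}
if ($inv.WpbtPresent) {
    Write-Warning "A WPBT ACPI table is present: the firmware hands Windows a binary to run at boot. Identify that binary before trusting this machine."
}
if ($inv.SecureBoot -eq $false) {
    Write-Warning "Secure Boot is off. Firmware-level code has one less control to get past."
}
```

Keep the output from the first run; once the fixed BIOS is installed, run the script again and confirm the BIOS version and date changed. The WPBT check is deliberately conservative: legitimate vendors (anti-theft agents, for example) also use the table, so treat a hit as a question to answer rather than an alarm.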
What to look for
Some UEFI malware may cause noticeable changes in your system performance, stability, or functionality. For example, you may experience frequent crashes, blue screens, boot errors, slow boot times, missing files, network issues, or unexpected pop-ups. These symptoms may also be caused by other factors, so they are not conclusive evidence of infection, but they can be indicators that something is wrong.
What to do if you have UEFI malware
If you suspect that your PC has UEFI malware, take immediate action to remove it and prevent further damage. Reinstalling Windows or replacing the drive will not help, because the malicious code lives in the firmware. The fix is to reflash the firmware with an image obtained directly from your device manufacturer: download it from the manufacturer's own support site for your exact board model, never from a mirror or a link in a message. This overwrites the malicious code and restores the original firmware. The process can be risky and complex, may require physical access to the device or special tools, and a power loss mid-flash can leave the board unbootable, so follow the manufacturer's instructions carefully and back up your data before you start.
How do I prevent UEFI malware?
The first step is to dig into your BIOS (UEFI setup) and set a BIOS password, so nobody can change firmware settings without your knowledge. On an affected Gigabyte board, also disable the "APP Center Download & Install" option in UEFI setup, which is the feature that drops and runs the updater, and then install Gigabyte's updated BIOS. If getting into the BIOS makes you nervous, you can use software.
Some antivirus products include a UEFI scanner. For example, Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) has a UEFI scanner that extends its protection to the firmware level. Another example is Kaspersky Anti-Virus for UEFI (KUEFI); Kaspersky says KUEFI provides effective protection from rootkits and bootkits and ensures the OS loads safely.
If these tools detect a threat, they will alert you and provide instructions on how to repair the firmware. However, not all antivirus programs have this feature, and some UEFI malware may evade detection by hiding or encrypting itself.
Gigabyte has released BIOS updates that close the hole. Install the version for your exact board model from Gigabyte's support site.
rb-
UEFI malware can compromise your system security and privacy. To protect yourself from this type of attack, you should:
- Keep your firmware and operating system updated with the latest patches and security fixes.
- Use a reliable antivirus program that can scan and protect your firmware as well as your files.
- Avoid opening suspicious attachments or links from unknown sources.
- Be careful when downloading or installing software from untrusted websites.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.