LogoFAIL, or how a simple virus becomes almost impossible to detect

2023-12-07 06:11:36

The UEFI firmware that boots Windows and Linux devices can be hijacked by simple malicious logo images.

Before we begin, some definitions.

What is UEFI? UEFI stands for Unified Extensible Firmware Interface. Released in 2006 as the successor to the legacy BIOS, it is not tied to Windows: it is the firmware that boots Windows, Linux and other operating systems on modern machines. Stored in a flash chip on the motherboard, it initialises the hardware and hands control to the operating system loader, and was designed to remove the limitations of the BIOS (basic input/output system) that became apparent as hardware grew more capable.

For the uninitiated, the BIOS is the firmware that, at power-on, tests and initialises each of the basic hardware components and then loads the operating system, which is how the operating system comes to know its hardware environment.

An attack that is difficult to stop

Hundreds of Windows and Linux computer models from virtually every hardware manufacturer are vulnerable to a new attack that uses a malicious boot-logo image to run attacker code early in the boot sequence, before the operating system has loaded, enabling infections that are virtually impossible to detect or remove with current defense mechanisms.

LogoFAIL: remote control

The attack, dubbed LogoFAIL, is notable for the relative ease with which it can be executed, the breadth of consumer and enterprise models affected, and the high level of control it grants over them.

In many cases, LogoFAIL can be executed remotely in post-exploitation situations, that is, once an attacker already has a foothold on the machine, using techniques that traditional endpoint security products do not detect.

Example of a corrupted BIOS

And because the infection runs during the earliest stages of a computer's startup process, it is able to bypass a multitude of defenses, including the industry-standard UEFI Secure Boot, Intel's Boot Guard and similar protections from other vendors designed to prevent infection by bootkits, malware that attacks the boot firmware.
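A practitioner reading this will want at least some way to inventory and sanity-check the inputs the firmware's image parser will see. The following is an added example, not code from the article or from the researchers who found LogoFAIL. It assumes, beyond what the article states, that the hostile logo lives as a file on the EFI System Partition that the firmware reads at boot; the mount point /boot/efi, the MAX_DIMENSION bound and the sample images are all constructed for illustration. It identifies images by magic bytes rather than file extension and flags BMP headers whose declared geometry disagrees with the bytes actually present, the kind of malformed input a fuzzed parser typically chokes on.

```python
# Added example: not code from the article or from the LogoFAIL researchers.
# Assumption (not stated in the article): the hostile logo is an image file
# on the EFI System Partition (ESP) that the firmware reads at boot. The
# checks below do not model any specific parser bug; they flag BMP headers
# whose declared geometry disagrees with the bytes actually present.
import os
import struct
from typing import Dict, List, Optional

# Magic bytes of the image formats boot-logo parsers commonly accept.
MAGIC = {
    b"BM": "bmp",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
MAX_DIMENSION = 16384          # sanity bound for a boot logo (assumed)
VALID_BPP = (1, 4, 8, 16, 24, 32)


def image_kind(data: bytes) -> Optional[str]:
    """Identify an image by its leading bytes, ignoring the file extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_bmp(data: bytes) -> List[str]:
    """Return header inconsistencies for a BMP; an empty list means it looks sane."""
    findings: List[str] = []
    if len(data) < 54:               # 14-byte file header + 40-byte BITMAPINFOHEADER
        return ["truncated header"]
    file_size, _res1, _res2, pixel_off = struct.unpack_from("<IHHI", data, 2)
    dib_size, width, height = struct.unpack_from("<Iii", data, 14)
    planes, bpp, compression = struct.unpack_from("<HHI", data, 26)

    if file_size != len(data):
        findings.append(f"declared size {file_size} != actual {len(data)}")
    if dib_size < 40:
        findings.append(f"DIB header size {dib_size} too small")
    if pixel_off < 14 + dib_size or pixel_off >= len(data):
        findings.append(f"pixel offset {pixel_off} outside file")
    dims_ok = 0 < width <= MAX_DIMENSION and 0 < abs(height) <= MAX_DIMENSION
    if not dims_ok:
        findings.append(f"implausible dimensions {width}x{height}")
    if bpp not in VALID_BPP:
        findings.append(f"unsupported bits per pixel {bpp}")
    if planes != 1:
        findings.append(f"planes {planes} != 1")

    # For uncompressed data the header fully determines how many bytes the
    # parser will read. Python ints never overflow; in C, width * bpp * height
    # is exactly the arithmetic a hostile header pushes past 32 bits.
    if compression == 0 and dims_ok and bpp in VALID_BPP and pixel_off < len(data):
        stride = ((width * bpp + 31) // 32) * 4      # rows are padded to 4 bytes
        needed = stride * abs(height)
        available = len(data) - pixel_off
        if needed > available:
            findings.append(f"pixel data needs {needed} bytes, only {available} present")
    return findings


def scan_esp(mount_point: str) -> Dict[str, List[str]]:
    """Inventory every image under the ESP and run the BMP checks on each."""
    report: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            kind = image_kind(data)
            if kind is not None:
                report[path] = check_bmp(data) if kind == "bmp" else []
    return report


def make_bmp(width: int, height: int, declared_height: Optional[int] = None) -> bytes:
    """Build a minimal 24-bpp BMP (constructed sample); declared_height lets the header lie."""
    stride = ((width * 24 + 31) // 32) * 4
    pixels = b"\x00" * (stride * height)
    header = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width,
                      height if declared_height is None else declared_height,
                      1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return header + dib + pixels


# Constructed samples: a sane 2x2 logo and one whose header claims 1000 rows
# while carrying only two rows of pixel data.
GOOD_LOGO = make_bmp(2, 2)
LYING_LOGO = make_bmp(2, 2, declared_height=1000)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_LOGO), ("lying", LYING_LOGO)):
        print(label, image_kind(blob), check_bmp(blob) or "ok")
    # Typical Linux mount point for the ESP (assumed); adjust for your system.
    for path, issues in scan_esp("/boot/efi").items():
        print(path, issues or "ok")
```

Run it as root on a Linux host with the ESP mounted; any image the firmware never shipped, or any BMP that reports findings, deserves a closer look. A clean result is not proof of absence: the check covers only the uncompressed BMP geometry it understands, and the article's point is that a payload which already runs inside the firmware is beyond what the operating system can inspect.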

To protect your system: install UEFI security updates

Over the past several years, a handful of new UEFI bootkits have been discovered. In response to these threats, device manufacturers have started taking steps to better lock down the UEFI boot process.

The best way to prevent LogoFAIL attacks is to install UEFI security updates. These patches are distributed by the manufacturer of the device or of the motherboard installed in it. Where possible, also configure UEFI to use multiple layers of defense: in addition to Secure Boot, Intel Boot Guard and, where available, Intel BIOS Guard. Similar additional defenses exist for devices with AMD or ARM processors. Note that these hardware-rooted checks verify the firmware image itself; they do not stop correctly signed but vulnerable firmware from parsing a hostile image, which is why the firmware update is the primary fix and the rest is defense in depth.
