Malware Buried Deep Down the SPI Flash: Sednit's First UEFI Rootkit Found in the Wild

  • Published on 13 Jan 2020
  • BIOS rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level. Our talk will reveal such a campaign successfully executed by the Sednit group. This APT group, also known as Fancy Bear, Sofacy and APT28, has been linked to numerous high profile cyberattacks such as the 2016 Democratic National Committee email leak scandal.
    By Jean-Ian Boutin & Frederic Vachon
    Full Abstract & Presentation Materials: www.blackhat.com/eu-18/briefi...

Comments • 20

  • @NicoKnowsTech 3 years ago +4

    I caught this one! This video helped me figure out how to get rid of it and I'm gonna share it with my viewers! Amazing research!

    • @gratefulnoumena1254 2 years ago +4

      you don't get rid of it. ;) you throw out the hardware. you would have to build a custom blind flash ROM file for your exact stack of all attached firmware, and blindflash that bitch in the same reboot cycle (doesn't work via bootable or environment or BIOS interface, and risk bricking your hardware....) in order to successfully get rid of it, because of the way these rakshasas remap your memory addresses. if you successfully flash your BIOS, your vBIOS or your [insert attached firmware here] will get you.. while you're at it you're going to want to burn or lose anything that touched that device or lived on the same network... memory, removable media, peripherals, network devices, IoT shit, burnt optical ROMs.

    • @goofballbiscuits3647 3 months ago

      @gratefulnoumena1254 That whole novella is wrong and insanely wasteful.
      Serial programming by its nature replaces each data space on the ROM in linear fashion (in series, hence serial). It's like replacing shoelaces in a pair of shoes if the new shoelace pushed the old lace out. The unused spaces are filled as well.
      Buy some genuine Pomona clips or make your own jumpers and get dirty with it. A Raspberry Pi Pico can do this. Throwing away hardware because you're scared of bricking it doesn't even make sense. "I'm so scared of the repair that I won't even try to fix it" is all I hear.
      Oh, and it infects all forms of hardware, all over the network with the same code? How magical! 😅
      This SPI fearmongering stems from a personal tech deficiency of yours, and is unnecessary to spread to others as fact.

  • @Xclub40X 2 years ago +1

    These rootkits / bootkits are able to be written to most EEPROM chips and in fact most hardware, providing there is enough space. JTAG can facilitate it, and maybe the Forth language.

  • @tonyzone8999 2 years ago

    2 of my systems were compromised by a bootkit along with SMM compromised; one even had a hypervisor rootkit. Nothing I could do.

  • @bufferjoetommas 2 years ago +4

    i have a Predator Helios 300. somehow it behaves VERY strange. Malwarebytes says everything's ok, but it isn't. Intel CHIPSEC tells me the old Computrace backdoor looks fishy.... so what happened? Putin himself did stealth action into my BIOS and opened up a Russian disco, so lots of people in tracksuits drinking vodka in my SPI flash now and won't go. the guy i hired to watch that backdoor, called Intel SGX, fell asleep and is still sleeping. now i have a linux-only gaming laptop... hallelujah

    • @Xclub40X 2 years ago

      Russian parties are the best because they go on non-stop

    • @rahulramteke3338 7 months ago +1

      Intel ME and AMD PSP are actual malware

  • @slendi9623 3 years ago +3

    This is an interesting one ngl

    • @slendi9623 3 years ago +1

      @targetedindividualsresearch you can probably reflash it if you open up the laptop

  • @gotdamnsoup2727 1 year ago

    The new version of Roaming Mantis deploys this & XHelper variants.

  • @unknownworld8238 1 year ago

    9:41