Needles in a haystack: Picking unwanted UEFI components out of millions of samples

ESET experts describe how they trained a machine-learning model to recognize a handful of unwanted UEFI components within a flood of millions of harmless samples



UEFI (Unified Extensible Firmware Interface) security has been a hot topic for the past few years, but, due to various limitations, very little UEFI-based malware has been found in the past. After discovering the first UEFI rootkit in the wild, known as LoJax, we set out to build a system that would enable us to explore the vast UEFI landscape in an efficient way – and reliably spot emerging UEFI threats.


Using the telemetry gathered by ESET’s UEFI scanner as a starting point, we devised a custom processing pipeline for UEFI executables that leverages machine learning to detect oddities among the incoming samples. This system, besides showing strong capabilities in identifying suspicious UEFI executables, offers real-time monitoring of the UEFI landscape, and was found to reduce the workload of our analysts by up to 90 percent.


Hunting for UEFI threats using our processing pipeline, we uncovered multiple interesting UEFI components, which can be divided into two categories – UEFI firmware backdoors and OS-level persistence modules. The most notable out of our discoveries is the so-called ASUS backdoor, a UEFI firmware backdoor found in several ASUS laptop models and remediated by ASUS following our notification.

UEFI is a specification defining the interface that exists between the OS and the device’s firmware. It defines a set of standardized services, called “boot services” and “runtime services”, that are the core APIs available in UEFI firmware. UEFI is a successor to the legacy BIOS (Basic Input/Outp ..