[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:18.20,Default,,0000,0000,0000,,{\i1}35C3 preroll music{\i0}
Dialogue: 0,0:00:18.20,0:00:22.60,Default,,0000,0000,0000,,Herald angel: OK so our next talk is given\Nby Frederic Vachon, so please give him a
Dialogue: 0,0:00:22.60,0:00:33.14,Default,,0000,0000,0000,,warm round of applause.\N{\i1}Applause{\i0}
Dialogue: 0,0:00:33.14,0:00:39.45,Default,,0000,0000,0000,,Vachon: Okay so hello everyone. Thank you\Nfor having me today. I'm really happy to
Dialogue: 0,0:00:39.45,0:00:45.95,Default,,0000,0000,0000,,be here. So today I'm going to talk\Nabout research that a colleague of mine,
Dialogue: 0,0:00:45.95,0:00:51.49,Default,,0000,0000,0000,,Jean-Ian Boutin and I did earlier this\Nyear and which led us to the discovery of
Dialogue: 0,0:00:51.49,0:00:57.60,Default,,0000,0000,0000,,a UEFI rootkit. So very quickly. My name\Nis Frederic Vachon, I'm a malware
Dialogue: 0,0:00:57.60,0:01:04.96,Default,,0000,0000,0000,,researcher at ESET and I've been working\Nthere for the last two years and for the
Dialogue: 0,0:01:04.96,0:01:12.00,Default,,0000,0000,0000,,last year or so I've been really focusing\Non boot level threats and UEFI firmware
Dialogue: 0,0:01:12.00,0:01:17.37,Default,,0000,0000,0000,,reverse engineering. So let's look at the\Nagenda for this talk. So the first thing I
Dialogue: 0,0:01:17.37,0:01:23.26,Default,,0000,0000,0000,,want to talk about is what is Sednit very\Nquickly. Then I'll talk about LoJack,
Dialogue: 0,0:01:23.26,0:01:28.46,Default,,0000,0000,0000,,which is an anti-theft software and past\Nresearch related to this software and the
Dialogue: 0,0:01:28.46,0:01:33.45,Default,,0000,0000,0000,,reason for that is that the UEFI rootkit\Nthat I'll talk about really mimics the
Dialogue: 0,0:01:33.45,0:01:39.33,Default,,0000,0000,0000,,architecture of this legitimate software.\NThen we'll move on and I'll talk a little
Dialogue: 0,0:01:39.33,0:01:44.44,Default,,0000,0000,0000,,bit about compromised LoJack agents that\Nwere found in the wild, and finally I'll
Dialogue: 0,0:01:44.44,0:01:50.50,Default,,0000,0000,0000,,jump into the UEFI rootkit, well, where\NI'll talk about the tools around the
Dialogue: 0,0:01:50.50,0:01:56.88,Default,,0000,0000,0000,,rootkit and the UEFI rootkit itself. So,\NSednit. Sednit is an espionage group
Dialogue: 0,0:01:56.88,0:02:04.82,Default,,0000,0000,0000,,active since the early 2000s and it is\Nalso known as Fancy Bear, APT28 and
Dialogue: 0,0:02:04.82,0:02:12.11,Default,,0000,0000,0000,,STRONTIUM, so maybe you know this group by\None of these alternative names. And Sednit
Dialogue: 0,0:02:12.11,0:02:19.29,Default,,0000,0000,0000,,is the name basically that we use at ESET.\NSo this group was very visible in the past
Dialogue: 0,0:02:19.29,0:02:25.40,Default,,0000,0000,0000,,few years as being allegedly behind some\Npretty mysterious hacks like the hack
Dialogue: 0,0:02:25.40,0:02:29.62,Default,,0000,0000,0000,,against the Democratic National Committee,\Nthe DNC, where some emails were leaked
Dialogue: 0,0:02:29.62,0:02:36.09,Default,,0000,0000,0000,,online. The hack against the World Anti-\NDoping Agency as well as the hack against
Dialogue: 0,0:02:36.09,0:02:41.61,Default,,0000,0000,0000,,the French broadcasting network TV5 Monde.\NBut at ESET when we're talking about
Dialogue: 0,0:02:41.61,0:02:45.69,Default,,0000,0000,0000,,Sednit, we're really talking about the\Ntools and the different campaigns that
Dialogue: 0,0:02:45.69,0:02:52.24,Default,,0000,0000,0000,,were led using these tools, and we're not\Ntalking about the people who are operating
Dialogue: 0,0:02:52.24,0:02:56.78,Default,,0000,0000,0000,,this malware because we don't have the\Ninformation necessary to draw such
Dialogue: 0,0:02:56.78,0:03:05.11,Default,,0000,0000,0000,,conclusions. However, in July 2018 the\NU.S. Department of Justice named the group
Dialogue: 0,0:03:05.11,0:03:10.64,Default,,0000,0000,0000,,as being responsible for the Democratic\NNational Committee hack in this specific
Dialogue: 0,0:03:10.64,0:03:17.65,Default,,0000,0000,0000,,indictment. And what's interesting is that\Nthe tools that we analyzed were... are
Dialogue: 0,0:03:17.65,0:03:26.74,Default,,0000,0000,0000,,named in this specific indictment and they\Nalso mention who's the authors of these
Dialogue: 0,0:03:26.74,0:03:37.13,Default,,0000,0000,0000,,malware. And also early, not earlier, but\Ncloser to now, in October 2018, the
Dialogue: 0,0:03:37.13,0:03:41.37,Default,,0000,0000,0000,,Department of Justice issued another\Nindictment naming pretty much the same
Dialogue: 0,0:03:41.37,0:03:48.80,Default,,0000,0000,0000,,people as related to the World Anti-\NDoping Agency hack. And the way that
Dialogue: 0,0:03:48.80,0:03:53.67,Default,,0000,0000,0000,,Sednit will usually infect their targets\Nis by sending phishing emails, so
Dialogue: 0,0:03:53.67,0:03:58.83,Default,,0000,0000,0000,,sometimes they will contain malicious\Nlinks and some of the time malicious
Dialogue: 0,0:03:58.83,0:04:06.15,Default,,0000,0000,0000,,attachments. OK. So now let's talk a\Nlittle bit about LoJack. So LoJack is an
Dialogue: 0,0:04:06.15,0:04:10.48,Default,,0000,0000,0000,,anti-theft software as I mentioned, and it\Nwas previously known as Computrace. So
Dialogue: 0,0:04:10.48,0:04:16.01,Default,,0000,0000,0000,,maybe you know the solution by this name\Ninstead. And it is made by Absolute
Dialogue: 0,0:04:16.01,0:04:26.04,Default,,0000,0000,0000,,Software. So, yeah, and this solution is\Nbuilt in many laptops. But an anti-theft
Dialogue: 0,0:04:26.04,0:04:30.79,Default,,0000,0000,0000,,software needs to be as persistent as\Npossible if you want it to be reliable. It
Dialogue: 0,0:04:30.79,0:04:35.65,Default,,0000,0000,0000,,needs to be... to survive an operating\Nsystem re-install or a hard disk
Dialogue: 0,0:04:35.65,0:04:41.16,Default,,0000,0000,0000,,replacement. So to achieve this what\NAbsolute Software did is that they added a
Dialogue: 0,0:04:41.16,0:04:48.93,Default,,0000,0000,0000,,module in the UEFI BIOS itself. Yeah and\Nthe solution needs to be activated in the
Dialogue: 0,0:04:48.93,0:04:53.92,Default,,0000,0000,0000,,BIOS setup. So with a persistence\Nmechanism like that coming from the
Dialogue: 0,0:04:53.92,0:04:57.69,Default,,0000,0000,0000,,firmware, it really attracted the\Nattention of security researchers, who
Dialogue: 0,0:04:57.69,0:05:05.17,Default,,0000,0000,0000,,looked into this to find vulnerabilities\Nbasically. And at BlackHat in 2009 there
Dialogue: 0,0:05:05.17,0:05:12.14,Default,,0000,0000,0000,,was a talk there where the architecture of\Nthe solution was described and several
Dialogue: 0,0:05:12.14,0:05:18.01,Default,,0000,0000,0000,,design vulnerabilities in the agent were\Nalso described there. So let's look at the
Dialogue: 0,0:05:18.01,0:05:25.92,Default,,0000,0000,0000,,architecture of LoJack back then. So the\Nfirst thing that we have here is a module
Dialogue: 0,0:05:25.92,0:05:32.14,Default,,0000,0000,0000,,in the UEFI BIOS, and this module will\Nwrite a file to the Windows partition. So
Dialogue: 0,0:05:32.14,0:05:36.94,Default,,0000,0000,0000,,this file is called autochk.exe, which\Nreplaces the legitimate autochk.exe, whose
Dialogue: 0,0:05:36.94,0:05:44.23,Default,,0000,0000,0000,,job is to perform filesystem integrity\Ncheck during early Windows boot. So by
Dialogue: 0,0:05:44.23,0:05:50.81,Default,,0000,0000,0000,,replacing this agent during early Windows\Nboot it will be executed. And from there
Dialogue: 0,0:05:50.81,0:05:57.71,Default,,0000,0000,0000,,it will drop rpcnetp.exe, which is the\Nsmall agent, and will install a service
Dialogue: 0,0:05:57.71,0:06:03.49,Default,,0000,0000,0000,,and when Windows will run it will run this\Nservice, and rpcnetp will be launched at
Dialogue: 0,0:06:03.49,0:06:09.30,Default,,0000,0000,0000,,this point. And it will inject itself into\Nsvchost, and then from there it will
Dialogue: 0,0:06:09.30,0:06:13.66,Default,,0000,0000,0000,,inject itself into Internet Explorer which\Nis pretty interesting because it's very
Dialogue: 0,0:06:13.66,0:06:18.03,Default,,0000,0000,0000,,shady and that's something that we see\Npretty much all the time in malware but
Dialogue: 0,0:06:18.03,0:06:24.27,Default,,0000,0000,0000,,not often in legitimate software. And from\NInternet Explorer it will then communicate
Dialogue: 0,0:06:24.27,0:06:32.22,Default,,0000,0000,0000,,with the command and control server and it\Nwill download the full recovery agent. So
Dialogue: 0,0:06:32.22,0:06:38.19,Default,,0000,0000,0000,,now let's look at some of the issues that\Nthe researchers found with this... in this
Dialogue: 0,0:06:38.19,0:06:44.58,Default,,0000,0000,0000,,solution. So one of the vulnerabilities\Nthey found is very interesting for us and
Dialogue: 0,0:06:44.58,0:06:49.14,Default,,0000,0000,0000,,in fact that's really the only one that\Nmatters for this talk. And this is a
Dialogue: 0,0:06:49.14,0:06:55.62,Default,,0000,0000,0000,,configuration file vulnerability. So the\Nconfiguration is embedded into rpcnetp.exe
Dialogue: 0,0:06:55.62,0:07:00.99,Default,,0000,0000,0000,,and it is encrypted but it is encrypted\Nwith a very weak algorithm. So it is a
Dialogue: 0,0:07:00.99,0:07:08.40,Default,,0000,0000,0000,,single byte XOR key, and it is not\Nauthenticated whatsoever. And what's in
Dialogue: 0,0:07:08.40,0:07:14.56,Default,,0000,0000,0000,,this configuration file? Well, that's\Nwhere you can find the server, the command
Dialogue: 0,0:07:14.56,0:07:20.86,Default,,0000,0000,0000,,and control server. So an attacker can\Njust change this configuration to point to
Dialogue: 0,0:07:20.86,0:07:27.90,Default,,0000,0000,0000,,its own attacker-controlled server. So we\Nknew that this vulnerability existed for a
Dialogue: 0,0:07:27.90,0:07:35.11,Default,,0000,0000,0000,,while, it was back in 2009, but we had no\Nevidence of it being used in the wild.
Dialogue: 0,0:07:35.11,0:07:41.12,Default,,0000,0000,0000,,Until earlier this year, when Arbor\NNetworks published a blog post where they
Dialogue: 0,0:07:41.12,0:07:46.91,Default,,0000,0000,0000,,described some modified small agent with\Nmodified configuration where the domains
Dialogue: 0,0:07:46.91,0:07:55.21,Default,,0000,0000,0000,,that were embedded in this configuration\Nwere linked to old Sednit domains. So
Dialogue: 0,0:07:55.21,0:08:00.55,Default,,0000,0000,0000,,let's go back to LoJack architecture and\Nlook at where this attack took place. So
Dialogue: 0,0:08:00.55,0:08:16.24,Default,,0000,0000,0000,,it took place at this level here. So from\Nthere we did some detection for this
Dialogue: 0,0:08:16.24,0:08:24.25,Default,,0000,0000,0000,,malware and it was... and we hunted to\Ngather as many samples as we could. And
Dialogue: 0,0:08:24.25,0:08:30.80,Default,,0000,0000,0000,,it was fairly simple because they always\Nmodified the same exact version of the
Dialogue: 0,0:08:30.80,0:08:37.28,Default,,0000,0000,0000,,agent and they modified, so that's what we\Ncan see here, so they modified the command
Dialogue: 0,0:08:37.28,0:08:42.91,Default,,0000,0000,0000,,and control server. And here we see the\Nencrypted version of course. So by looking
Dialogue: 0,0:08:42.91,0:08:48.71,Default,,0000,0000,0000,,at this we looked at ESET's telemetry\Nand found out that there were a few
Dialogue: 0,0:08:48.71,0:08:53.49,Default,,0000,0000,0000,,organizations that were hit mostly in the\NBalkans, in Central Europe as well as in
Dialogue: 0,0:08:53.49,0:08:59.15,Default,,0000,0000,0000,,Eastern Europe. These were military and\Ndiplomatic organizations. And what's
Dialogue: 0,0:08:59.15,0:09:06.67,Default,,0000,0000,0000,,interesting is that we also found other\NSednit tools in the same organization. So
Dialogue: 0,0:09:06.67,0:09:11.69,Default,,0000,0000,0000,,at this point we wondered how this malware\Ngot there, but since there were other
Dialogue: 0,0:09:11.69,0:09:16.79,Default,,0000,0000,0000,,backdoors of Sednit in the organization we\Nthought it might be the infection vector,
Dialogue: 0,0:09:16.79,0:09:22.19,Default,,0000,0000,0000,,but by digging a little bit deeper we\Nfound another interesting component. And
Dialogue: 0,0:09:22.19,0:09:28.85,Default,,0000,0000,0000,,if we go back to the LoJack architecture,\Nthe component that we found is at this
Dialogue: 0,0:09:28.85,0:09:35.37,Default,,0000,0000,0000,,step here. So at this step in the LoJack\Narchitecture it's autochk.exe that lives
Dialogue: 0,0:09:35.37,0:09:41.14,Default,,0000,0000,0000,,there. But what we found is another file\Ncalled autoche.exe instead of autochk. And
Dialogue: 0,0:09:41.14,0:09:47.22,Default,,0000,0000,0000,,it does pretty much the same thing. So it\Nalso installs a service and it also drops
Dialogue: 0,0:09:47.22,0:09:54.25,Default,,0000,0000,0000,,rpcnetp.exe. But it is the rpcnetp version\Nthat has a modified server in it. So
Dialogue: 0,0:09:54.25,0:09:59.76,Default,,0000,0000,0000,,Sednit domain basically. And we continued\Nto look at what we could find in this
Dialogue: 0,0:09:59.76,0:10:06.16,Default,,0000,0000,0000,,organization and we found another tool\Nwhich is called info_efi.exe, and that
Dialogue: 0,0:10:06.16,0:10:10.35,Default,,0000,0000,0000,,allows to drop... to dump a lot of\Ninformation about very low level settings
Dialogue: 0,0:10:10.35,0:10:17.96,Default,,0000,0000,0000,,of the machine. And this tool uses Read\NWrite Everything's driver. And
Dialogue: 0,0:10:17.96,0:10:23.02,Default,,0000,0000,0000,,Read Write Everything is a software that allows you\Nto manipulate very low level settings of
Dialogue: 0,0:10:23.02,0:10:27.66,Default,,0000,0000,0000,,your machine. So using this tool you can\Nread and write to PCI configuration
Dialogue: 0,0:10:27.66,0:10:33.00,Default,,0000,0000,0000,,registers, to memory-mapped IOs, to IO port\Nspace and you can also access physical
Dialogue: 0,0:10:33.00,0:10:38.31,Default,,0000,0000,0000,,memory and this tool uses a kernel driver\Nof course - if you want to do those things
Dialogue: 0,0:10:38.31,0:10:43.36,Default,,0000,0000,0000,,you need a kernel driver. And this kernel\Ndriver is properly signed so that you can
Dialogue: 0,0:10:43.36,0:10:49.80,Default,,0000,0000,0000,,push it on even a recent version of\NWindows. And so yeah, that's the driver
Dialogue: 0,0:10:49.80,0:10:57.04,Default,,0000,0000,0000,,that was used by info_efi here. And by\NGoogling a little bit around what we found
Dialogue: 0,0:10:57.04,0:11:02.22,Default,,0000,0000,0000,,out is that this specific driver was used\Nin the past by security researchers to
Dialogue: 0,0:11:02.22,0:11:10.04,Default,,0000,0000,0000,,exploit vulnerabilities at the firmware\Nlevel. So, yeah, the last thing that was
Dialogue: 0,0:11:10.04,0:11:17.35,Default,,0000,0000,0000,,missing here to mimic the whole LoJack\Nsolution was a UEFI BIOS module. So at
Dialogue: 0,0:11:17.35,0:11:24.56,Default,,0000,0000,0000,,this point we wondered, did they get\Nthere? So, because of the tool dumping
Dialogue: 0,0:11:24.56,0:11:28.22,Default,,0000,0000,0000,,information about the BIOS that I just\Nspoke about, we were pretty confident that
Dialogue: 0,0:11:28.22,0:11:34.15,Default,,0000,0000,0000,,something more was happening there. And by\Ndigging a little bit deeper, we found
Dialogue: 0,0:11:34.15,0:11:40.31,Default,,0000,0000,0000,,other tools that strengthened our\Nsuspicions. So the first tool is called
Dialogue: 0,0:11:40.31,0:11:47.43,Default,,0000,0000,0000,,ReWriter_read. And it is a tool used to\Ndump the content of the SPI flash memory,
Dialogue: 0,0:11:47.43,0:11:54.01,Default,,0000,0000,0000,,and it also uses Read Write Everything's driver and\Nit uses these specific IO control codes.
Dialogue: 0,0:11:54.01,0:11:59.85,Default,,0000,0000,0000,,So it allows it to read and write to\Nmemory-mapped IO space as well as read and
Dialogue: 0,0:11:59.85,0:12:05.71,Default,,0000,0000,0000,,write to PCI configuration registers.\NWhat's interesting for us as reverse
Dialogue: 0,0:12:05.71,0:12:09.68,Default,,0000,0000,0000,,engineers is that this tool contains a lot\Nof debug strings which really made our job
Dialogue: 0,0:12:09.68,0:12:16.51,Default,,0000,0000,0000,,easier. And it consists of the following\Noperations. So the first thing it will do
Dialogue: 0,0:12:16.51,0:12:22.19,Default,,0000,0000,0000,,is that it will log information on the\NBIOS_CNTL register and we'll talk in a lot of
Dialogue: 0,0:12:22.19,0:12:27.86,Default,,0000,0000,0000,,detail about this register just a little bit later\Nin this talk. Then it locates the BIOS
Dialogue: 0,0:12:27.86,0:12:35.44,Default,,0000,0000,0000,,region base address. And finally it reads\Nthe UEFI firmware content and dumps it to a
Dialogue: 0,0:12:35.44,0:12:42.11,Default,,0000,0000,0000,,file. So another tool that we found is\Nreally complementary to the tool, to
Dialogue: 0,0:12:42.11,0:12:47.28,Default,,0000,0000,0000,,ReWriter_read, and it is called\NReWriter_binary. So it also contains a lot
Dialogue: 0,0:12:47.28,0:12:53.92,Default,,0000,0000,0000,,of debug strings. It also uses\NRWEverything's driver. And now that the UEFI
Dialogue: 0,0:12:53.92,0:12:59.42,Default,,0000,0000,0000,,firmware is dumped into memory, the next\Nstep is to add the rootkit to the firmware
Dialogue: 0,0:12:59.42,0:13:02.44,Default,,0000,0000,0000,,and to write it back to the SPI flash\Nmemory and that's exactly what this tool
Dialogue: 0,0:13:02.44,0:13:09.78,Default,,0000,0000,0000,,does. Okay. So now let's talk about the\Npatching of the UEFI firmware. But before
Dialogue: 0,0:13:09.78,0:13:13.07,Default,,0000,0000,0000,,we dig into the subject there are a\Ncouple things that I wanted to introduce
Dialogue: 0,0:13:13.07,0:13:16.55,Default,,0000,0000,0000,,here just to make sure that we're on the\Nsame page. So the first thing I want to
Dialogue: 0,0:13:16.55,0:13:22.91,Default,,0000,0000,0000,,talk about is UEFI and UEFI stands for\NUnified Extensible Firmware Interface and
Dialogue: 0,0:13:22.91,0:13:26.77,Default,,0000,0000,0000,,it is a standardized specification that\Ndefines the interface that exists between
Dialogue: 0,0:13:26.77,0:13:31.96,Default,,0000,0000,0000,,the operating system and the firmware. And\Nit's kind of a replacement for the legacy
Dialogue: 0,0:13:31.96,0:13:39.15,Default,,0000,0000,0000,,BIOS. So, a UEFI compliant firmware will\Nprovide a set of services to UEFI
Dialogue: 0,0:13:39.15,0:13:43.67,Default,,0000,0000,0000,,applications and here read the operating\Nsystem loader. There are other UEFI
Dialogue: 0,0:13:43.67,0:13:50.64,Default,,0000,0000,0000,,applications, but usually it's the\Noperating system loader that runs. So the
Dialogue: 0,0:13:50.64,0:13:55.39,Default,,0000,0000,0000,,first set of services is called the boot\Nservices and these are services that are
Dialogue: 0,0:13:55.39,0:14:00.15,Default,,0000,0000,0000,,available during the firmware lifetime but\Nonce the operating system is loaded, these
Dialogue: 0,0:14:00.15,0:14:04.43,Default,,0000,0000,0000,,services are not available anymore and\Nthere are the runtime services that are
Dialogue: 0,0:14:04.43,0:14:10.63,Default,,0000,0000,0000,,also available during firmware lifetime.\NBut once the operating system is loaded
Dialogue: 0,0:14:10.63,0:14:14.56,Default,,0000,0000,0000,,they are still available, so that a kernel\Ndriver for instance can make calls to these
Dialogue: 0,0:14:14.56,0:14:20.72,Default,,0000,0000,0000,,services. An example of these services\Nallows the operating system to read and
Dialogue: 0,0:14:20.72,0:14:25.74,Default,,0000,0000,0000,,write to UEFI variables. And what's\Ninteresting with UEFI is that there is no
Dialogue: 0,0:14:25.74,0:14:30.56,Default,,0000,0000,0000,,more master boot record and volume boot\Nrecord involved in the boot process
Dialogue: 0,0:14:30.56,0:14:37.96,Default,,0000,0000,0000,,meaning that there is no easy way to\Nhijack the early boot control flow. So the
Dialogue: 0,0:14:37.96,0:14:43.28,Default,,0000,0000,0000,,second thing I want to introduce here are\Nthe driver execution environment drivers -
Dialogue: 0,0:14:43.28,0:14:47.65,Default,,0000,0000,0000,,so the DXE drivers. So DXE drivers are\NPE/COFF images meaning that they are
Dialogue: 0,0:14:47.65,0:14:53.52,Default,,0000,0000,0000,,basically Windows executables, and they\Nare kind of the core of UEFI firmware so
Dialogue: 0,0:14:53.52,0:14:57.67,Default,,0000,0000,0000,,that they can do many things, some of them\Nwill be used to abstract the hardware.
Dialogue: 0,0:14:57.67,0:15:01.24,Default,,0000,0000,0000,,Some of them will be used to produce the\NUEFI standard interface, so the boot
Dialogue: 0,0:15:01.24,0:15:05.89,Default,,0000,0000,0000,,services and the runtime services, and\Nthey can also be used by firmware vendors
Dialogue: 0,0:15:05.89,0:15:11.66,Default,,0000,0000,0000,,or OEMs to extend the firmware by\Nregistering new services - the so-called
Dialogue: 0,0:15:11.66,0:15:17.43,Default,,0000,0000,0000,,protocols in the UEFI specification. And,\Nthe DXE drivers are loaded during the DXE
Dialogue: 0,0:15:17.43,0:15:22.27,Default,,0000,0000,0000,,phase of the platform initialization and\Nthey are loaded by the DXE dispatcher that
Dialogue: 0,0:15:22.27,0:15:28.83,Default,,0000,0000,0000,,will also be referred to as the DXE Core.\NThe last thing that I'm going to do: I
Dialogue: 0,0:15:28.83,0:15:34.09,Default,,0000,0000,0000,,want to introduce for now is the UEFI\Nfirmware layout - so the UEFI firmware
Dialogue: 0,0:15:34.09,0:15:40.06,Default,,0000,0000,0000,,is located in the BIOS region of the SPI\Nflash memory. And this region will contain
Dialogue: 0,0:15:40.06,0:15:45.64,Default,,0000,0000,0000,,multiple volumes. But let's look at it with\Na little bit more detail in this tool here
Dialogue: 0,0:15:45.64,0:15:51.12,Default,,0000,0000,0000,,which is UEFITool, that is an open source\Nsoftware that allows you to manipulate
Dialogue: 0,0:15:51.12,0:15:57.19,Default,,0000,0000,0000,,UEFI firmware images. So here I loaded the\Ntypical content of an SPI flash memory dump
Dialogue: 0,0:15:57.19,0:16:01.58,Default,,0000,0000,0000,,in this tool and let's look at what we\Nhave. So, the first thing that we see here
Dialogue: 0,0:16:01.58,0:16:05.99,Default,,0000,0000,0000,,is the descriptor region, so it contains...\Nthis region contains metadata about how
Dialogue: 0,0:16:05.99,0:16:11.28,Default,,0000,0000,0000,,the remaining data in the SPI flash memory\Nis laid out. The second region that we
Dialogue: 0,0:16:11.28,0:16:16.63,Default,,0000,0000,0000,,find here is the ME region which contains\Nthe Intel Management Engine firmware. And
Dialogue: 0,0:16:16.63,0:16:20.41,Default,,0000,0000,0000,,finally we have the BIOS region which is\Nreally the main interest... the main thing
Dialogue: 0,0:16:20.41,0:16:27.58,Default,,0000,0000,0000,,that we want to look at today. So the BIOS\Nregion contains multiple volumes. So let's
Dialogue: 0,0:16:27.58,0:16:32.57,Default,,0000,0000,0000,,look at one volume in a little bit more\Ndetail. So here we have a volume of type
Dialogue: 0,0:16:32.57,0:16:37.87,Default,,0000,0000,0000,,firmware filesystem version 2 and this\Nvolume contains multiple files and these
Dialogue: 0,0:16:37.87,0:16:42.07,Default,,0000,0000,0000,,files are identified by GUIDs. So that's\Nwhat we can see under the name column
Dialogue: 0,0:16:42.07,0:16:49.75,Default,,0000,0000,0000,,here. And a file doesn't contain directly\Nthe UEFI executable, but it is composed of
Dialogue: 0,0:16:49.75,0:16:55.16,Default,,0000,0000,0000,,multiple sections and one of these sections\Nis the actual UEFI executable, but there
Dialogue: 0,0:16:55.16,0:16:59.14,Default,,0000,0000,0000,,are other sections and in this case we see\Na DXE dependency section that allows to
Dialogue: 0,0:16:59.14,0:17:05.97,Default,,0000,0000,0000,,define dependencies for this specific UEFI\Nimage and we also see a version section
Dialogue: 0,0:17:05.97,0:17:09.92,Default,,0000,0000,0000,,and a user interface section which allows\Nto give us a human readable name for this
Dialogue: 0,0:17:09.92,0:17:17.02,Default,,0000,0000,0000,,file instead of the GUID which is\Npretty difficult to remember for humans.
Dialogue: 0,0:17:18.66,0:17:24.29,Default,,0000,0000,0000,,OK, so now that we have all this in mind\Nlet's go back to ReWriter_binary. So what
Dialogue: 0,0:17:24.29,0:17:28.61,Default,,0000,0000,0000,,ReWriter_binary will do is that it will\Nparse all of the firmware volumes that it
Dialogue: 0,0:17:28.61,0:17:36.74,Default,,0000,0000,0000,,can find looking for 4 specific files. So\Nit looks for Ip4Dxe, NtfsDxe, SmiFlash,
Dialogue: 0,0:17:36.74,0:17:42.99,Default,,0000,0000,0000,,and the DXE Core. So why does it look for\NIp4Dxe and the DXE Core? Well these files
Dialogue: 0,0:17:42.99,0:17:48.47,Default,,0000,0000,0000,,are looked for to find the firmware volume\Nwhere to install the UEFI rootkit. So
Dialogue: 0,0:17:48.47,0:17:54.58,Default,,0000,0000,0000,,usually in UEFI firmwares all of the DXE\Ndrivers are in the same volume, so when
Dialogue: 0,0:17:54.58,0:17:59.14,Default,,0000,0000,0000,,the tool will parse... will find in fact\NIp4Dxe, it will know it is currently
Dialogue: 0,0:17:59.14,0:18:03.74,Default,,0000,0000,0000,,parsing the volume with all of the DXE\Ndrivers in it and it will keep it as a
Dialogue: 0,0:18:03.74,0:18:07.77,Default,,0000,0000,0000,,candidate for the UEFI rootkit\Ninstallation. And it looks for the DXE
Dialogue: 0,0:18:07.77,0:18:13.01,Default,,0000,0000,0000,,Core basically for the same reason, but\Nsometimes the DXE Core is in a different
Dialogue: 0,0:18:13.01,0:18:17.39,Default,,0000,0000,0000,,volume, so when it will find it, it will\Nkeep the volume as another candidate for
Dialogue: 0,0:18:17.39,0:18:22.28,Default,,0000,0000,0000,,the UEFI rootkit installation and the\Nchosen volume will be the one with enough
Dialogue: 0,0:18:22.28,0:18:31.05,Default,,0000,0000,0000,,free space available in it. Now, NtfsDxe.\NSo NtfsDxe is the American Megatrends Inc.
Dialogue: 0,0:18:31.05,0:18:37.88,Default,,0000,0000,0000,,NTFS driver and if the tool finds it, it\Nwill remove it, and the reason for that is
Dialogue: 0,0:18:37.88,0:18:44.34,Default,,0000,0000,0000,,that the UEFI rootkit embeds its own NTFS\Ndriver, so to avoid any conflict with
Dialogue: 0,0:18:44.34,0:18:51.89,Default,,0000,0000,0000,,another NTFS driver it just removes it.\NAnd now SmiFlash, so, SmiFlash is looked
Dialogue: 0,0:18:51.89,0:18:57.01,Default,,0000,0000,0000,,for... and, you know, the tool will... if\Nthe tool finds it, it will keep some
Dialogue: 0,0:18:57.01,0:19:00.68,Default,,0000,0000,0000,,metadata about it in the structure, but in\Nthe version of the tool that we analyzed
Dialogue: 0,0:19:00.68,0:19:07.12,Default,,0000,0000,0000,,it's not used anywhere. But interestingly,\NSmiFlash is a known vulnerable DXE driver.
Dialogue: 0,0:19:07.51,0:19:11.12,Default,,0000,0000,0000,,So what we believe is that Sednit might\Nhave been fiddling in another version of
Dialogue: 0,0:19:11.12,0:19:16.01,Default,,0000,0000,0000,,the tool with some exploit for this driver\Nin order to be able to bypass write
Dialogue: 0,0:19:16.01,0:19:22.16,Default,,0000,0000,0000,,protection mechanisms to the BIOS region\Nof the SPI flash memory. So now that it
Dialogue: 0,0:19:22.16,0:19:28.86,Default,,0000,0000,0000,,has found the volume where to install the\Nrootkit, it will add the rootkit, right.
Dialogue: 0,0:19:28.86,0:19:33.98,Default,,0000,0000,0000,,So the first thing it does, it will create\Na firmware file system file header, then
Dialogue: 0,0:19:33.98,0:19:38.94,Default,,0000,0000,0000,,it will append the rootkit file, which is\Na compressed section that contains two
Dialogue: 0,0:19:38.94,0:19:46.75,Default,,0000,0000,0000,,other sections, one of these is the\Nactual UEFI rootkit image and the other
Dialogue: 0,0:19:46.75,0:19:53.06,Default,,0000,0000,0000,,one is a user interface section defining\Nthe name for this rootkit which is SecDXE,
Dialogue: 0,0:19:53.06,0:19:59.80,Default,,0000,0000,0000,,as in security DXE. And then it will take\Nthis blob of data and write it at the end
Dialogue: 0,0:19:59.80,0:20:02.20,Default,,0000,0000,0000,,of the firmware volume that was chosen.
Dialogue: 0,0:20:11.05,0:20:14.31,Default,,0000,0000,0000,,So now that the UEFI rootkit is inside the
Dialogue: 0,0:20:14.31,0:20:19.72,Default,,0000,0000,0000,,firmware in memory, the next step is to\Nwrite it back to the SPI flash memory. And
Dialogue: 0,0:20:19.72,0:20:23.87,Default,,0000,0000,0000,,once again there's a couple of things that\NI want to introduce here. So I want to
Dialogue: 0,0:20:23.87,0:20:28.53,Default,,0000,0000,0000,,talk about BIOS write protection\Nmechanisms. So the chipset exposes write
Dialogue: 0,0:20:28.53,0:20:33.54,Default,,0000,0000,0000,,protection mechanisms that need to be\Nproperly configured by the firmware. So
Dialogue: 0,0:20:33.54,0:20:38.65,Default,,0000,0000,0000,,there is no such thing as, you know, a BIOS\Nwrite protection mechanism enabled by
Dialogue: 0,0:20:38.65,0:20:43.16,Default,,0000,0000,0000,,default. It's really the job of the\Nfirmware to do that. And today we'll only
Dialogue: 0,0:20:43.16,0:20:48.16,Default,,0000,0000,0000,,cover relevant protections to our\Nresearch. So only the protection mechanisms
Dialogue: 0,0:20:48.16,0:20:54.70,Default,,0000,0000,0000,,that are looked for by\NReWriter_binary. And yeah the protections
Dialogue: 0,0:20:54.70,0:20:58.73,Default,,0000,0000,0000,,we'll talk about are exposed via the BIOS\Ncontrol register that we've seen a little
Dialogue: 0,0:20:58.73,0:21:04.44,Default,,0000,0000,0000,,bit earlier in this talk. So, if you're a\Nkernel driver and you want to write to the
Dialogue: 0,0:21:04.44,0:21:08.75,Default,,0000,0000,0000,,BIOS region of the SPI flash memory, what\Nyou need to do first is you need to set
Dialogue: 0,0:21:08.75,0:21:13.94,Default,,0000,0000,0000,,the BIOS Write Enable field of the BIOS\Ncontrol register to 1 and then you're able
Dialogue: 0,0:21:13.94,0:21:21.18,Default,,0000,0000,0000,,to write to the SPI flash memory. But of\Ncourse you don't want any kernel driver to
Dialogue: 0,0:21:21.18,0:21:26.04,Default,,0000,0000,0000,,be able to modify your UEFI firmware and\Npotentially brick your machine. So there's
Dialogue: 0,0:21:26.04,0:21:29.84,Default,,0000,0000,0000,,a protection mechanism there which is\Nanother field in the BIOS control register
Dialogue: 0,0:21:29.84,0:21:35.99,Default,,0000,0000,0000,,and this field is called BIOS Lock Enable\Nand it allows to lock BIOS Write Enable to
Dialogue: 0,0:21:35.99,0:21:44.89,Default,,0000,0000,0000,,0. And this field is readable in WLO. WLO\Nmeans write lock once. And what it means
Dialogue: 0,0:21:44.89,0:21:48.76,Default,,0000,0000,0000,,is that once the firmware has set this bit\Nthere's no other way to set it back to 0
Dialogue: 0,0:21:48.76,0:21:50.43,Default,,0000,0000,0000,,than performing a full platform reset.
Dialogue: 0,0:21:53.01,0:21:56.10,Default,,0000,0000,0000,,But there's a problem here, and it lies in the
Dialogue: 0,0:21:56.10,0:22:03.22,Default,,0000,0000,0000,,fact that the BIOS Lock Enable implementation\Nis vulnerable. So how it works is that
Dialogue: 0,0:22:03.22,0:22:10.93,Default,,0000,0000,0000,,when BIOS Write Enable is set to 1, its\Nvalue will actually change in the BIOS
Dialogue: 0,0:22:10.93,0:22:16.06,Default,,0000,0000,0000,,control register for a small amount of\Ntime. And then the platform will issue a
Dialogue: 0,0:22:16.06,0:22:22.24,Default,,0000,0000,0000,,system management interrupt and the SMI\Nhandler will set BIOS Write Enable back to
Dialogue: 0,0:22:22.24,0:22:28.18,Default,,0000,0000,0000,,0. But, yeah, the firmware must implement\Nthis SMI, otherwise this mechanism is
Dialogue: 0,0:22:28.18,0:22:35.08,Default,,0000,0000,0000,,totally useless. But maybe you've guessed\Nit. But what happens if we write to the
Dialogue: 0,0:22:35.08,0:22:41.02,Default,,0000,0000,0000,,SPI flash memory before the SMI handler\Nsets BIOS Write Enable back to 0? So there
Dialogue: 0,0:22:41.02,0:22:45.75,Default,,0000,0000,0000,,is a race condition vulnerability here.\NAnd there is a paper about it which is
Dialogue: 0,0:22:45.75,0:22:50.24,Default,,0000,0000,0000,,called "Speed Racer". And to exploit this\Nwhat you need to do is, you need one
Dialogue: 0,0:22:50.24,0:22:55.46,Default,,0000,0000,0000,,thread that continuously sets BIOS Write\NEnable to 1, while another thread tries to
Dialogue: 0,0:22:55.46,0:23:00.13,Default,,0000,0000,0000,,write the data to the SPI flash memory.\NAnd according to this paper it works on
Dialogue: 0,0:23:00.13,0:23:03.74,Default,,0000,0000,0000,,multicore processors as well as on single\Ncore processors with hyper-threading
Dialogue: 0,0:23:03.74,0:23:09.82,Default,,0000,0000,0000,,enabled. So Intel came up with a fix for\Nthis issue and it was introduced in the
Dialogue: 0,0:23:09.82,0:23:15.49,Default,,0000,0000,0000,,platform controller hub family of Intel\Nchipsets around 2008. And what they did
Dialogue: 0,0:23:15.49,0:23:20.06,Default,,0000,0000,0000,,is, that they added a field in the BIOS\Ncontrol register. And this field is called
Dialogue: 0,0:23:20.06,0:23:25.48,Default,,0000,0000,0000,,SMM BIOS Write Protect Disable. And the\Nname is a little bit misleading, but if
Dialogue: 0,0:23:25.48,0:23:30.37,Default,,0000,0000,0000,,you remove disable, that's actually what\Nit does. And if this mechanism is
Dialogue: 0,0:23:30.37,0:23:35.47,Default,,0000,0000,0000,,activated, there will be no other way to\Nwrite to the SPI, to the BIOS region of
Dialogue: 0,0:23:35.47,0:23:41.45,Default,,0000,0000,0000,,the SPI flash memory, than if you don't\Nhave all of the cores of your processor
Dialogue: 0,0:23:41.45,0:23:47.76,Default,,0000,0000,0000,,running in SMM, meaning that the job of\Nwriting to the SPI flash memory is now only
Dialogue: 0,0:23:47.76,0:23:53.67,Default,,0000,0000,0000,,available to system management mode. And\Nonce again the firmware must set this bit.
Dialogue: 0,0:23:53.67,0:24:02.75,Default,,0000,0000,0000,,Otherwise this mechanism is not activated,\Nright. Okay so let's go back to
Dialogue: 0,0:24:02.75,0:24:06.83,Default,,0000,0000,0000,,ReWriter_binary. So of course if I talk\Nabout all of these mechanisms it's because
Dialogue: 0,0:24:06.83,0:24:11.35,Default,,0000,0000,0000,,ReWriter_binary checks for them. So it\Nwill check if the platform is properly
Dialogue: 0,0:24:11.35,0:24:16.72,Default,,0000,0000,0000,,configured and it implements the exploit\Nfor the race condition that I just spoke
Dialogue: 0,0:24:16.72,0:24:22.75,Default,,0000,0000,0000,,about. So let's look at the writing\Nprocess decision tree. So the first thing
Dialogue: 0,0:24:22.75,0:24:28.70,Default,,0000,0000,0000,,that it will look for is if BIOS Write\NEnable is set, and if BIOS Write Enable is
Dialogue: 0,0:24:28.70,0:24:34.91,Default,,0000,0000,0000,,set there, then there's nothing stopping\Nit from writing the UEFI image. But if it
Dialogue: 0,0:24:34.91,0:24:40.29,Default,,0000,0000,0000,,is not set, then it will check "Oh, is\NBIOS Lock Enable activated?". And this, if
Dialogue: 0,0:24:40.29,0:24:45.85,Default,,0000,0000,0000,,this mechanism is not activated then it\Nwill just flip BIOS Write Enable to 1, and
Dialogue: 0,0:24:45.85,0:24:50.40,Default,,0000,0000,0000,,then it will write the UEFI image. But if\Nit is activated, the last thing it will
Dialogue: 0,0:24:50.40,0:24:57.28,Default,,0000,0000,0000,,check for is "Is SMM BIOS Write Protect\Nset?". And if it is not set, then it will
Dialogue: 0,0:24:57.28,0:25:02.94,Default,,0000,0000,0000,,exploit the race condition that we spoke\Nabout. And if it is set, then the tool
Dialogue: 0,0:25:02.94,0:25:11.26,Default,,0000,0000,0000,,will just fail. So the tool only works if\Nthe platform is misconfigured. And we
Dialogue: 0,0:25:11.26,0:25:17.06,Default,,0000,0000,0000,,spoke about SmiFlash, the vulnerable DXE\Ndriver. So yeah, what we think is that by
Dialogue: 0,0:25:17.06,0:25:21.31,Default,,0000,0000,0000,,being able to exploit this vulnerability,\Nthey would have been able to have a tool
Dialogue: 0,0:25:21.31,0:25:28.44,Default,,0000,0000,0000,,that works even when the platform is\Nproperly configured. So it's a very good
Dialogue: 0,0:25:28.44,0:25:36.42,Default,,0000,0000,0000,,example of; I mean if firmware vendors\Nhad done their job correctly here,
Dialogue: 0,0:25:36.42,0:25:40.58,Default,,0000,0000,0000,,this tool would have failed at flashing\Nthe UEFI firmware, so that's a great
Dialogue: 0,0:25:40.58,0:25:47.42,Default,,0000,0000,0000,,example of how, you know, firmware\Nsecurity is. So here let's just take a
Dialogue: 0,0:25:47.42,0:25:52.10,Default,,0000,0000,0000,,step back and look at what we have.
So\Nwhat we have is a software implementation Dialogue: 0,0:25:52.10,0:25:57.34,Default,,0000,0000,0000,,to flash the firmware remotely post\Nexploitation, meaning that as an attacker Dialogue: 0,0:25:57.34,0:26:03.12,Default,,0000,0000,0000,,I can, you know, infect my target the way\NI usually do - let's say by sending a Dialogue: 0,0:26:03.12,0:26:07.03,Default,,0000,0000,0000,,phishing email. And once I have a foothold\Nin the machine, I can use this tool to Dialogue: 0,0:26:07.03,0:26:12.77,Default,,0000,0000,0000,,deploy the UEFI rootkit. And one we knew\Nabout in the past was Hacking Team's UEFI Dialogue: 0,0:26:12.77,0:26:19.20,Default,,0000,0000,0000,,rootkit and it needed physical access to\Nbe deployed. So it's so much more Dialogue: 0,0:26:19.20,0:26:25.02,Default,,0000,0000,0000,,convenient to be able to do it remotely.\NAnd let's note here that there is no proof Dialogue: 0,0:26:25.02,0:26:30.31,Default,,0000,0000,0000,,of Hacking Team's rootkit being used in an\Nactual cyber attack. It has never been Dialogue: 0,0:26:30.31,0:26:36.88,Default,,0000,0000,0000,,found on a victim's machine or at least if\Nit had, it hasn't been publicly disclosed. Dialogue: 0,0:26:36.88,0:26:41.27,Default,,0000,0000,0000,,So what we did at this point is that we\Nextracted the UEFI rootkit from the tool Dialogue: 0,0:26:41.27,0:26:47.05,Default,,0000,0000,0000,,and we looked at ESET's UEFI scanner\Ntelemetry to see if we can find something. Dialogue: 0,0:26:47.05,0:26:52.03,Default,,0000,0000,0000,,Turns out that we found the UEFI rootkit\Nin the SPI flash memory of a victim's Dialogue: 0,0:26:52.03,0:26:57.99,Default,,0000,0000,0000,,machine, making it the first publicly\Nknown UEFI rootkit to be used in an actual Dialogue: 0,0:26:57.99,0:27:01.35,Default,,0000,0000,0000,,cyber attack. Okay. Dialogue: 0,0:27:01.35,0:27:14.71,Default,,0000,0000,0000,,So now let's look at the UEFI \Nrootkit itself. 
So the UEFI Dialogue: 0,0:27:14.71,0:27:19.26,Default,,0000,0000,0000,,rootkit is a DXE driver. So it is loaded\Nby the DXE dispatcher every time that the Dialogue: 0,0:27:19.26,0:27:25.51,Default,,0000,0000,0000,,machine will boot. Its file name is SecDxe\Nas we've seen earlier and here's the file Dialogue: 0,0:27:25.51,0:27:33.52,Default,,0000,0000,0000,,GUID for future reference. So let's look\Nat the UEFI rootkit workflow. So UEFI Dialogue: 0,0:27:33.52,0:27:36.83,Default,,0000,0000,0000,,firmware we'll go through multiple phases\Nwhen it boots. The first phase is the Dialogue: 0,0:27:36.83,0:27:41.38,Default,,0000,0000,0000,,security phase, the second one is the pre\NEFI initialization phase, and then there Dialogue: 0,0:27:41.38,0:27:44.54,Default,,0000,0000,0000,,is the driver execution environment phase\Nand that's where it begins to be Dialogue: 0,0:27:44.54,0:27:50.74,Default,,0000,0000,0000,,interesting for this rootkit. So that's\Nwhere the DXE dispatcher lives. So that's Dialogue: 0,0:27:50.74,0:27:55.65,Default,,0000,0000,0000,,when all of the DXE drivers will be\Nloaded. So at some point the UEFI rootkit Dialogue: 0,0:27:55.65,0:28:01.59,Default,,0000,0000,0000,,will be loaded. And what will happen is\Nthat the rootkit will create an event Dialogue: 0,0:28:01.59,0:28:07.71,Default,,0000,0000,0000,,attached to EFI GROUP_READY_TO_BOOT. And\Nit will bind a notify function to this Dialogue: 0,0:28:07.71,0:28:14.34,Default,,0000,0000,0000,,event. So in the next phase, when the boot\Nmanager will run, at some point it will Dialogue: 0,0:28:14.34,0:28:22.33,Default,,0000,0000,0000,,signal this event and the notify function\Nwill be called. So, the notify function Dialogue: 0,0:28:22.33,0:28:28.50,Default,,0000,0000,0000,,does 3 things. The first thing is that it\Nwill install an NTFS driver. Then it will Dialogue: 0,0:28:28.50,0:28:35.46,Default,,0000,0000,0000,,drop autoche.exe and rpcnetp.exe using\Nthis NTFS driver. 
And finally it will Dialogue: 0,0:28:35.46,0:28:42.96,Default,,0000,0000,0000,,patch a value in the Windows Registry. So,\Nthe NTFS driver is needed to get file Dialogue: 0,0:28:42.96,0:28:49.70,Default,,0000,0000,0000,,based access to Windows partition and\NSednit's operator did not write their own Dialogue: 0,0:28:49.70,0:28:55.50,Default,,0000,0000,0000,,NTFS driver. What did it is that they use\NHacking Team's NTFS driver from Hacking Dialogue: 0,0:28:55.50,0:29:03.92,Default,,0000,0000,0000,,Team's leak. And, yeah, so here's the code\Nresponsible for dropping the files. So as Dialogue: 0,0:29:03.92,0:29:08.40,Default,,0000,0000,0000,,we can see here, it is dropping\Nrpcnetp.exe and here it is dropping Dialogue: 0,0:29:08.40,0:29:16.64,Default,,0000,0000,0000,,autoche.exe. And the last step is to patch\Nthe Windows Registry. So how it does that Dialogue: 0,0:29:16.64,0:29:22.54,Default,,0000,0000,0000,,is that it will open the file backing the\NHKLM\SYSTEM Registry hive and it doesn't Dialogue: 0,0:29:22.54,0:29:27.68,Default,,0000,0000,0000,,have all the logic to parse Windows\NRegistry structures, so it will only look Dialogue: 0,0:29:27.68,0:29:31.90,Default,,0000,0000,0000,,for a textual pattern and the textual\Npattern it will look for is "autocheck Dialogue: 0,0:29:31.90,0:29:36.96,Default,,0000,0000,0000,,autochk {\i1}" and it will change it to\N"autocheck autoche {\i0}" and it happens to be Dialogue: 0,0:29:36.96,0:29:43.20,Default,,0000,0000,0000,,modifying the BootExecute key. So, the\NBootExecute key is the key responsible for Dialogue: 0,0:29:43.20,0:29:50.51,Default,,0000,0000,0000,,launching autochk.exe during Windows early\Nboot. So by modifying it to autoche Dialogue: 0,0:29:50.51,0:29:56.76,Default,,0000,0000,0000,,instead of autochk that's autoche.exe that\Nwill be executed instead of autochk. 
And, Dialogue: 0,0:29:56.76,0:30:01.13,Default,,0000,0000,0000,,so here if we go back to the UEFI rootkit\Nworkflow, when the operating system will Dialogue: 0,0:30:01.13,0:30:06.49,Default,,0000,0000,0000,,run, then it will execute autoche.exe.\NThen autoche.exe will drop the small Dialogue: 0,0:30:06.49,0:30:13.47,Default,,0000,0000,0000,,agent, the rpcnetp.exe, and so on. But\Nwhat's interesting here is that it will Dialogue: 0,0:30:13.47,0:30:18.62,Default,,0000,0000,0000,,revert back the modification in the\NWindows Registry from autoche to autochk. Dialogue: 0,0:30:18.62,0:30:23.58,Default,,0000,0000,0000,,So that as a Windows user, for instance,\Nif I look in the Windows Registry, I won't Dialogue: 0,0:30:23.58,0:30:28.71,Default,,0000,0000,0000,,find that anything, any modification\Noccurred there. So that's a pretty Dialogue: 0,0:30:28.71,0:30:32.46,Default,,0000,0000,0000,,interesting sealth technique that is\Nenabled by the fact that the malware is Dialogue: 0,0:30:32.46,0:30:42.36,Default,,0000,0000,0000,,coming from the firmware. Okay. So, the\Nlast thing that I want to talk about now Dialogue: 0,0:30:42.36,0:30:50.63,Default,,0000,0000,0000,,is prevention and remediation, so what can\Nyou do to protect yourself against this Dialogue: 0,0:30:50.63,0:30:56.19,Default,,0000,0000,0000,,kind of attack? And if ever you were... \Nyou find out that you had a UEFI rootkit in Dialogue: 0,0:30:56.19,0:31:04.09,Default,,0000,0000,0000,,your machine, what can you do? So,\Nprevention. 
So the first thing and the Dialogue: 0,0:31:04.09,0:31:10.80,Default,,0000,0000,0000,,most important thing, which is also the\Nmost accessible thing, thankfully, is that Dialogue: 0,0:31:10.80,0:31:16.06,Default,,0000,0000,0000,,you should keep your UEFI firmware up to\Ndate to make sure that if, you know, Dialogue: 0,0:31:16.06,0:31:23.55,Default,,0000,0000,0000,,security researchers found some issues\Nwith your firmware and they disclosed it Dialogue: 0,0:31:23.55,0:31:27.95,Default,,0000,0000,0000,,and the firmware vendor fixed them, you\Nwant to make sure that you have the latest Dialogue: 0,0:31:27.95,0:31:34.18,Default,,0000,0000,0000,,patches available on your machine. Then\Nthe second thing is that you should really Dialogue: 0,0:31:34.18,0:31:38.53,Default,,0000,0000,0000,,enable Secure Boot. But let's note here\Nthat Secure Boot itself would not Dialogue: 0,0:31:38.53,0:31:43.20,Default,,0000,0000,0000,,effectively you against this specific\Nattack. And the reason for that is that Dialogue: 0,0:31:43.20,0:31:48.52,Default,,0000,0000,0000,,Secure Boot takes the content of the SPI\Nflash memory as its root of trust, meaning Dialogue: 0,0:31:48.52,0:31:55.65,Default,,0000,0000,0000,,that what's inside the SPI flash memory is\Nnot subject for validation. So what does Dialogue: 0,0:31:55.65,0:32:00.24,Default,,0000,0000,0000,,it validates then, right? Well, Secure\NBoot will check what's coming from outside Dialogue: 0,0:32:00.24,0:32:04.48,Default,,0000,0000,0000,,of the SPI flash memory meanings the PCI\Noption ROMs and probably the most Dialogue: 0,0:32:04.48,0:32:08.81,Default,,0000,0000,0000,,important thing, the operating system\Nloader. So it's really a mechanism that Dialogue: 0,0:32:08.81,0:32:14.86,Default,,0000,0000,0000,,checks that the operating system loader\Nhasn't been tampered with. So what can we Dialogue: 0,0:32:14.86,0:32:20.61,Default,,0000,0000,0000,,do then, right? Well, what we need is a\Nhardware root of trust. 
So we need to move Dialogue: 0,0:32:20.61,0:32:25.76,Default,,0000,0000,0000,,the root of trust from the SPI flash\Nmemory to some piece of hardware. So it Dialogue: 0,0:32:25.76,0:32:31.09,Default,,0000,0000,0000,,must be in a, you know, one time\Nprogrammable chip that is programmed Dialogue: 0,0:32:31.09,0:32:38.96,Default,,0000,0000,0000,,during manufacturing time and that cannot\Nbe written to ever after. An example of Dialogue: 0,0:32:38.96,0:32:45.41,Default,,0000,0000,0000,,this exists - technology like Intel\NBootGuard implements this. And also Apple Dialogue: 0,0:32:45.41,0:32:51.57,Default,,0000,0000,0000,,T2 security chip has a hardware root of\Ntrust. And then you kind of need to hope Dialogue: 0,0:32:51.57,0:32:57.21,Default,,0000,0000,0000,,that your firmware configures the security\Nmechanisms properly and there's not much Dialogue: 0,0:32:57.21,0:33:02.23,Default,,0000,0000,0000,,you can do about it if your firmware is\Nup-to-date. But thankfully there are Dialogue: 0,0:33:02.23,0:33:06.05,Default,,0000,0000,0000,,firmware security assessment tool\Navailable out there and an example of that Dialogue: 0,0:33:06.05,0:33:13.38,Default,,0000,0000,0000,,is Intel CHIPSEC. So, with Intel CHIPSEC\Nwhich is an open source software tool, so Dialogue: 0,0:33:13.38,0:33:19.37,Default,,0000,0000,0000,,you can just download this tool, put it in\Nan USB key, boot from it and then this Dialogue: 0,0:33:19.37,0:33:22.94,Default,,0000,0000,0000,,tool will check for all of the security\Nmechanism that we spoke about today, it Dialogue: 0,0:33:22.94,0:33:28.63,Default,,0000,0000,0000,,will check if they are properly configured\Nand also it checks for a bunch more stuff. Dialogue: 0,0:33:28.63,0:33:38.31,Default,,0000,0000,0000,,And now also CHIPSEC checks if your\Nfirmware has this LoJax rootkit. 
So if you Dialogue: 0,0:33:38.31,0:33:42.20,Default,,0000,0000,0000,,want to know if your firmware properly\Nconfigures these security mechanism that's Dialogue: 0,0:33:42.20,0:33:52.24,Default,,0000,0000,0000,,really the way to go. Now about\Nremediation. So, this slide is kind of Dialogue: 0,0:33:52.24,0:33:57.21,Default,,0000,0000,0000,,short. And the reason for that is that if\Nyou find out that you have a UEFI rootkit Dialogue: 0,0:33:57.21,0:34:02.35,Default,,0000,0000,0000,,in your SPI flash, there's not pretty much\Nyou can do. You really need to re-flash Dialogue: 0,0:34:02.35,0:34:07.11,Default,,0000,0000,0000,,your UEFI firmware and that's definitely\Nnot something that is easy to do for Dialogue: 0,0:34:07.11,0:34:13.49,Default,,0000,0000,0000,,anybody. And well, if it's not an option\Nfor you, then you kind of need to get rid Dialogue: 0,0:34:13.49,0:34:19.36,Default,,0000,0000,0000,,of your motherboard or your laptop and get\Na new one basically. So that's how serious Dialogue: 0,0:34:19.36,0:34:29.48,Default,,0000,0000,0000,,this kind of attack is. Now, conclusion.\NSo, our research shows that UEFI rootkits Dialogue: 0,0:34:29.48,0:34:35.24,Default,,0000,0000,0000,,are not only toys for researchers to play\Nwith, but they are real world threats used Dialogue: 0,0:34:35.24,0:34:41.46,Default,,0000,0000,0000,,in actual cyber attacks. So it might be\Nsomething that you want to keep in mind Dialogue: 0,0:34:41.46,0:34:48.34,Default,,0000,0000,0000,,when you'll be defining your threat model.\NAlso we won't stress this enough: firmware Dialogue: 0,0:34:48.34,0:34:53.49,Default,,0000,0000,0000,,must be built with security in mind from\Nthe bottom up, and things are getting Dialogue: 0,0:34:53.49,0:34:57.21,Default,,0000,0000,0000,,better because there are more and more\Nsecurity researchers looking into this, Dialogue: 0,0:34:57.21,0:35:03.75,Default,,0000,0000,0000,,but there's still work to do. 
And\Nhopefully, our research help share Dialogue: 0,0:35:03.75,0:35:11.13,Default,,0000,0000,0000,,knowledge about how to prevent and\Nmitigate UEFI-based threats. So that is Dialogue: 0,0:35:11.13,0:35:17.16,Default,,0000,0000,0000,,pretty much it for me today. So thank you\Nfor having me and if ever you're Dialogue: 0,0:35:17.16,0:35:22.24,Default,,0000,0000,0000,,interested to know more details about this\Nresearch, the white paper is available at Dialogue: 0,0:35:22.24,0:35:27.97,Default,,0000,0000,0000,,welivesecurity.com and you can grab a copy\Nthere. So, thanks. Dialogue: 0,0:35:27.97,0:35:38.26,Default,,0000,0000,0000,,{\i1}Applause{\i0}\NHerald: Alright, you know the drill. We Dialogue: 0,0:35:38.26,0:35:44.18,Default,,0000,0000,0000,,have 5 minutes for Q&A. So please, quick\Nand short questions. Number 1 please. Dialogue: 0,0:35:46.43,0:35:56.48,Default,,0000,0000,0000,,Question: (incomprehensible) attacking\Nother operating systems (incomprehensible) Dialogue: 0,0:35:56.48,0:36:01.26,Default,,0000,0000,0000,,Answer: In this case, well, that's kind of\Nthe... pretty much the only one we're aware Dialogue: 0,0:36:01.26,0:36:07.41,Default,,0000,0000,0000,,of, apart from Hacking Team's UEFI\Nrootkit, and this one only works on Dialogue: 0,0:36:07.41,0:36:13.45,Default,,0000,0000,0000,,Windows, so we have no; we don't know\Nabout any other that target's Linux or Mac Dialogue: 0,0:36:13.45,0:36:14.30,Default,,0000,0000,0000,,OS for instance. Dialogue: 0,0:36:16.40,0:36:19.35,Default,,0000,0000,0000,,Herald: Please refrain from walking in\Nfront of the cameras when you're leaving. Dialogue: 0,0:36:19.35,0:36:23.12,Default,,0000,0000,0000,,Thank you.\NCould we get microphone number Dialogue: 0,0:36:23.12,0:36:28.32,Default,,0000,0000,0000,,2 please.\NQ: Hello, thanks for the talk. On your Dialogue: 0,0:36:28.32,0:36:35.83,Default,,0000,0000,0000,,slides you mentioned a tool, open source,\Nfor checking out the layout. 
What was the Dialogue: 0,0:36:35.83,0:36:41.53,Default,,0000,0000,0000,,name of the tool?\NA: It's called UEFI tool. {\i1}Laughter{\i0} Dialogue: 0,0:36:41.53,0:36:44.03,Default,,0000,0000,0000,,Q: Nice.\NA: So you can find it on GitHub. Dialogue: 0,0:36:45.17,0:36:47.09,Default,,0000,0000,0000,,Q: Thanks.\NHerald: The internet please. Dialogue: 0,0:36:47.09,0:36:54.39,Default,,0000,0000,0000,,Q: Thank you. Does the rootkit also work\Nwhen the UEFI is in BIOS legacy mode? Dialogue: 0,0:36:56.31,0:37:06.24,Default,,0000,0000,0000,,A: Uhm... That is a pretty good question.\NI think it should, but I am not sure about Dialogue: 0,0:37:06.24,0:37:12.84,Default,,0000,0000,0000,,it. That's a good question, I'd have to\Nlook into this, to have a... {\i1}laughing{\i0} an Dialogue: 0,0:37:12.84,0:37:16.65,Default,,0000,0000,0000,,answer I'm 100 percent sure about. Sorry\Nfor that. Dialogue: 0,0:37:16.65,0:37:24.63,Default,,0000,0000,0000,,Herald: Microphone number 3 please. It's\Nyou in the back, are you? No that's 4, Dialogue: 0,0:37:24.63,0:37:29.90,Default,,0000,0000,0000,,I'm sorry.\NQ: OK. So, does the UEFI dropper still Dialogue: 0,0:37:29.90,0:37:33.29,Default,,0000,0000,0000,,work with BitLocker enabled? Dialogue: 0,0:37:35.37,0:37:37.79,Default,,0000,0000,0000,,A: I know. Oh yeah. Yeah. We test that. Dialogue: 0,0:37:37.79,0:37:47.12,Default,,0000,0000,0000,,No, it doesn't work if BitLocker is\Nenabled, so it doesn't wait for the... for Dialogue: 0,0:37:47.12,0:37:52.43,Default,,0000,0000,0000,,BitLocker to have decrypted all of the\Ndata. So no, it doesn't work if Dialogue: 0,0:37:52.43,0:37:53.55,Default,,0000,0000,0000,,BitLocker is enabled. Dialogue: 0,0:37:55.62,0:37:57.02,Default,,0000,0000,0000,,Herald: Number 1 please. Dialogue: 0,0:37:59.71,0:38:08.43,Default,,0000,0000,0000,,Q: Would it be possible to work within\Nfull disk encryption. 
(incomprehensible) Dialogue: 0,0:38:08.43,0:38:12.10,Default,,0000,0000,0000,,the file system was decrypted and then\Ninstalled the dropper. Dialogue: 0,0:38:12.10,0:38:15.80,Default,,0000,0000,0000,,A: I'm not sure I heard all of the\Nquestion, but if it works if there's full Dialogue: 0,0:38:15.80,0:38:22.60,Default,,0000,0000,0000,,disk encryption? Is it the question right?\NQ: Would it be possible to make it work Dialogue: 0,0:38:22.60,0:38:28.61,Default,,0000,0000,0000,,with full disk encryption?\NA: I think it should be because the LoJack Dialogue: 0,0:38:28.61,0:38:33.48,Default,,0000,0000,0000,,software is a legitimate one, the anti-\Ntheft solution. They are able to make it Dialogue: 0,0:38:33.48,0:38:39.31,Default,,0000,0000,0000,,work even if BitLocker is enabled or full\Ndisk encryption. So yeah, it should be Dialogue: 0,0:38:39.31,0:38:40.61,Default,,0000,0000,0000,,possible to do so. Dialogue: 0,0:38:42.23,0:38:44.39,Default,,0000,0000,0000,,Herald: One more internet question please. Dialogue: 0,0:38:44.39,0:38:50.23,Default,,0000,0000,0000,,Q: Thank you. What if a rootkit doesn't\Nfit in the SPI flash. Is filling up the Dialogue: 0,0:38:50.23,0:38:54.75,Default,,0000,0000,0000,,SPI flash space completely a valid\Nprevention? Dialogue: 0,0:38:54.75,0:39:01.83,Default,,0000,0000,0000,,A: No I don't know... we could really call\Nit a prevention mechanism. But yeah, if Dialogue: 0,0:39:01.83,0:39:06.71,Default,,0000,0000,0000,,there is not enough free space available\Non the firmware volumes the tool will just fail. Dialogue: 0,0:39:09.28,0:39:10.57,Default,,0000,0000,0000,,Herald: Number two please. Dialogue: 0,0:39:10.96,0:39:17.23,Default,,0000,0000,0000,,Q: Hi. You said that there is no real\Npossibility to secure everything, but what Dialogue: 0,0:39:17.23,0:39:22.73,Default,,0000,0000,0000,,are your daily choices that you use like,\Non your personal computer, to be fully Dialogue: 0,0:39:22.73,0:39:28.27,Default,,0000,0000,0000,,secret?\NA: Well... 
{\i1}laughing{\i0} I could say an Dialogue: 0,0:39:28.27,0:39:33.27,Default,,0000,0000,0000,,alternative platform, but... {\i1}laughter{\i0}\Nbut yeah, if you have Dialogue: 0,0:39:33.27,0:39:37.23,Default,,0000,0000,0000,,a modern Intel CPU and you have Dialogue: 0,0:39:37.23,0:39:43.14,Default,,0000,0000,0000,,Secure Boot enabled and you have, you\Nknow, all of the latest UEFI firmware Dialogue: 0,0:39:43.14,0:39:50.38,Default,,0000,0000,0000,,updates, that's kind of the best you can\Ndo to be safe for... against that kind of Dialogue: 0,0:39:50.38,0:39:52.88,Default,,0000,0000,0000,,attack.\NQ: I have... I have my like this... Dialogue: 0,0:39:52.88,0:39:57.06,Default,,0000,0000,0000,,Herald: Number 1 please.\NQ: So, going back to the LoJack Dialogue: 0,0:39:57.06,0:40:05.90,Default,,0000,0000,0000,,configuration file vulnerability. Is the\Nconfiguration file on the operating system Dialogue: 0,0:40:05.90,0:40:10.22,Default,,0000,0000,0000,,file system?\NA: No no no, the... In fact it's... there is Dialogue: 0,0:40:10.22,0:40:15.66,Default,,0000,0000,0000,,not a separate configuration file, the\Nconfiguration is embedded inside the Dialogue: 0,0:40:15.66,0:40:19.27,Default,,0000,0000,0000,,executable. So it is embedded into\Nrpcnetp.exe. Dialogue: 0,0:40:21.06,0:40:25.68,Default,,0000,0000,0000,,Herald: Unfortunately, we are already out\Nof time. So please thank our speaker Dialogue: 0,0:40:25.68,0:40:26.47,Default,,0000,0000,0000,,again. Dialogue: 0,0:40:26.47,0:40:29.60,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:40:29.60,0:40:34.63,Default,,0000,0000,0000,,{\i1}postroll music{\i0} Dialogue: 0,0:40:34.63,0:40:53.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2019. Join, and help us!