A rootkit used by Hacking Team survives even hard disk scrubbing and hard disk replacement.
It has been an interesting few weeks for the security scene. A treasure trove of data belonging to Milan-based Hacking Team, which provides surveillance tools and spyware to government agencies and law enforcement globally, was exposed in a recent cyberattack; the resulting 400GB corporate data leak, posted online, has blown apart the firm's operations.
While the CEO of Hacking Team David Vincenzetti spoke out against the cyberattack, claiming his company was misunderstood and "they are the good guys," a number of security firms may beg to differ.
The 400GB cache is being rapidly assessed by researchers as it contains source code and proof-of-concept exploits of previously unknown zero-day vulnerabilities which could be used to spy upon victims and hijack their machines.
The use of this type of rootkit means that even if the victim formats the infected machine's hard drive, fits a new drive or reinstalls the Windows operating system, the tools are implanted once again and resume their tasks.
The rootkit has primarily been designed for Insyde BIOS, a popular BIOS vendor for laptops. However, Trend Micro speculates that the code is likely to work on AMI BIOS as well.
A slideshow produced by Hacking Team and available to view through leaked emails claims that infection requires physical access to the target machine. If an attacker gains access to the machine, they must reboot the system into the UEFI shell, dump the BIOS, install the rootkit, reflash the BIOS and then reboot once more to complete installation. Files have to be copied from an external source, such as a USB key loaded with the UEFI shell.
As explained by the researchers:
"Three modules are first copied from an external source [..] to a file volume (FV) in the modified UEFI BIOS. Ntfs.mod allows UEFI BIOS to read/write NTFS files. Rkloader.mod then hooks the UEFI event and calls the dropper function when the system boots.
The filedropper.mod contains the actual agents, which have the file names scout.exe and soldier.exe. This means that when the BIOS rootkit is installed, the existence of the agents is checked each time the system is rebooted."
If the agent does not exist, the scout.exe agent is reinstalled.
A tall order, but once the rootkit is in place -- with or without the technical support provided by Hacking Team -- standard scrubbing methods and even replacing the hard drive simply won't work.
While the materials say physical access is needed, Trend Micro's researchers "cannot rule out the possibility of remote installation." The company recommends that users set up BIOS passwords, enable UEFI SecureFlash and update the BIOS when security patches are available to limit the risk of infection.
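For a defender who has dumped a machine's SPI flash, one quick triage step is to walk the image's firmware volumes and look for the module and agent names the researchers describe. The script below is an added example, not Trend Micro's or Hacking Team's code; the firmware image is constructed inline, and a real investigation would still compare the dump against the vendor's known-good BIOS image rather than rely on name matching alone.

```python
"""Heuristic scan of a UEFI firmware dump for the module and agent names
attributed to the Hacking Team BIOS rootkit. Added example with constructed data."""
import struct

# Names quoted in the article. UEFI stores a file's UI name as UTF-16LE, while
# embedded Windows agent names may appear as plain ASCII, so both are matched.
SUSPICIOUS = ["ntfs.mod", "rkloader.mod", "filedropper.mod", "scout.exe", "soldier.exe"]

FV_SIGNATURE = b"_FVH"          # firmware volume header signature, at offset 40
FV_HEADER_LEN = 56              # size of EFI_FIRMWARE_VOLUME_HEADER

def find_firmware_volumes(image: bytes):
    """Yield (offset, length) of each firmware volume whose header looks sane."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40
        if start >= 0:
            fv_len = struct.unpack_from("<Q", image, start + 32)[0]   # FvLength field
            if FV_HEADER_LEN <= fv_len <= len(image) - start:          # reject bogus sizes
                yield start, fv_len
        pos = image.find(FV_SIGNATURE, pos + 1)

def scan_image(image: bytes):
    """Return {fv_offset: [names found]} for volumes containing suspicious names."""
    hits = {}
    for start, length in find_firmware_volumes(image):
        region = image[start:start + length]
        found = [name for name in SUSPICIOUS
                 if name.encode("ascii") in region.lower()
                 or name.encode("utf-16-le") in region]
        if found:
            hits[start] = found
    return hits

def make_fv(payload: bytes) -> bytes:
    """Build a minimal firmware volume around payload (constructed test data)."""
    length = FV_HEADER_LEN + len(payload)
    header = b"\x00" * 16 + b"\x00" * 16 + struct.pack("<Q", length) + FV_SIGNATURE
    header += struct.pack("<IHHHBB", 0, FV_HEADER_LEN, 0, 0, 0, 2)  # attrs..revision
    return header + payload

# Constructed image: padding, a clean volume, then one carrying rootkit-like names.
CLEAN_FV = make_fv(b"\x00" * 64 + "Setup".encode("utf-16-le") + b"\x00" * 64)
TAINTED_FV = make_fv(b"\x00" * 32 + "rkloader.mod".encode("utf-16-le")
                     + b"scout.exe" + b"\x00" * 32)
SAMPLE_IMAGE = b"\xff" * 128 + CLEAN_FV + TAINTED_FV

if __name__ == "__main__":
    for off, names in scan_image(SAMPLE_IMAGE).items():
        print(f"FV at 0x{off:x}: {', '.join(names)}")
```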