FYI - New BIOS rootkit in wild

First…
Don’t get too excited.
It isn’t widely found and it’s extremely difficult to create.
And therefore, to date the only hardware that’s been found affected is a very specific BIOS/firmware that was compromised many years ago, so it can be assumed at this time that because the malware is so difficult to write, the only reason why the current example in the wild exists is that the creator didn’t have to write the compromise itself… only how the malware is installed.

But,
It is noteworthy as only the second instance known to exist that compromises the UEFI/BIOS in a way that can’t be addressed.
You can detect the compromise, but you can’t prevent it.

https://arstechnica.com/information-technology/2020/10/custom-made-uefi-bootkit-found-lurking-in-the-wild/

TSU
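On the point above that the compromise can be detected, the usual check is to dump the SPI flash and compare the inventory of firmware modules against a known-good dump of the same board and firmware version: a module added to or replaced in the image shows up as a file GUID the baseline does not have. The script below is an added example, not code from this thread or from Kaspersky or Ars Technica. It walks a UEFI firmware volume by the PI-spec layout (the `_FVH` signature at offset 40 of the volume header, 24-byte FFS file headers, 8-byte file alignment) and diffs the file GUIDs against a baseline. The firmware volume it parses, the driver GUIDs, the file bodies and the baseline are all constructed in the script so it runs offline; none of them are real vendor or implant identifiers.

```python
"""Inventory the FFS files in a UEFI firmware volume and diff them against a
known-good baseline.  Added example, not code from the forum thread or from
Kaspersky; the volume, the GUIDs and the baseline below are constructed."""
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FV_HEADER_LEN = 72          # 56-byte fixed header + one block-map entry + terminator
FFS_HEADER_LEN = 24
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FV_FILETYPE_DRIVER = 0x07
FV_FILETYPE_PAD = 0xF0
BLOCK_SIZE = 4096

# Constructed placeholder module GUIDs and bodies; they stand in for whatever a
# vendor image really contains and are not real vendor or implant identifiers.
VENDOR_DRIVERS = {
    "0f5a3b1c-1111-4a2b-9c3d-0a0a0a0a0a01": b"vendor platform init DXE",
    "0f5a3b1c-1111-4a2b-9c3d-0a0a0a0a0a02": b"vendor setup browser DXE",
}
EXTRA_DRIVER = {"deadbeef-2222-4c4d-8e8f-0b0b0b0b0b0b": b"unknown DXE driver"}


def build_ffs_file(name: uuid.UUID, ftype: int, body: bytes) -> bytes:
    """One EFI_FFS_FILE_HEADER plus body, padded to the 8-byte file alignment."""
    size = FFS_HEADER_LEN + len(body)
    # Header with IntegrityCheck and State zeroed, then fix up the 8-bit header checksum.
    hdr = bytearray(name.bytes_le + struct.pack("<HBB", 0, ftype, 0)
                    + size.to_bytes(3, "little") + b"\x00")
    hdr[16] = (-sum(hdr)) & 0xFF   # IntegrityCheck.Header: header bytes sum to zero
    hdr[17] = 0xAA                 # IntegrityCheck.File: fixed value, no FFS_ATTRIB_CHECKSUM
    hdr[23] = 0xF8                 # State: DATA_VALID with erase polarity 1
    data = bytes(hdr) + body
    return data + b"\xff" * ((-len(data)) % 8)


def build_image(drivers: dict) -> bytes:
    """A single FFS2 firmware volume holding the given driver files (constructed test data)."""
    files = b"".join(build_ffs_file(uuid.UUID(g), FV_FILETYPE_DRIVER, b) for g, b in drivers.items())
    fv_len = -(-(FV_HEADER_LEN + len(files)) // BLOCK_SIZE) * BLOCK_SIZE   # whole erase blocks
    hdr = bytearray(b"\x00" * 16 + FFS2_GUID.bytes_le
                    + struct.pack("<Q4sIHHHBB", fv_len, FV_SIGNATURE, 0x0004FEFF,  # attrs incl. ERASE_POLARITY
                                  FV_HEADER_LEN, 0, 0, 0, 2)
                    + struct.pack("<IIII", fv_len // BLOCK_SIZE, BLOCK_SIZE, 0, 0))  # block map + terminator
    struct.pack_into("<H", hdr, 50, (-sum(struct.unpack("<36H", hdr))) & 0xFFFF)  # 16-bit header checksum
    return bytes(hdr) + files + b"\xff" * (fv_len - FV_HEADER_LEN - len(files))   # erased tail


def list_fv_files(image: bytes) -> dict:
    """Return {GUID string: file type} for every FFS file in every volume found in the image."""
    found, search = {}, 0
    while (sig := image.find(FV_SIGNATURE, search)) >= 0:
        search = sig + 4
        fv_start = sig - 40                       # Signature sits at offset 40 of the FV header
        if fv_start < 0:
            continue
        fv_len, = struct.unpack_from("<Q", image, fv_start + 32)
        hdr_len, = struct.unpack_from("<H", image, fv_start + 48)
        fv_end = fv_start + fv_len
        if not (56 <= hdr_len <= fv_len and fv_end <= len(image)):
            continue                              # not a plausible header; keep scanning
        pos = fv_start + hdr_len
        while pos + FFS_HEADER_LEN <= fv_end:
            hdr = image[pos:pos + FFS_HEADER_LEN]
            if hdr[:16] == b"\xff" * 16:
                break                             # erased flash: no more files in this volume
            size = int.from_bytes(hdr[20:23], "little")
            if size < FFS_HEADER_LEN or pos + size > fv_end:
                break                             # corrupt header; stop rather than loop
            if hdr[18] != FV_FILETYPE_PAD:
                found[str(uuid.UUID(bytes_le=hdr[:16]))] = hdr[18]
            pos = fv_start + ((pos + size - fv_start + 7) & ~7)   # next 8-byte boundary
        search = fv_end
    return found


def diff_against_baseline(found: dict, baseline: dict) -> dict:
    return {"unexpected": sorted(set(found) - set(baseline)),
            "missing": sorted(set(baseline) - set(found))}


def audit(dump: bytes, baseline_dump: bytes) -> dict:
    """Compare a fresh SPI dump with a known-good dump of the same board and firmware version."""
    return diff_against_baseline(list_fv_files(dump), list_fv_files(baseline_dump))


if __name__ == "__main__":
    clean = build_image(VENDOR_DRIVERS)
    suspect = build_image({**VENDOR_DRIVERS, **EXTRA_DRIVER})
    print(audit(suspect, clean))
```

On a real machine the inputs would be flash dumps rather than the constructed volume, for example `flashrom -p internal -r dump.bin` on the suspect box and the same on a clean board or the vendor's update image as the baseline. Two caveats a practitioner should keep in mind: firmware that is already subverted can misreport what software reads back from the flash, so a dump taken with an external SPI programmer is the one to trust, and an implant can also replace an existing module in place, which keeps the GUID set identical; hashing each file body against the baseline catches that case, while this script only reports added and missing GUIDs.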

@tsu2:

Which is why I prefer to choose Mainboards which don’t need Redmond to update the UEFI/BIOS …

  • I got caught out by a Lenovo G505s Laptop – it needs Windows to update the UEFI/BIOS …

My preferred Mainboards have the ability to update the UEFI/BIOS via an image written by me to a USB stick.

  • My newest Mainboard has a built-in network stack which may, or may not, be advantageous – by default, the network stack is disabled, which may well be helpful …

@decrtisfa,
Your avoidance of MSWindows would work only because it’s a current minor weakness in the author’s design, in this case likely because its victims are very specific (diplomats the PRC consider “opposition” running on MSWindows).

Don’t be misled by the use of a Windows executable in a Windows Startup folder,
When I described how difficult it would be to re-write this exploit to affect other hardware, the idea of using a Windows executable and getting that executable to be activated on bootup is not what I was referring to…
Porting the executable to something that would execute on Linux is likely trivial, and figuring out a way for it to execute on bootup in a Linux machine even more so compared to today’s Windows 10 (if permission restrictions aren’t a problem on Windows, I doubt they would be a serious issue if the hacker wanted to target Linux).

TSU

@tsu2:

Reading the Ars Technica article, the following was mentioned:

That leaves company researchers to speculate that the attackers who installed the malicious firmware had physical access.

And:

With the USB key and a few minutes alone with a targeted computer, an attacker could start it up, configure it to boot from the USB key, and allow it to work its magic.

Meaning:

  • Either the USB device was able to access the UEFI/BIOS directly or;
  • The attacker entered the UEFI/BIOS and applied the UEFI image on the USB device by means of the update mechanism built into the UEFI/BIOS itself …

In both cases, if the UEFI/BIOS is set up with password protection, the chances of the 2nd case being successful are few and far between and;

  • For the 1st case, depending on the UEFI/BIOS implementation, there is an implementation dependent chance that it’ll also fail to be successful.

Bottom line:

  • For the case of mobile devices such as Laptops, always protect the UEFI/BIOS with a strong password

You’re focusing on the part of the article that describes what Kaspersky Labs doesn’t know, and is speculating.
I don’t know how their software works, so I don’t know for sure how reliable their logs are to be confident the files necessary to execute a firmware update remotely didn’t happen… or downloaded a file that could be used to do the firmware update. Logs typically can only show so much or might not show enough because the more details are collected the more load is placed on the machine.
One thing this part of the article does showcase though is the lack of security for MSWindows USB ports by default… It’s possible to apply a more secure policy or glue those ports so they’re unusable.

There’s a lot in this part of the article that might contain blind spots.

But,
Getting back to my last post…
I had suggested that the only reason why the attack victimized MSWindows is that the target victims were running Windows, and that there is little that’s required to easily adapt the attack against other OS including Linux…
All which is a bit off-track when talking about whether physical access is required to execute the attack.

TSU

Natalya and Eugene Kaspersky are Russian mathematicians specialised in cryptography who founded Kaspersky Labs – you can find Bruce Schneier’s articles (on my Browser, 3 pages) related to Kaspersky here: <https://www.schneier.com/tag/kaspersky/>.

  • Yes, their biography leads to a certain amount of mistrust in those countries who fear Russia but, the renown and abilities of Russian mathematicians are well known and often respected …
  • And, they’ve openly admitted that they cooperate with the Russian, US American, Brazilian and European secret services in the area of computer security and cyber-criminality …

BTW, the Kaspersky anti-virus products have been my personal choice for the protection of Redmond and Android machines for the last 15 years …

I personally agree that Kaspersky products have been quite good, and the AV fairly consistently ranks in the top 3 in most evaluations.

I also note that the Russian government spy services have leaned heavily on Kaspersky which has been publicly resisted.
I also note that it was a Kaspersky product that was compromised by a Russian spy service that enabled them to primarily eavesdrop but also plant malware… all observed by the CIA. This was revealed by the CIA dump on Wikileaks a few years ago (it’s still all there in public view for anyone to look it up).

So,
I still believe that Kaspersky Labs is itself a reputable company, but it’s also under really heavy pressure by Russian hackers funded by the state.

TSU

Eugene graduated as an engineering mathematician from the KGB University – he also studied cryptography and computer science …