Black Lotus Bootkit

As far as I understood it, it runs from the UEFI partition, which happens before any OS is loaded. But the actual payload appears to be specific to Windows. It could theoretically be coded for FreeBSD too.
 
Old BIOS machines are not affected. That's why I hate new and "modern" technologies. All my PCs are 15-20 years old. Yes. I'm a caveman :)
EFI is already 18 years old.
It may not be vulnerable to this malware, but there's certainly other malware that can infect the BIOS.
Exactly. There's not even a difference in how difficult it can be, since the implementations are quite similar.
 
elgrande thanks for the link. Interesting stuff.

As always, I go to "how does it initially get installed on the target system?" The article says "...starts with the execution of the installer"
How? Malicious content on a web page? A user opening an email with a PDF "Invoice for services" or "Your bank account has been compromised, hit this link to correct"?

Does Windows automatically mount the UEFI partition, always? I've seen *nix systems that by default do not mount it, but if a user needs to actually update it, they are told to mount it.
 
> elgrande thanks for the link. Interesting stuff.
>
> As always, I go to "how does it initially get installed on the target system?" The article says "...starts with the execution of the installer"
> How? Malicious content on a web page? A user opening an email with a PDF "Invoice for services" or "Your bank account has been compromised, hit this link to correct"?
>
> Does Windows automatically mount the UEFI partition, always? I've seen *nix systems that by default do not mount it, but if a user needs to actually update it, they are told to mount it.
Yeah, that part is not really well described, or fortunately there is no special attack vector for the installer yet. I guess they may also try to access a company's O365 admin center and "roll out" the installer to the clients.
 
As for the UEFI partition, judging by all that has been done here, I guess the bootkit installer is going to find a way to write to the EFI partition once it is admin.
 
It's been a while since I dug into UEFI Secure Boot stuff, but I think the key somehow is the MOK (machine owner key). What stuck in my mind is that this MOK is something Microsoft has its hands on. They "sign" it to be accepted by Secure Boot. The MOK itself "authenticates" a bootloader. For Black Lotus they seem to have obtained a valid MOK for their replacement bootloader (which replaces the original Windows one). It sounded to me like they achieved this by an equivalent of a hash collision, but only for signatures (which is the most scary part imho).

Disclaimer: I for sure did not use all the technically correct terms here; I hope I could describe how I believe this works.
 
> elgrande thanks for the link. Interesting stuff.
>
> As always, I go to "how does it initially get installed on the target system?" The article says "...starts with the execution of the installer"
That was strange to me, too. But it says the first thing the installer needs to do is elevate its privileges to "admin" by executing a certain system call.

> How? Malicious content on a web page? A user opening an email with a PDF "Invoice for services" or "Your bank account has been compromised, hit this link to correct"?
Probably.
And probably it could then elevate via the unfixed security flaw in the X server which I have been watching for two months already with nothing happening? (No idea, just evil guessing...)

> It's been a while since I dug into UEFI Secure Boot stuff, but I think the key somehow is the MOK (machine owner key). What stuck in my mind is that this MOK is something Microsoft has its hands on. They "sign" it to be accepted by Secure Boot. The MOK itself "authenticates" a bootloader. For Black Lotus they seem to have obtained a valid MOK for their replacement bootloader (which replaces the original Windows one). It sounded to me like they achieved this by an equivalent of a hash collision, but only for signatures (which is the most scary part imho).

What I understood is that there is a known breach in UEFI Secure Boot that was fixed a year ago. But the old flawed boot loaders cannot be revoked because lots of people are still using them. So it is still possible to boot with such a flawed loader, and that is what they're doing.
 
PMc, but why would they have to revoke all of them in order to only revoke the Black Lotus one?
And how could they even revoke remotely from the UEFI devices?
 
> PMc, but why would they have to revoke all of them in order to only revoke the Black Lotus one?
> And how could they even revoke remotely from the UEFI devices?
It's not "the Black Lotus one". The installer downloads the bootloader directly from Microsoft - at least that is what is described in your link:
> In online versions, Windows binaries are downloaded directly from the Microsoft symbol store.

As far as I understand it, this is all about that UEFI security where people are not allowed to boot anything that is not signed by Microsoft, and therefore consider themselves safe.
But since such a machine can never boot FreeBSD, this whole thing is of no interest to me anyway. (But for these people we are evil because we are free to modify our OS.)

Apparently this is what the uproar is about: that these people have given up their freedom (and are paying money for that), and now have to discover that they didn't get safety in return.

The whole thing isn't intelligible to me in any other way - because the other question: <how in hell can the damn thing install itself in the UEFI partition to begin with?> gets grossly neglected. I mean, if somebody can do unsolicited installs on my machine, I would consider it compromised right away.

The other funny thing is that it needs a reboot to engage. In my shop machines do not reboot - and if one does, that is an issue and will be analyzed (and fixed).
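On the two questions raised in the thread (does Windows mount the EFI partition, and how an installer that is already admin gets to write there), here is an added example that is not from the thread or the linked article. On Windows the EFI System Partition (ESP) normally has no drive letter, but any elevated shell can attach one with `mountvol /S`, which is all an installer running as admin needs; the same commands double as a quick check of what is sitting in the ESP. The drive letter `S:` is an assumption, and the snippet must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original thread). Assumes S: is a free drive
# letter and that the session is elevated; mountvol /S refuses otherwise.
$esp = 'S:'
mountvol $esp /S
try {
    # Everything under EFI\ on the system partition, newest files first.
    # Files that do not belong to EFI\Microsoft\Boot or your vendor's
    # directory deserve a closer look.
    Get-ChildItem -Path "$esp\EFI" -Recurse -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime

    # Authenticode status and version of the Windows boot manager. A valid
    # Microsoft signature alone proves little here: an older, still-signed
    # bootmgfw.efi is exactly what the thread describes, so compare the file
    # version against the one your current Windows build ships.
    $bootmgr = "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
    Get-AuthenticodeSignature -FilePath $bootmgr |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
    (Get-Item $bootmgr).VersionInfo |
        Select-Object FileVersion, ProductVersion
} finally {
    # Always detach the letter again so the ESP is not left exposed.
    mountvol $esp /D
}
```

The point of the check is the contrast the thread keeps circling back to: the signature check answers "is this binary signed by Microsoft?", while the version comparison answers "is this the binary that should be here?", and only the second one distinguishes a downgraded-but-validly-signed boot manager from the current one.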
 
Yes, you are absolutely right. That's it. New technology is absolute crap. With rare exceptions. I'm not going to play by the rules imposed by the capitalists.
I guess money is the root of all evil in each political system.
That‘s why the „free“ in FreeBSD has two meanings.
 
Have you heard about Coreboot or Libreboot?

> Yes, you are absolutely right. That's it. New technology is absolute crap. With rare exceptions. I'm not going to play by the rules imposed by the capitalists.
I think innovation is important because without innovation we would be living in the Stone Age.
 