UEFI (Unified Extensible Firmware Interface) security has been a hot topic for the past few years, but, due to various limitations, very little UEFI-based malware has been found in the past. After having discovered the first UEFI rootkit in the wild, known as LoJax, ESET specialists set out to build a system that would enable them to explore the vast UEFI landscape in an efficient way while reliably spotting emerging and unknown UEFI threats.
“Finding malware like LoJax is rare – there are millions of UEFI executables in the wild, and only a tiny portion of them are malicious. We have seen over 2.5 million unique UEFI executables, out of a total of 6 billion, over the past two years alone,” explains Filip Mazán, software engineer at ESET, who worked on building the machine learning system.
Starting with the telemetry data gathered by ESET’s UEFI scanner, ESET machine learning specialists and malware researchers devised a custom processing pipeline for UEFI executables that leverages machine learning to detect oddities in the incoming samples. “To reduce the number of samples requiring human attention, we decided to build a system tailored to highlight outlier samples by finding unusual characteristics in UEFI executables,” says Mazán.
As a proof of concept, the researchers tested the resulting system on known suspicious and malicious UEFI executables that were not previously included in the dataset – most notably, the LoJax UEFI driver. The system successfully concluded that the LoJax driver was very dissimilar to anything seen before. “This successful test gives us a degree of confidence that, if another similar UEFI threat emerged, we would be able to identify it as an oddity, promptly analyze it and create a detection system as needed,” comments Mazán.
Besides showing strong capabilities in identifying suspicious UEFI executables, the machine learning approach was found to reduce the workload of ESET analysts by up to 90% (if they were to analyze every incoming sample). Thanks to the fact that each new incoming UEFI executable is added to the dataset, processed, indexed and taken into consideration for the next incoming samples, the solution offers real-time monitoring of the UEFI landscape.
Hunting for UEFI threats using this system, ESET researchers uncovered multiple interesting UEFI components that can be divided into two categories – UEFI firmware backdoors and OS-level persistence modules. “While our UEFI executable processing pipeline has not yet resulted in finding any new UEFI malware, the results it has produced so far are promising,” says Jean-Ian Boutin, senior malware researcher at ESET. The most notable finding is the ASUS backdoor: a UEFI firmware backdoor found in several ASUS laptop models and remediated by ASUS following ESET’s notification.