The spyware Remote Control System (RCS) developed by Hacking Team contained a pre-loaded BIOS rootkit for Unified Extensible Firmware Interface (UEFI) enabling it to be hidden in infected systems.
The invisible infection was revealed after the source code of its malware was leaked companys last week. The Remote Control System (RCS) remained on the infected computers even if the owners formatted them, or even if they completely changed the hard drive.
Although spyware was primarily designed for Insyde BIOS (a popular notebook BIOS), it could work smoothly on AMI BIOS, according to Trend Micro security company.
A leaked Hacking Team PowerPoint reports that initial infection appears to require physical access to targeted systems. But it could be done with other techniques, Trend Micro reports, following a preliminary analysis of the leaked presentation, as well as a hacking team's BIOS rootkit tool.
"A slide show by the Hacking Team claims that a successful infection requires physical access to the target system. However, we can not rule out the possibility of remote installation ", writes Philippe Lin, senior engineer of Trend Micro.
“An attack scenario for example would be: The attacker gains access to computer προορισμού, κάνει reboots στο UEFI shell, πετάει την BIOS, και την εγκαθιστά με το rootkit BIOS, πραγματοποιεί ξανά flash στο BIOS, και στη συνέχεια κάνει μια τελευταία επανεκmovement on the target system.”
EUFI SecureFlash, the BIOS update whenever there is a security update and password setting for the BIOS or UEFI, can be a precaution in this type of attack, according to Trend Micro.
The motherboard firmware is a very attractive target for hackers because it is easy for hack, the infection remains invisible and often impossible to remove.