The spyware Remote Control System (RCS) developed by Hacking Team contained a pre-loaded BIOS rootkit for Unified Extensible Firmware Interface (UEFI) enabling it to be hidden in infected systems.
The invisible infection was revealed after it was leaked source code of the company's malware last week. The Remote Control System (RCS) remained on the infected computers even if the owners formatted them, or even if they completely changed the hard drive.
Although the spyware was primarily designed for Insyde BIOS (a popular laptop BIOS) it could also run on AMI BIOS without problems, according to the security firm Trend Micro.
A leaked Hacking Team PowerPoint reports that initial infection appears to require physical access to targeted systems. But it could be done with other techniques, Trend Micro reports, following a preliminary analysis of the leaked presentation, as well as a hacking team's BIOS rootkit tool.
"A slide show by the Hacking Team claims that a successful infection requires physical access to the target system. However, we can not rule out the possibility of remote installation ", writes Philippe Lin, senior engineer of Trend Micro.
“An attack scenario for example would be: The attacker gains access to computer target, reboots into the UEFI shell, dumps the BIOS, and installs it with the BIOS rootkit, re-flashes the BIOS, and then does a final reboot on the target system.”
Precautions in this kind of attacks can offer UEFI SecureFlash, updating the BIOS whenever a security update is available, and setting a BIOS or UEFI password, Trend Micro reports.
The motherboard firmware is a very attractive target for hackers because it is easy for hack, the infection remains invisible and often impossible to remove.
