
LoJax detection by Central/EndPoint

Hi,

Does Central / EndPoint detect the malware "LoJax"?

Regards,

Andreas



  • Hello Andreas,

    Please no cross-posts.
    Your question is very short and seemingly simple. But I'm not sure why you ask it.
    With all kinds of malware out there, why LoJax? Because it's in the headlines right now, or because you feel at risk? No scorn intended, but do you know what LoJax is and what it does?

    If malware isn't already installed on a computer it has to get on it somehow. More often than not even the most sophisticated threats need a working supply chain and unless it's a targeted attack security software usually disrupts this chain before the actual malware is about to get downloaded or delivered.

    Christian

  • Hi, LoJax is the first in-BIOS malware in the wild.

    See https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

    Does Sophos search BIOS-rootkits?

    Andreas

    P.S. Yes, I feel at risk.

  • Hello Andreas,

    "the first in-BIOS malware"
    Not generally BIOS but UEFI. I'm neither Sophos nor a security researcher or expert. Just a potential victim.

    It sounds scary, sure, but almost all malware that made it into the headlines sounded scary at that time. "In the wild" is, BTW, not synonymous with epidemic or even pandemic; it's just beyond the POC stage. Basically, the result of LoJax is a piece of software that can communicate with C&C servers, download more malware and make sure it's executed. To gain a foothold is only one step, to take advantage of it another. This is advanced technology not (yet) available to script kids. If I were able to pick the locks of Fort Knox I wouldn't be interested in getting into your house. Remember Stuxnet?

    As said, I'm not Sophos. Sure, it'd be possible to inspect the BIOS, but then, if you find something, this would mean an attacker made it past all defences, and you're likely faced with a dedicated and sophisticated adversary. This will likely change over time: UEFI malware might become more common despite all the proactive security measures, and security software will come up with remediation. Even detection isn't as simple as searching for the string 0xDEFACED, and it takes more than a few hours to develop a reliable scanner.

    Christian

    P.S.: Worried to death is dead as well.
