- Feb 4, 2016
A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since 2012.
Bootkits are malicious code planted in the firmware (sometimes targeting UEFI) invisible to security software that runs within the operating system since the malware is designed to load before everything else, in the initial stage of the booting sequence.
They provide threat actors with persistence and control over an operating systems' boot process, making it possible to sabotage OS defenses bypassing the Secure Boot mechanism if the system boot security mode is not properly configured. Enabling 'thorough boot' or 'full boot' mode would block such malware as the NSA explains).
Persistence on the EFI System PartitionThe bootkit, dubbed ESPecter by ESET researchers who found it, achieves persistence on the EFI System Partition (ESP) of compromised devices by loading its own unsigned driver to bypass Windows Driver Signature Enforcement.