UEFI rootkit
(Also HPP)
UEFI rootkit definition
A UEFI (Unified Extensible Firmware Interface) rootkit is a type of malware that infects the firmware of a computer’s motherboard, specifically targeting the UEFI firmware. UEFI is a replacement for the traditional BIOS (Basic Input/Output System) and provides low-level software that initializes hardware during the boot process and enables communication between the operating system and the hardware components.
After the UEFI rootkit infiltrates the firmware, it gains persistent and stealthy control over the system. Unlike traditional rootkits that infect the operating system, UEFI rootkits reside in a privileged position within the computer’s firmware, making them very difficult to detect and remove.
Once installed, a UEFI rootkit can manipulate the system’s boot process, allowing it to load malicious code even before the operating system starts. This early access level grants the rootkit full control over the compromised system, enabling it to intercept and modify system calls, steal sensitive information, disable security measures, or even install other malicious software.
See also: BIOS rootkit
UEFI rootkit prevention
Protecting against UEFI rootkits requires a multi-layered approach:
- Regular firmware updates. Keep the UEFI firmware updated with the latest patches and security fixes provided by the manufacturer.
- Secure boot. Enable Secure Boot in the UEFI settings, which verifies the digital signature of the firmware, preventing unauthorized modifications.
- Use password protection. Set a strong password for accessing the UEFI settings to prevent unauthorized changes to the firmware.
- System monitoring. Use intrusion detection systems and behavior-based monitoring tools to detect suspicious activity at the firmware level.
- Trusted hardware. Ensure that the hardware components are sourced from reputable providers to minimize the risk of pre-infected firmware.