Rootkits are one of the nastiest malware that hides in the system without any detection and gains unauthorized access over the system to perform a wide range of illegal acts. Good computer usage habit should be enough to protect you against most of the threats. However, if you suspect that your computer is under the control of a rootkit, it’s time to finish it.

Let’s get started with Tiger rootkit scanner.

Installing Tiger

Tiger isn’t a part of the default Linux packages. Run the following command(s) according to your own Linux distro.

• Ubuntu

sudo apt install tiger

• Debian

sudo apt-get install tiger

• Arch Linux

sudo pacman -S git base-devel
git clone https://aur.archlinux.org/tiger.git

cd tiger
makepkg -sri

• Generic Linux instruction

Grab Tiger –

git clone https://git.savannah.nongnu.org/git/tiger.git

Install Tiger –

cd tiger/
sudo ./install.sh

Checking for rootkits

Tiger doesn’t offer much customizability, for example, running the “rootkit scan” only. It will perform all of its tasks on the whole system.

Run Tiger –

sudo tiger

Once the process is complete, it will show the report log location.

Reviewing the Tiger report

Review the Tiger report –

sudo -s
cat /var/log/tiger/security.report.xxx.xxx-xx:xx

What to do if any rootkit found

The report will notify you where the rootkit is present. Depending on the condition, you should perform a clean re-install of your system. This will allow you to have a clear system without any rootkits. Learn more about installing Ubuntu MATE or Ubuntu.

The post Tiger – Rootkit Checker for Linux appeared first on Linux Windows and android Tutorials.

According to ESET, this threat actor integrated the rootkit in the SPI flash module on the target computer. This allows the rootkit persistence over the system even if components like the OS and/or hard drive are replaced. That’s a very powerful ability and dangerous.

The security researchers gave the rootkit a nice name – LoJax. The name came from the malicious samples of the LoJack anti-theft software.

Signed drivers for accessing the firmware

According to the security researchers, there were 3 different types of tools on the victim’s computers where 2 of them gathers the details about the system firmware and creates a copy of the system firmware by reading the SPI flash memory module.

The last one then injects the malicious module inside the gathered firmware copy. Then, the modified copy is flashed to the SPI flash memory. Thus, ultimate persistency for the malware.

For reaching the UEFI settings, all the tools present in the rootkit uses the kernel driver of the RWEverything – a tool giving the power to modify all the settings and firmware of almost ALL the hardware. The driver comes up with a valid certificate and that’s the catch.

According to ESET, the patching tool uses various techniques for abusing the misconfiguration of the system or even bypass the SPI flash memory write protections. If the write operations are denied from the system, then the rootkit exploits a 4-years old race condition vulnerability in UEFI (CVE-2014-8273) for bypassing this defense.

The ultimate target of the rootkit is just dropping the malware into the Windows system and making sure that it integrates in the OS every time the system boots.

Defense against LoJax

Despite using advanced methods, LoJax is easily defendable with the currently available methods. First of all, make sure that you enable “Secure Boot” mechanism. This ensures that everything that’s loaded in the system firmware comes up with a valid certificate. LoJax isn’t signed, so it won’t be able to load due to “Secure Boot”.

Another very crucial thing is to make sure that your motherboard has the latest version of firmware. For upgrading your motherboard firmware, check out the official website of your motherboard vendor. After upgrading to the latest version, the firmware should fix and tighten the protection for the SPI flash memory module.

If your system has the latest firmware, you can reflash the firmware. It involves downloading the latest firmware package from motherboard vendor’s website and applying it again. Different motherboard vendors provide different ways of reflashing/updating the firmware.

LoJax is a threat for high-value targets, so general users shouldn’t be afraid of it just yet. Make sure that you take the necessary steps to tighten your system security and you’re good to go!

Cheers!

The post LoJax – First UEFI Rootkit in the Wild appeared first on Linux Windows and android Tutorials.