When traditional remedies such as reformatting the hard drive or reinstalling the operating system fail against a stubborn infection, the problem usually sits lower in the stack than the drive. A recently disclosed set of vulnerabilities, collectively named LogoFAIL, affects the UEFI firmware (still commonly called the BIOS) shipped with a large share of PCs and motherboards. Because the flaws live in the firmware rather than in any operating system, a machine is affected regardless of whether it runs Windows or Linux. To understand why this matters, it helps to cover the fundamentals of firmware-level malware, how LogoFAIL works, how to tell whether a machine is affected, and how to protect it.
The Basics of Firmware Malware.
Firmware-level malware is generally regarded as the most dangerous class of malware. Most end users have a rough idea of how an ordinary virus operates: it is installed into the operating system, or into files that run automatically when the computer starts, and it then performs whatever task it was programmed for, whether stealing data or tracking the user. Viruses also use numerous methods to hide themselves. Rootkits, for example, load early in the operating system's boot sequence and hook the functions an antivirus relies on, so the antivirus may never see them. "Fileless" malware keeps no executable of its own on the drive; instead it runs as a script or an in-memory payload launched alongside the operating system from an autostart location such as a scheduled task or a registry entry. When users cannot remove such a virus, reformatting the hard drive is the last resort, and for malware that lives on the drive it works.
The firmware, however, is not stored on the drive at all. You may have heard of UEFI; it is generally still called the BIOS. It lives on a dedicated flash chip (the SPI flash) soldered to the motherboard, which is why a board can power on and show its setup screen with no drive installed. If the firmware itself is infected, nothing that runs later can reliably detect or remove it: the firmware's code executes before any operating system, driver, or disk is touched. Firmware malware can reinstall malicious files on every startup or start a process that the operating system cannot see, and it survives every reformat and even a drive replacement. LogoFAIL, unfortunately, gives malware a path to exactly that level.
LogoFAIL & How it Works.
When a computer boots, it usually shows a logo, typically the motherboard or system manufacturer's. Many BIOS implementations also let the user replace that logo with an image of their own. Binarly, a firmware security company, found that the image parsers that render these logos (for formats such as BMP, GIF, JPEG, PNG, PCX and TGA) contain numerous memory-corruption bugs, and that this parsing code is shared across the major independent BIOS vendors whose firmware most system makers license, so the same class of flaw shows up across many brands. The takeaway is that an attacker can craft an image file so that, when the firmware parses it during boot, the parser is corrupted into executing attacker-supplied code. That code runs in the firmware's own execution phase (the DXE phase), before the operating system starts. This is especially alarming because Secure Boot is designed to keep unsigned code from running at startup, but it verifies boot loaders and drivers, not image files; the logo is parsed before those checks happen, so an attacker who gains code execution there can disable them and install a persistent bootkit. The chain likely starts when the user unknowingly runs a malicious program, which then swaps in the poisoned logo. There are three main ways to get the image in front of the firmware, and two of them require no physical access to the machine: like any other malware, this can be delivered remotely. Many people argue that the exploit should not be considered alarming because someone would need physical access to the computer. They do not.
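To make the parser problem concrete, here is an added example written for this article; it is not Binarly's proof of concept and not any vendor's code. It is a toy boot-logo renderer in C in the style of a DXE-phase image parser, shown in a vulnerable form and a hardened form. The header layout borrows the field offsets of a BMP header but uses one byte per pixel, the framebuffer and the boot policy byte placed right after it are a constructed stand-in for firmware memory, and the sample images are constructed; all of that is assumption for illustration, not detail from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FB_W     64
#define FB_H     64
#define FB_SIZE  (FB_W * FB_H)
#define HDR_SIZE 54   /* 14-byte file header + 40-byte info header, as in BMP */

/* Constructed stand-in for firmware memory: the logo framebuffer followed
 * by a boot policy byte (1 = enforce Secure Boot signature checks). In real
 * firmware, whatever the allocator placed after the buffer sits there. */
static uint8_t fw_mem[FB_SIZE + 64];
#define SB_FLAG_OFF FB_SIZE

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

void reset_fw_mem(void) { memset(fw_mem, 0, sizeof fw_mem); fw_mem[SB_FLAG_OFF] = 1; }
int  secure_boot_flag(void) { return fw_mem[SB_FLAG_OFF]; }
int  fb_pixel(uint32_t x, uint32_t y) { return fw_mem[y * FB_W + x]; }

/* Build a logo file (constructed sample). Declared dimensions and the actual
 * payload length are separate parameters because an attacker controls both
 * independently. Returns the file length, or 0 if it does not fit in buf. */
size_t build_logo(uint8_t *buf, size_t cap, uint32_t w, uint32_t h,
                  uint8_t fill, size_t pixel_bytes) {
    if (cap < HDR_SIZE + pixel_bytes) return 0;
    memset(buf, 0, HDR_SIZE);
    buf[0] = 'B'; buf[1] = 'M';
    write_le32(buf + 10, HDR_SIZE);   /* offset of pixel data */
    write_le32(buf + 18, w);
    write_le32(buf + 22, h);
    memset(buf + HDR_SIZE, fill, pixel_bytes);
    return HDR_SIZE + pixel_bytes;
}

/* Vulnerable parser: it checks that the *read* stays inside the file but
 * never compares the image to the framebuffer it *writes*, and multiplies
 * two untrusted 32-bit fields without an overflow check. */
int vulnerable_draw_logo(const uint8_t *img, size_t len) {
    if (len < HDR_SIZE || img[0] != 'B' || img[1] != 'M') return -1;
    uint32_t pixoff = read_le32(img + 10);
    uint32_t width  = read_le32(img + 18);
    uint32_t height = read_le32(img + 22);
    uint32_t npix = width * height;              /* BUG: wraps for large dimensions */
    if (pixoff > len || npix > len - pixoff) return -1;
    memcpy(fw_mem, img + pixoff, npix);          /* BUG: npix may exceed FB_SIZE */
    return 0;
}

/* Hardened parser: bound every untrusted field before using it in arithmetic
 * or as a copy length, and copy row by row with the framebuffer's own pitch. */
int hardened_draw_logo(const uint8_t *img, size_t len) {
    if (len < HDR_SIZE || img[0] != 'B' || img[1] != 'M') return -1;
    uint32_t pixoff = read_le32(img + 10);
    uint32_t width  = read_le32(img + 18);
    uint32_t height = read_le32(img + 22);
    if (width == 0 || height == 0 || width > FB_W || height > FB_H) return -1;
    size_t npix = (size_t)width * height;        /* cannot wrap: both bounded above */
    if (pixoff < HDR_SIZE || pixoff > len || npix > len - pixoff) return -1;
    for (uint32_t y = 0; y < height; y++)
        memcpy(fw_mem + (size_t)y * FB_W, img + pixoff + (size_t)y * width, width);
    return 0;
}

/* Scenario 1: an image one row taller than the framebuffer. The extra row of
 * attacker-chosen bytes lands on the policy byte. The sample is sized so this
 * toy overflow stays inside fw_mem; real firmware has no such safety net. */
int scenario_oversized_logo(int (*draw)(const uint8_t *, size_t)) {
    uint8_t file[HDR_SIZE + FB_W * (FB_H + 1)];
    size_t n = build_logo(file, sizeof file, FB_W, FB_H + 1, 0x00, (size_t)FB_W * (FB_H + 1));
    reset_fw_mem();
    return draw(file, n);
}

/* Scenario 2: 65536 x 65536 declared, zero pixel bytes supplied. width*height
 * wraps to 0 in 32 bits, so the vulnerable parser accepts a "0-byte" image; a
 * real decoder that allocated 0 bytes and then looped over the declared rows
 * and columns would write far past that allocation. */
int scenario_wrapped_dimensions(int (*draw)(const uint8_t *, size_t)) {
    uint8_t file[HDR_SIZE];
    size_t n = build_logo(file, sizeof file, 0x10000, 0x10000, 0x00, 0);
    reset_fw_mem();
    return draw(file, n);
}

/* Scenario 3: a well-formed 32 x 16 logo, which the hardened parser accepts. */
int scenario_valid_logo(int (*draw)(const uint8_t *, size_t)) {
    uint8_t file[HDR_SIZE + 32 * 16];
    size_t n = build_logo(file, sizeof file, 32, 16, 0xAB, 32 * 16);
    reset_fw_mem();
    return draw(file, n);
}

int main(void) {
    scenario_oversized_logo(vulnerable_draw_logo);
    printf("vulnerable parser, oversized logo: secure_boot_flag=%d\n", secure_boot_flag());
    scenario_oversized_logo(hardened_draw_logo);
    printf("hardened parser,   oversized logo: secure_boot_flag=%d\n", secure_boot_flag());
    printf("wrapped dimensions: vulnerable rc=%d, hardened rc=%d\n",
           scenario_wrapped_dimensions(vulnerable_draw_logo),
           scenario_wrapped_dimensions(hardened_draw_logo));
    return 0;
}
```

The two bugs in the vulnerable routine are the shape of what a fuzzer finds in real logo parsers: a length that is validated against the input but not against the destination, and a size computed from two attacker-controlled fields whose product can wrap. The policy byte flipping from 1 to 0 is the toy equivalent of an attacker using the corruption to switch off the checks that would otherwise run later in boot.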
EFI Partition.
The first strategy is to place the file in the EFI System Partition (ESP). In addition to the firmware on the motherboard, supplemental boot data lives on the drive in this small, dedicated FAT partition, typically 100 MB to a few hundred megabytes, which holds the boot loaders and configuration that tell the firmware how to start each installed operating system. On some systems the firmware will also read a custom logo from that partition. Malware gains the ability to write there by tricking the user into running it as an administrator or by performing a privilege-escalation attack; no special hardware access is needed. On the next boot the firmware finds the logo, parses it, and the exploit embedded in the image runs the attacker's code. That code can then plant itself directly in the firmware, after which the logo file is no longer needed at all, which is why erasing the drive afterwards resolves nothing. Secure Boot is meant to protect what is loaded from the ESP by checking that boot loaders and drivers carry a valid signature from a trusted key, but it only checks executables; the other files on the partition, including logos, are never verified.
BIOS Update Tools.
The second attack vector is a malicious BIOS update file. Most computers provide a way to update the firmware, often through a vendor tool that takes a firmware update file and applies it from within the running operating system, with no need to boot from external media. In principle this is safe: the existing firmware verifies that the new image carries a valid vendor signature and has not been tampered with, and only then writes it to flash. The problem is that on affected systems the signature does not cover every part of the update file, and the logo is one of the unsigned parts. Malware can therefore take a legitimate update file, leave the signed code untouched, and replace only the unsigned image inside it. The signature still verifies, because the code that was assumed to be the only security-relevant part is unchanged, so the firmware accepts the whole package, poisoned logo included, and parses that logo on the next boot.
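An added example, written for this article and not taken from any vendor's update tool, of why signature coverage is the whole question: a toy update container whose signature spans either the code region only or the entire file, and a verifier that can be told to insist on full coverage. The container format is invented, and a 64-bit FNV-1a digest stands in for the vendor's real signature so that the example runs offline; only the coverage logic is the point.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN 16
#define SIG_LEN 8
#define COVER_CODE_ONLY 0u   /* legacy: signature spans header + code region only */
#define COVER_ALL       1u   /* patched: signature also spans the logo region */

/* 64-bit FNV-1a, used here purely as a stand-in for the vendor's signature. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void write_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void write_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint64_t read_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Invented container: "UPD1" | code_len | logo_len | coverage | code | logo | digest */
size_t build_update(uint8_t *buf, size_t cap, const uint8_t *code, uint32_t code_len,
                    const uint8_t *logo, uint32_t logo_len, uint32_t coverage) {
    size_t body = HDR_LEN + (size_t)code_len + logo_len;
    if (cap < body + SIG_LEN) return 0;
    memcpy(buf, "UPD1", 4);
    write_le32(buf + 4, code_len);
    write_le32(buf + 8, logo_len);
    write_le32(buf + 12, coverage);
    memcpy(buf + HDR_LEN, code, code_len);
    memcpy(buf + HDR_LEN + code_len, logo, logo_len);
    size_t covered = (coverage == COVER_ALL) ? body : HDR_LEN + (size_t)code_len;
    write_le64(buf + body, fnv1a64(buf, covered));
    return body + SIG_LEN;
}

/* Returns 0 when the update is acceptable, -1 when the digest does not match
 * the region it claims to cover, and -2 when the logo region lies outside the
 * covered region and the caller insists that everything the firmware will
 * parse be covered. */
int verify_update(const uint8_t *img, size_t len, int require_full_coverage) {
    if (len < HDR_LEN + SIG_LEN || memcmp(img, "UPD1", 4) != 0) return -1;
    uint32_t code_len = read_le32(img + 4);
    uint32_t logo_len = read_le32(img + 8);
    uint32_t coverage = read_le32(img + 12);
    size_t body = HDR_LEN + (size_t)code_len + logo_len;
    if (body + SIG_LEN != len) return -1;
    size_t covered = (coverage == COVER_ALL) ? body : HDR_LEN + (size_t)code_len;
    if (fnv1a64(img, covered) != read_le64(img + body)) return -1;
    if (require_full_coverage && coverage != COVER_ALL && logo_len > 0) return -2;
    return 0;
}

/* Overwrite the logo region in place, as malware would do to a genuine
 * update file it found on disk or downloaded. */
void tamper_logo(uint8_t *img, uint8_t byte) {
    uint32_t code_len = read_le32(img + 4);
    uint32_t logo_len = read_le32(img + 8);
    memset(img + HDR_LEN + code_len, byte, logo_len);
}

/* Build an update with the given coverage, optionally swap the logo, and
 * verify it under the given policy. Code and logo contents are constructed. */
int scenario(uint32_t coverage, int tamper, int require_full_coverage) {
    static const uint8_t code[] = "DXE drivers (constructed placeholder)";
    static const uint8_t logo[] = "BM benign logo bytes (constructed)";
    uint8_t buf[256];
    size_t n = build_update(buf, sizeof buf, code, sizeof code, logo, sizeof logo, coverage);
    if (tamper) tamper_logo(buf, 0x41);
    return verify_update(buf, n, require_full_coverage);
}

int main(void) {
    printf("code-only signature, logo swapped, legacy verifier: rc=%d (accepted)\n",
           scenario(COVER_CODE_ONLY, 1, 0));
    printf("code-only signature, logo swapped, strict verifier: rc=%d (unsigned logo)\n",
           scenario(COVER_CODE_ONLY, 1, 1));
    printf("full signature,      logo swapped, strict verifier: rc=%d (digest mismatch)\n",
           scenario(COVER_ALL, 1, 1));
    printf("full signature,      untouched,    strict verifier: rc=%d\n",
           scenario(COVER_ALL, 0, 1));
    return 0;
}
```

The first call is the situation the article describes: the digest over the code still matches, so a legacy verifier accepts a package whose logo has been swapped. The fix is not a stronger primitive but a wider one: every region the firmware will later parse has to be inside the signed span, and a verifier should refuse an update format that leaves a parsed region out.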
Physical Chip Flashing.
The third attack vector requires physical access: an SPI flash programmer clipped onto the pins of the firmware chip, used to rewrite the flash contents directly. It is advanced and unlikely for most users, since it means opening the machine and reprogramming the chip, but it remains an option for a determined attacker.
“Am I Vulnerable?”
Apple Silicon Macs and Intel-based Macs are not vulnerable to this exploit. Apple Silicon Macs do not use UEFI at all, and on Intel-based Macs the logo is embedded in a signed region of the firmware image, so it cannot be replaced. Many Dell devices are also not vulnerable because of how Dell uses Intel Boot Guard. Boot Guard is an Intel feature that verifies the firmware against a key fused into the chipset before the firmware is allowed to run; most modern PCs support it, but on most of them the logo lies outside the verified region, so even a system with Boot Guard enabled will still parse an unverified image. Dell's configuration includes the logo in the verified region, which is why the majority of Dell computers are protected. From my understanding, MSI motherboards are also not vulnerable because they do not allow the user to change the logo and the logo is part of the portion signed for Intel Boot Guard; however, I have not found any reputable source confirming this. In any other case, it is safest to assume you are vulnerable. As of my knowledge, there have been no reports of this exploit being used in the wild, but that does not mean it will not be in the future.
How to Protect Yourself.
If your system or motherboard manufacturer has released a BIOS update that patches LogoFAIL, update to that firmware. Most manufacturers that intend to patch their current products have already done so or are expected to by early Q1 2024; older systems may take longer or never receive a fix. Recent BIOS release notes from ASUS and Gigabyte, for example, explicitly list the LogoFAIL fix. When updating, look for a mention of LogoFAIL in the release notes rather than assuming the newest version includes the fix, and after updating confirm that the installed version matches the patched release (the BIOS setup screen shows it, as does "dmidecode -s bios-version" on Linux or "(Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion" in PowerShell on Windows). Remain cautious throughout: a failed or interrupted firmware update can leave the system unbootable, so if you are unsure what you are doing, follow the detailed instructions on the manufacturer's website.