The New BIOS Hack That Bypasses Every Antivirus

00:00

Imagine a computer virus that you cannot remove even by wiping a hard drive completely or

00:05

removing it all together.

00:07

Surely that can't be possible, right?

00:09

Well, you might want to sit down for this one.

00:11

There is a recently discovered exploit, it was discovered a couple months ago, that your

00:16

computer is very likely to be vulnerable to.

00:18

It's being called LogoFail, and it actually is a collection of several exploits having

00:24

to do with your computer's BIOS firmware.

00:26

To understand what the big deal is, let me give you a quick primer on firmware-level

00:30

malware, which is kind of like the big final boss of malware.

00:34

You see, regular malware and viruses, we kind of all know how they work.

00:38

They usually install themselves and embed themselves in the operating system or in some

00:42

files, that gets autorun when the computer starts up, and then does whatever, tracking

00:47

or stealing.

00:48

If there's different levels of ways these viruses hide themselves, for example, rootkits

00:52

might literally be starting up before anything else in the operating system, so it can't

00:57

really be detected.

00:59

Or fileless malware is another example where it doesn't even have any files themselves

01:04

on the drive, it kind of runs as a script that starts a process along with the operating

01:09

system.

01:10

But at the end of the day, you could wipe the drive and get rid of these.

01:13

But the firmware, which is like embedded code within hardware itself, that is not stored

01:19

on the drive anywhere.

01:20

For example, we've all probably heard of the BIOS.

01:22

These days, it's technically the UEFI, but everyone calls it the BIOS, that's what I'm

01:26

gonna call it.

01:27

Anyway, that is gonna be stored on a physical BIOS chip on the motherboard, and that's why

01:32

it can run even if there's no drive installed on the computer.

01:36

So in cases where the firmware is infected by malware, because that firmware code gets

01:41

loaded before any other software, the operating system, drivers, anything else, then there's

01:46

literally nothing that can stop it.

01:47

It can do anything from reinstalling malicious files onto the drive repeatedly every time

01:53

at boot up, or starting a process that is malicious that the operating system can't

01:59

even see it all, therefore you can never detect it.

02:02

And unfortunately, this LogoFail set of exploits does allow malware to infect the firmware

02:08

itself.

02:09

So first, let me give you a quick overview of how this LogoFail thing works and why it's

02:12

so bad, and then I can go into a bit more details.

02:15

So you know when you boot up your computer, you're usually gonna see a logo of some kind.

02:19

Maybe it's the manufacturer of the motherboard, or if it's a branded computer, you'll see

02:24

the computer manufacturer logo comes up.

02:27

And also, oftentimes, the BIOS may allow a user to actually customize what logo shows

02:32

up, what image does.

02:33

Well turns out, a company called Binarly discovered that the image parsers, which is like the

02:39

bits of software that loads these images, they apparently have lots of exploits, and

02:45

they're used by basically all the BIOS software companies.

02:48

And the big takeaway is that a bad actor could create image files, regular image files, that

02:54

are encoded in such a way that when the bits of software load the image onto the BIOS,

03:02

it can trick it into doing a lot more stuff, including just rewriting the firmware to have

03:07

malicious code in there and doing whatever they want.

03:10

And the reason this is especially bad is because, yes, there are actually technologies, such

03:14

as Secure Boot, that are specifically designed to ensure that BIOS data is not manipulated

03:22

on startup.

03:23

But apparently, they do not usually check the image files, which is how this is allowed

03:29

to get through.

03:30

So what would happen is you'd get infected with malware one way or the other, usually

03:34

the typical way you download a file unknowingly.

03:36

And instead of running a stealer or installing pop-ups or whatever, it will replace the image

03:43

that gets loaded by the BIOS, and then your firmware is hacked.

03:47

And then literally nothing will be able to detect it.

03:49

Before I get into the details though, something else that's vulnerable is your personal data,

03:53

which is where today's sponsor comes in, Aura.

03:55

Sketchy data brokers out there collect and sell your information to scammers, spammers,

04:00

and anyone else who may want to target you.

04:01

I'm talking about your full name, email, home address, health records, your relatives.

04:06

It's all out there.

04:07

But that's where Aura comes in.

04:08

For example, it can show me which data brokers are selling my info, and automatically submit

04:13

opt-out requests for me.

04:14

Cleaning up all this info not only reduces the amount of spam coming my way, but protects

04:19

me from hackers who might leverage this info to try and access my accounts, or even send

04:24

personalized phishing attacks.

04:26

I was even surprised when it showed me that the collected public info out there even included

04:31

what kind of car I drive.

04:32

I was not expecting that.

04:34

But Aura also has a ton of other features, such as antivirus, a VPN, password management,

04:39

parental controls, even identity theft insurance, all in one place, instead of needing a bunch

04:44

of separate apps.

04:45

And even if you have one or two of these tools already, you could be still leaving doors

04:48

open to bad actors.

04:50

But Aura is always on, so you can have peace of mind and focus on the other important stuff.

04:55

To get started and protect your info, you can go to Aura.com/ThioJoe to start your two-week

05:00

free trial.

05:01

Link is also in the description.

05:03

And with all that being said, let's continue.

05:05

So in terms of more details about how the malware actually replaces the logo file, there's

05:10

three main attack vectors that they could choose to use.

05:13

And importantly, for two of these, it does not require the attacker to have physical

05:18

access to your computer.

05:20

It can be remotely hacked, like any other virus.

05:23

So I've seen people say, "Oh well don't worry, they have to have physical access to your

05:26

computer."

05:27

No, they do not.

05:28

The first strategy they can use is to replace the file in the so-called EFI System Partition.

05:33

You see, these days, the UEFI, which is basically like an advanced version of the old BIOS,

05:38

but people still call it the BIOS.

05:40

Anyway, in addition to having the firmware, which boots up and can do stuff, they also

05:45

usually load supplemental data onto the hard drive in a special EFI partition.

05:52

It's very small, about a hundred megabytes.

05:54

And this will contain info about how to boot individual operating systems.

05:59

So if you have a multi-boot system, usually it's all going to be stored in one place.

06:03

And this EFI partition will have stuff like the boot loaders for the operating systems,

06:08

but may also contain those logos.

06:10

So what happens is you get some kind of malware that infects your computer, and either by

06:15

tricking you into running it as admin, or it does a privilege escalation attack, it

06:21

gets the ability to simply write the malicious image file to this EFI partition.

06:27

So it's literally just a matter of copying a file over.

06:30

So what happens is the BIOS on startup will see that logo and load it, and try to display

06:37

it, but it has that malicious code, and then it'll manipulate the BIOS firmware, so it

06:42

doesn't even need that logo again to run.

06:46

It'll already be embedded in the firmware, and that's why if you erase the drive, it

06:50

doesn't help anymore.

06:51

Now, typically this EFI system partition is protected by something like Secure Boot.

06:56

That's what it does.

06:57

It makes sure that none of these files are manipulated, different than the officially

07:01

signed versions.

07:02

But apparently it turns out that there are sections of the EFI partition that are not

07:08

checked.

07:09

They're part of unsigned blocks.

07:10

So it doesn't check everything.

07:11

Apparently the logo is part of that oftentimes.

07:14

Next, the second attack vector would be through a malicious BIOS update file.

07:19

So usually a computer is going to have a way where the user can update a BIOS file one

07:25

way or another.

07:26

And sometimes this even includes a tool that allows you to take a firmware update file,

07:33

and run it from within the operating system.

07:35

As it's already running, you don't even have to reboot, and it'll update the firmware directly

07:39

from within the OS.

07:40

And usually this isn't really a problem security-wise, because the existing BIOS will check that

07:45

the new BIOS file is signed correctly, and hasn't been tampered with, and then only will

07:51

it install.

07:52

But again, apparently part of these files are not actually checked, and don't have to

07:56

be signed, including a logo file.

07:59

So what malware could do is take a legitimate BIOS update file, and replace the part that

08:06

doesn't get checked, and replace that image file only in that part.

08:10

So the actual code part, which used to be assumed to be the only part that matters security-wise,

08:17

it won't be changed, and the BIOS will load everything from that file, including the image,

08:22

and then that's when it'll get infected.

08:24

Now there is a third attack vector that does actually require using physical access.

08:30

And in that case, we'd use something called a SPI Flash Programmer, where you literally

08:34

connect pins and stuff.

08:36

That is pretty advanced.

08:37

In that case, you'd go directly to the hardware level and replace the file in there.

08:42

That's probably not going to happen usually.

08:44

And if someone has physical access to your computer, you're kind of screwed anyway.

08:47

But it is an option nonetheless.

08:49

Now I'm sure at this point most of you are wondering how you can tell if your computer

08:52

is vulnerable, and what you can do to protect yourself.

08:55

And first of all, it's probably easier to go over who is not vulnerable.

08:59

First of all, Macs are not vulnerable.

09:02

Even Intel-based Macs are not.

09:03

That's because the Apple Silicon Macs don't use UEFI at all, and the Intel-based Macs

09:10

have the image hard-coded in such a way that there is a check including on the image, so

09:15

you can't replace it.

09:16

Next, there are some Dell devices that are apparently not vulnerable because they use

09:20

an additional type of technology, not Secure Boot, but it's called Intel Boot Guard.

09:25

Which actually is supported on most computers, but Dell has it configured in a special way

09:31

where it also checks the image portion, whereas for a lot of computers, even if it does have

09:38

Intel Boot Guard, they don't check the image.

09:40

So apparently a lot of Dell computers are safe because it is covering the image.

09:45

Next, from what I've read, MSI motherboards are also not vulnerable because they don't

09:49

allow the user to change the logo, and the logo is included as part of the signed block

09:56

of Intel Boot Guard.

09:57

Although I haven't been able to find any official confirmation from MSI about this.

10:02

And then again, MSI did have their Intel Boot Guard hardware keys leaked last year.

10:07

So I mean, it's still better than nothing I guess.

10:10

In any other cases besides those though, it is probably good to assume that you are vulnerable.

10:15

The good news is that as far as I know and have read, there haven't been any instances

10:21

of this being actively used yet, but that doesn't mean that it won't be.

10:25

And as for how to protect yourself, well, really the only true solution is to update

10:30

your BIOS to the latest firmware, assuming that your system manufacturer created a BIOS

10:35

update to cover this.

10:37

By now, most motherboard and system manufacturers should have released a BIOS update if they

10:44

were going to on more recent software.

10:46

They said typically by early Q1 2024.

10:49

Though again, for older systems, they might take longer if they're going to do it at all.

10:53

For example, if you look at recent BIOS updates from ASUS and Gigabyte, they specifically

10:59

mention these BIOS updates as patching the LogoFail exploit.

11:03

So that's something you would want to look for for your system.

11:06

Although you always do have to be cautious when updating the BIOS, if you screw it up

11:11

like turning off the computer in the middle of it, it could really mess up your system.

11:16

So if you really don't know what you're doing, maybe just look on the manufacturer's website,

11:20

see if they have any detailed instructions on how to do it, or maybe ask one of your

11:25

friends who's good with computers to do it.

11:27

It's not super tough, but it's just that if it does go wrong, it can go really wrong.

11:32

So yeah, it's pretty scary and especially that not a lot of people probably know about

11:36

this, but at least now you do and you can potentially address it.

11:39

So I would be curious to know what you guys think.

11:41

Are you going to bother updating the BIOS or just take the risk?

11:44

We can just talk about that down in the comments.

11:46

Thanks again to Aura for sponsoring this video.

11:49

If you want to protect your data and take advantage of all the other features it has,

11:52

go to Aura.com/ThioJoe for a two-week free trial, link in the description.

11:57

So if you enjoyed this video, be sure to give it a big giant thumbs up for the YouTube algorithm.

12:00

And if you want to keep watching, I made a video recently about some very tricky malware

12:04

techniques hackers are using to even target programmers and Linux users.

12:08

Usually you think they're pretty safe, but no.

12:11

So I'll put that link right there you can click on.

12:12

Thanks so much for watching and I'll see you in the next one.