BlackLotus Eats Secure Boot For Breakfast And Likes It

Source: Ars Technica BlackLotus Eats Secure Boot For Breakfast And Likes It

How To Own A Computer In Just 80kb

BlackLotus was in the news last year, after some oddities were detected and submitted to VirusTotal.  Those initial detections and further suspicious activity reported to ESET  suggested that this was something new.  The infection seemed exceptionally resilient, surviving reimaging, hard drive replacements and evading UEFI Secure Boot.  It took the experts some time to unravel BlackLotus and determine exactly what is was doing, but they have finally succeeded and the news is not good.

BlackLotus infects your motherboard’s UEFI, more specifically the EFI System Partition which is not protected by the same security features that are found on the SPI chip which you update every time you flash to a new BIOS.  That allows the infection to load before Secure Boot or any of the other security features on your hardware can, which gives it time to pull a nasty trick.   The malware registers it’s own machine owner key as valid, in combination with a shim loader signed by various Linux distributors.   At that point, every reboot fires up the bootkit ensuring the attackers are still able to load in any infections which your antivirus manages to remove.

That is the real use of BlackLotus, the ability to render a machine permanently vulnerable to other malware attacks by granting admin access to processes in order to leverage any other system vulnerabilities present on your system.   There is nothing you can do to remove it if you have been infected, short of tossing your motherboard.  However, keeping your system up to date with patches will limit secondary infections which will protect against the secondary infections which BlackLotus tries to load onto your system.

If you want to terrify yourself, read the full story at Ars Technica where they delve into the technical aspects of this fresh hell.

While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence. Until now.

Video News

About The Author

Jeremy Hellstrom

Call it,, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest Podcasts

Archive & Timeline

Previous 12 months
Explore: All The Years!