💀 Worst Computer Virus: BIOS Virus | Motherboard Virus | Lojax | UEFI Rootkit
🔗Get a 14-day free trial with my sponsor Aura and see where your personal information is being leaked online: Aura.com/nico
▶️Special Thanks to Scott from Ask Your Computer Guy: / askyourcomputerguy
Scanners that detect Lojax:
🔗 Aura: aura.com/nico
🔗 ESET Smart Security: www.jdoqocy.com/click-1004721...
💢 Business Inquiries: garrettgateway@protonmail.com
🔐 Unveiling Lojax: The UEFI Firmware Rootkit You Can't Ignore 🔐
Welcome to a gripping exploration of cybersecurity's darkest corners: "Lojax - UEFI Firmware Rootkit Exposed." 🌐🔍
In this eye-opening video, we peel back the layers of one of the most insidious threats to digital security - Lojax, the UEFI Firmware Rootkit that has sent shockwaves through the tech world. 💻🔓
🔥 What Awaits You:
🔹 Unmasking Lojax: Dive deep into the mechanics of Lojax, a devilishly cunning UEFI firmware rootkit. Discover its origin, infiltration methods, and the ominous purposes it serves.
🔹 UEFI Under Siege: Understand how Lojax exploits the Unified Extensible Firmware Interface (UEFI), bypassing traditional security measures to establish a hidden foothold within the heart of a computer's hardware.
🔹 Persistent Menace: Explore the unparalleled resilience of Lojax - it survives reformatting, operating system reinstallation, and even hard drive replacement, making it a formidable adversary.
🔹 Real-world Fallout: Witness the real-world ramifications of Lojax attacks, from corporate data breaches to targeted espionage, as institutions struggle to defend against this invisible invasion.
🔹 Countering the Threat: Join cybersecurity experts as they engage in a high-stakes battle against Lojax, utilizing innovative techniques to detect, prevent, and eradicate this persistent rootkit.
🔹 Lessons for Protection: Gain valuable insights into safeguarding your devices against UEFI firmware rootkits. Learn the importance of regular updates, secure boot protocols, and vigilant cybersecurity practices.
📚 In this illuminating exploration, we'll traverse the evolution of computer viruses - from the early experiments in the labs to the sophisticated malware that challenges cybersecurity experts worldwide. Discover the difference between viruses, worms, Trojans, and ransomware, and gain a clear understanding of how each exploits vulnerabilities to infiltrate systems.
🌐 But it's not all doom and gloom! As we unravel the complexities of computer viruses, we'll also unveil the powerful defense mechanisms and countermeasures that cybersecurity professionals have developed. Discover how antivirus software, firewalls, and behavioral analysis are used to detect and prevent these threats from causing harm.
Don't forget to hit the "Subscribe" button and ring the notification bell to stay informed about our upcoming releases. Empower yourself with the knowledge to defend against lurking digital threats and take charge of your cybersecurity.
🔗 Watch Now: Most Dangerous Virus: UEFI Firmware Rootkit | BIOS Virus | Motherboard Virus
🕒 Video Length: 06:46
📅 Release Date: 08/21/2023
Chapters:
0:00 Intro
0:22 Enter Lojax
0:50 Sponsored by Aura
1:23 UEFI Basics
2:07 What is Lojax
3:00 How Lojax Works
4:17 Prevention
5:40 What you can do
Join us as we shed light on Lojax, a UEFI firmware rootkit that underscores the importance of remaining vigilant in an ever-evolving digital landscape. Let's stand strong against the shadows that threaten our data, privacy, and digital freedom. 🛡️🌐🔒
Download Tron Script: / tronscript
During the 80s, we had extra BIOS chips just in case the BIOS on our board got corrupted. We unplugged the corrupted chip and just inserted the back-up.
A modular solution like that would certainly come in handy these days.
This isn't the 80s lol.
@@NicoKnowsTech sadly we have non-removable chips, but hey, we get the 12 dollar CH341 with a SOIC8 clip
@@Praw-Too-Ehleem So screwed we are "lol"
In the 80s, BIOS wasn't updatable. Edit: I should say it wasn't updatable in-place. They were actual ROM chips, not some sort of eeproms or flash like they use today. Updating to newer BIOS, as you needed to in order to get the early IBM PC to accept high-density floppy drives, or the AT to work right with an IDE controller, involved replacing the actual IC. There was no such thing as corruption, because the programming on the chip could not be altered.
Back in 98 I was an ISP admin with a T1, and since part of my job was network security, I noticed we had someone trying to brute force our servers. I responded by trace routing and flooding his IP, which was in France. For about a week we went back and forth until I got my rear handed to me when he planted a motherboard virus in my workstation and I had a blank screen after a reboot. Not a blank screen after POST, but just a plain black screen with no BIOS POST or anything. I replaced the motherboard and booted it just to confirm how I was taken down. The new motherboard worked great until reboot, and I learned that I was not even close to the best lol
A T1 in 1998? You were a god back then.
If you were part of our ISP, I essentially was lol @@NicoKnowsTech
You had their ip and didn't report that person to authorities? May I ask why? I know 98 was a different time but you had proof of their illegal activities.
You know, I've been trying to tell them about this for years. All I ever get is "oh, it's impossible to hack the BIOS" when I tell them one of the greatest flaws is making it possible to update the BIOS from within the OS. Nice video.
You're so right! What is worse is that Lojax doesn't even need the vulnerability of software update. It exploits the exception in the firmware that enables Computrace LoJack to be installed.
@@NicoKnowsTech btw Malwarebytes can detect it, eliminate it and remove it
@@franciscohorna5542 I wish, but unfortunately Malwarebytes does NOT have write capability on firmware and does not use a driver capable of scanning volumes on the SPI flash.
@@NicoKnowsTech a friend of mine was able to remove this with malwarebytes here he told me
I remember reading about some security focused mobo years ago that had a read only version of the mobo firmware stored on a separate chip. All it did was remain there and if anything went wrong you could press a physical button on the mobo while the computer was on and it would wipe the chip the mobo used and then copy itself to that chip. It would put back the firmware at purchase as the chip itself couldn't be updated. Then after that was done you could update the firmware again to the current standards. But it always had that back up stored. Why don't I hear about anything like that now?
That exists on certain mobo models. ASUS has such a model and so did Gigabyte years ago. It is called DualBIOS.
Back then, BIOS used to be a separate system that was completely detached from the main OS. In those days only the BIOS used to control the OS but didn't let the OS control it. But modern firmware systems like the ASUS BIOS update utility allow you to update the BIOS through the OS. An OS should never control the BIOS; only the BIOS should control the OS. These big companies are making systems unsafe in the name of simple service providability.
Not really true. The flashing procedure you are referring to here is still controlled via integrated BIOS flash utility in the motherboard. You just invoke the process in Windows but then it restarts and the flashing itself is done by the motherboard subsystems. This is a great advantage over old BIOS utilities because they really flashed IN Windows and the process could freeze and damage the computer.
@@speed_rider362 it still depends on how the BIOS is invoked. If the BIOS is invoked by sending some data, then it is safe and you are right. But if the BIOS is invoked through some programmatic way by OS software, and if designed to extensively interact with the BIOS, then it is likely to be exploited. A bidirectional programmatic control access on each other (BIOS, OS) is not good, that's what I meant
Maybe there are technical limitations I'm not aware of, but if I had been in charge of designing BIOS(s) for computers, I would have required that a PHYSICAL jumper be present on the motherboard for the BIOS to be overwritten or updated. Users would be able to change settings, which would be stored separately, but the BIOS itself would be untouchable unless the jumper was physically in place. And to prevent users from just leaving it in place, the system would refuse to boot if the jumper was in place, forcing them to remove it. Additionally, there would be a copy of the BIOS that the system ships with, in ROM, and there would be a PHYSICAL jumper on the motherboard that would cause the system to completely wipe the BIOS and restore it from the ROM copy. Sure, that copy might be outdated, but better to go back to an old version and then run an update than to be stuck with compromised firmware. When I think of most computer developers' (hardware and software) attitude toward security, I imagine a guy who removes his front door for convenience and then spends countless hours trying to figure out how to prevent burglars from coming in the opening where his door used to be.
Not quite that easy, as both your operating system and IME update the UEFI with vulnerability updates and new signed driver signatures. From what I understand. Not a tech expert, but it's a bit more complicated than the good old BIOS, that's for sure.
@@jackeriksen6753 So by trying to add security features, they've actually introduced a huge security vulnerability? Yeah, that sounds about right...
If you already have a backup of your BIOS firmware, then you can physically remove the BIOS chip and either delete and rewrite it, but I guess for most people the easiest option would be to replace the MOBO
Exactly. Most users would not be able to perform that. Some tech shops could... But most don't and many that can don't acknowledge the existence of said threats.
@@NicoKnowsTech kind of sad that many boards end up in e-waste that can be fixed easily, that's why BIOS flashback is a MUST
@@309electronics5 for real. Wish laptops had a backup BIOS as well that could be switched to via a physical switch should the primary one fail
A lot of modern motherboards have flashback bios where you can flash your bios from usb. All you need is the motherboard and a PSU.
Most modern BIOS chips can be flashed from a DOS/Linux boot USB drive, no need to remove it physically. Overwriting the firmware with a safe factory image would get rid of a BIOS virus.
All of these "secure boot", UEFI and so on, when a simple jumper on the mainboard would prevent in an unavoidable way the corruption of the BIOS.
You are absolutely correct!
Almost all bios chips have a write protect pin so theoretically you could solder a wire to it with a switch or jumper and make it write protected
@@robsonrobbi1763 it's even worse. So the mainboard producers speak about security but don't give us a 1 cent perfect protection?
Motherboard companies should release bios writer kit for this kind of virus.
I never understood why it's even possible to change the UEFI firmware directly from the OS. It's anyway dangerous and shouldn't be done. Most people don't even know what a bios chip is, so the best security measure would just be a physical switch that flips the bios chip from read only to read/write. You'd only really ever need to flip that switch in case of doing a firmware update.
"If that doesn't work, most users will have to replace their motherboard and that's going to be expensive." Nah, you just de-solder the chip, erase it and write over it.
Correct. Most replacement chips can be purchased pre-programmed with the factory UEFI.
Not everyone has the luxury to get that kind of stuff.
Talk about completely missing the point. If you let everyone choose: desolder and potentially ruin it, or just buy a new one. Guess what the overwhelming majority of not tech-savvy users will choose.
Would be interested in hearing 1 person who has opted for physically removing and/or replacing the BIOS. Nobody denying it CAN be done. Point is-- is it worth doing? Step up if you have done this with recent model. Especially laptop. Or something like a Surface. That takes some $$GEAR, as well as practiced physical skill and specific knowledge. Good luck if you don't do that for a living or at least serious hobby.
@@jdmayfield88 I am in the field and yes it does take some skill and effort to solder remove/replace BIOS IC, but it can be done by most people without even removing the chip using a programming clip. It's a lot easier than most people think. The BIOS is usually an 8 pin SOIC chip and removing it isn't always necessary. You can buy a CH341 USB programmer for less than $20, which you can use to program your BIOS and can learn how to use it watching YT videos. Many times you can program the chip without even removing it from the board using the programming clip that comes with it. A decade ago, all the computers in my house got hacked with some kind of UEFI virus. At the time, I read that this was a new virus spotted in the wild. I knew I had this virus because even after replacing the HD and installing an OS, the problem still existed. My daughter and wife were also experiencing problems on their laptops. Long story short, I reprogrammed all the BIOS's, reinstalled OS's and all problems were gone. I went one step further though, I installed Linux instead of Windows. My only regret is I wish I did that a long time ago. All my computers run so much faster with Linux. In fact, my wife's laptop is so old (Windows 7), you wouldn't even be able to install Win10 on it; yet, it runs like a new computer using Linux. When I re-did the BIOS's, I removed them, programmed them and soldered them back in. It just seemed easy enough at that time because I do own the equipment, however, recently I had to rewrite a BIOS on a recent model HP laptop, but this time I used the clip instead; and did it with no issues. If you do this, you need not worry about damaging anything. Just make sure the computer is powered down. Hook up the clip in the right direction (pin 1 - pin 1) and using another computer with the USB programmer, attempt to read the chip. If you can read what is in the chip with no problem, writing the chip shouldn't be a problem. 
Save the data that you read in the buffer to a file so you have a backup in case the new BIOS doesn't fix the problem. If you go to badcaps dot com you can ask them for a BIOS for your model computer; they will be happy to help you.
In the late 90s / early 2000s there were viruses that would brick your motherboard. Then the manufacturers would build motherboards with write protection, which is a jumper on the board that had to be removed physically from the mainboard if you wanted to update/overwrite your BIOS. Is this still a thing, or nowadays does everything have to be solved with software?
Some manufacturers allow writing to cache and then auto restarting to write during post. This is why some motherboards can be updated via Windows Update. The way Lojax writes directly from Windows is via the hardware/software barrier being bypassed through a vulnerability in how Computrace LoJack works. Thanks for your comment!
@@NicoKnowsTech Thank you for your reply.
I’ve been waiting for a video about this topic for a long time
I’m happy you found me.
@@NicoKnowsTech one question while you're here: how can I use Kaspersky even though it's not available in my region?
@aranamanj3401 VPN to a country that allows it then try to download and install it.
@@NicoKnowsTech ok I’ll try
@@NicoKnowsTech I tried it, it worked. One last question: as a free AV, how well do you think it'll protect me (I don't pirate games or movies or software btw)?
If the software used bricked the BIOS by force-flashing it with an incompatible BIOS, the manufacturer of the BIOS can have a manufacturer-specific method for the model of the device to force booting into flash mode and re-flash the BIOS from USB that actually works, instead of being stuck with a powered-off motherboard.
Back in 1999 I got the Chernobyl virus on my BIOS chip, I ended up having to scrap the motherboard and drives as I could not get a ready flashed BIOS
I bet that was a nightmare. Thanks for sharing your experience.
@@NicoKnowsTech It took me 3 months to find out what was happening. Windows 98 seemed to be eating its own files; I would re-install and all would be good for 4 or 5 days and then the same issue. It turned out to be infected by a CD-ROM of samples that was given to me by a friend; he contacted me to ask if I was having any issues.
Well, I did reflash mine... shops stopped changing motherboards. kkkk I did manage to get hands on another one to copy the bin file.... worked very well until entering a Celeron III 300MHz overclocked to 450. But that is another story :)
You can also just use an EEPROM programmer such as the CH341A and clip over the BIOS chip to wipe and then overwrite it with known good firmware. (They are $8-15 and the companion software is free) Much cheaper than a new motherboard. This procedure is commonly used when the motherboard has an incompatible BIOS for the CPU and by crypto miners when they flash the wrong BIOS onto a GPU to fix it.
The only problem with that is, I'm absolutely incompetent when it comes to soldering. And I don't really have any old hardware I'd dare to learn it on.
People who do this... talk about having no lives
These kinds of attacks are USUALLY DONE by these SATANIC NAZI WANNABE POWER HAPPY CONTROL FREAK HUMAN GIVEN government JOB TITLED TERRORIST TYRANT CRIMINALS. Who may do the ATTACK themselves or HIRE a HACKING GROUP TO DO IT SO THEY HAVE COMPLETE DENIABILITY and CAN BLAME THE HACKING GROUP.
The BIOS manufacturers are the issue. Obviously you write BIOS updates to every byte. Who does not do this? Who do WE want to avoid?
At this time AMI and ASUS are doing pretty well about this... Insyde and others are a bit behind the curve.
Maybe do a feature on Monkey C. A little known virus from the 90s. A variant of Monkey A/B. If infected on a system with a hard drive that has flashable firmware. It modifies it so each time you shut off the machine it bumps the speed of the drive from 5% to 10% each time. So after 3 or 4 boots you have a crashed drive. We took it in mid 90s and broke the every time it reboots part. We were able to overclock the drive.
Great idea!
@@NicoKnowsTech It is what led to hard drives not having flashable firmware in about 96.
Yeah I was a rookie in IT back then. The golden age of hard drive rootkits and boot kits.
In 2023 I'm still unable to cope with the fact I got a virus on my 486 bios back then. Multiple tests proved my 486 became at least 60% slower. Things evolved so fast at that time that it was easier to get a 133mmx than fixing it.
Seems like a win for Intel.
Rootkits certainly exist as I already heard about those more than 20 years ago when I was still using an Amiga computer. So anyone claiming those don't exist, are just lying.
I remember having to reflash corrupted BIOSes after CIH infections before the millennium. Now we have the management engines, the micro operating systems that most users are unaware of, built into their motherboard chipsets just waiting to be exploited, giving the facility to hack the machine when it's switched off but plugged in.. NSAKEY anyone?
So true! Particularly in Intel Core processors. They have a micro kernel running a tiny Linux OS called "Minix"
@@NicoKnowsTech Hello Minix! Not at all Linux (not even a little bit). It's its own OS. Back in my early Linux days, I ran across Minix. Back then, it was just another take-off home-brew OS like Linux was, only it did not gain much support. Decades later, turns out it's been baked into the actual hardware of a number of CPUs, running silently as a (mostly) independent computer (like TPM). Strange how things in life work out sometimes. I ran Minix experimentally back then to see if I liked it and whether it would fit my needs and/or wants. It didn't. But I could see how it could be useful if documented and properly secured, like iDRAC. Maybe that was the idea? Really useful to be able to interface on a pre-boot BIOS/UEFI level on a remote machine. Companies pay high-dollar for this functionality, for servers. Damn awesome to remote in to a machine that hasn't even booted yet, like you are physically at the console. Much better than having to have someone drive out 10's, 100's, or 1000's of miles and the downtime in-between. They... probably should have said something about it first though. I suspect it was not actually authorized to drop a Minix computer into the CPU, but was initially a selling point, didn't make the sale, but unintentionally snuck in because they had a blueprint, and it was in the blueprint due to a deadline. Not many people gonna catch that. Not like it looks like a whole separate computer piggybacking alongside the CPU in silicon.
this is extremely informative, thank you.
Glad it was helpful!
How convenient that Aura, the "sponsor", can detect it.
Between us... Kaspersky can as well but it is such a controversial topic and I'm still a small KZheadr.
@@NicoKnowsTech I wasn't intentionally dissing.. and btw, I use Kaspersky - maybe I'm the one that needs dissing! ;)
@@DJPalsyP LoL it's lively comments like yours that keep me motivated!
Been building computers since I was 13-14 years old. I'm now turning 40 in December, and honestly ESET Antivirus has been the best I've used in all those years. Glad it's on the recommended list and detects this Lojax virus. I also make sure in device security that everything is enabled and Secure Boot is enabled in my UEFI BIOS
You are darn right!
Totally agree
A virus in firmware can 100% evade any attempts to detect it from the hardware on which it runs. Mind, firmware (BIOS or UEFI) contains code for Intel MEI and AMD ?PCP? MEI doesn't even run on what you think is your processor and has more than 100% of your computer's control. It can control more than you know exists (like SMM, which is complete gibberish to most), VMs, and that is even higher than the hypervisor, and everything else we all are unaware exists in our computers
ESET's good, also I've been using AVG Free which works well too. On another note, why are hackers depicted in media/videos always wearing a hoodie? Are they all hacking in chilly rooms? lol
BIOS !== [U]EFI; // Like CPU !== HDD or SSD
POWERON --> (nvram) BIOS --> (drive) [U]EFI --> (drive) OS
That is the order of things.
when you figured it out, it is not virus it is a feature, hardware backdoors are more dangerous.
You clearly get it!
Never heard of this one, that's scary to be honest. Gonna have to look into enabling Secure Boot. Superb video as always, thank you for bringing this info to us. It may not be a widely used virus but it is still nice to be aware of it
Keep in mind that Secure Boot is a MS key signature and will not remove the rootkit that infected your firmware bootloader. It will just ignore binaries that were not signed by that key.
Is there no backup ROM chip for the BIOS that is burnt during manufacturing and cannot be manipulated? And use it to recover the original BIOS during any BIOS related issue, with some key combination pressing. Wipe out the secondary BIOS chip and rewrite it from the backup one?
Some motherboards allow roll-back but it really comes down to whether or not the update will overwrite enough of the SPI flash to at least break the rootkit
Does Lojax infect legacy type BIOS chips? And if so, does it write to both BIOS chips on dual BIOS systems? My "stone age" BIOS can reflash from a backup chip if a BIOS update goes wrong. The latest update for my old machine was released in late 1990's...
Lojax does not affect legacy/BIOS. This particular threat is specific to UEFI
... or they could have the uefi/bios flash chip easily replaceable as is the case with the microprocessor and ram (on desktops at least).
Not a bad idea tbh
Thank goodness mobo manufacturers now have option to install BIOS without turning the machine on, and also BIOS Flashback.
Very enlightening
There are also other ways of deleting it, not only updating the BIOS through the UEFI interface. You can also (if you have the tools) flash the BIOS using another computer directly onto the chip, either by using an adapter or desoldering the chip completely and flashing that way. Not really the easiest but might be cheaper than replacing some motherboards.
You are absolutely right! I wish more people had your knowledge and insight in the repair industry.
Many pre-2000's computers had a socketed BIOS flash chip. Ahh the good ol' days. heh
This method would be the only route if the EFI virus is clever enough to pretend to update itself, and produce a clean copy when asked for the EEPROM contents, if the update is attempted after it's loaded in memory. I remember back in the 90s, a friend of mine had bricked his motherboard because of a power loss during the BIOS update. Thankfully at the time I had the exact same motherboard, and I took advantage of the "shadow RAM" option, where it copies it to RAM during boot time and never accesses it again until the next reboot, so I hot swapped the BIOS chips and I reprogrammed his. I know it was risky, but he was willing to replace mine in case of a failure, so there was no issue :)
@@skesinis- Or could have used an inexpensive EEPROM flasher to re-write the BIOS chip. Nowadays they use soldered-on SPI chips for the BIOS and UEFI which are difficult to desolder and reprogram. Nevertheless your friend's method was pretty clever. ;)
The Read Write Everything program can have malware in itself? Can it be used to change only things like USB device names on generic no-name flash drives?
It can be used for a wide variety of firmware level changes.
Great video Niko, very informative and myself love cybersecurity and the ever evolving threat landscape. Thanks!
OMG thank you! You have an amazing beard!
On Intel, the FPT tool is available and can rewrite the BIOS, but for it you need a fully working BIOS file. And you say erase empty space; in such a case, after the BIOS update, data, meaning your serial number, Windows key and others, vanishes. Lenovo BIOS updates do it in the same manner (LCFC, or commonly known as ThinkPad), but its implementation cost is high, as in this case it needs other storage which stores the data. The solution for this is using Device Guard in the BIOS, and already almost every platform has it implemented, named Boot Guard on the Intel platform.
What manufacturers overwrite empty volumes? List please!!
Working on it! Thanks for your comment.
Desoldering the BIOS chip, then erase it and reprogram it with original firmware. After all of that solder it back.
You are 100% correct. Unfortunately, the average end user lacks your training and experience to perform this operation. What's even more saddening is that most tech shops are not capable of performing micro soldering services.
@@NicoKnowsTech why are they even tech shops then? Scammy tech shops
Yes, but most experts with a hot air station might not have a copy of their firmware on speed dial... And how do you download 'safely' after getting hacked? By the time you get back from the library - IF you could download files at your library - you then need to DO the work, and fix the problem. So about a day... ...meanwhile once that hacker has your login, he only needs a moment to change your passwords if he even wants to, usually they're after the value OF your data, and your computer going down is a fault of your own. Sure, you can smash the trojan horse by ditching your hard-drive, but every moment you are not fighting back with a working computer is a win for them... Best bets are to use linux for the internet-intensive work, and have windows for proprietary shizz. And two (or three) of everything also helps, so when one breaks - the other can save the day!
@@Vilvaran you are right. What a lot of repair shops have been doing is buying a pre-programmed chip. They sell for around $10 to $15
I am currently using a no-brand Chinese mobo for 2011-v3 Xeon processors. It takes a strangely long time to boot, and the BIOS not only has uncommon configuration options for the time (which suggests it got modified), it is also not capable of Secure Boot. I'm scared.
I am wondering if you have CosmicStrand. I was talking with ESET today about it. Scan with one of ESET's virus scanners. It is the only AV scanner that can scan your UEFI and BIOS and can detect all known UEFI rootkits. If you come up clean, then great but without secure boot you are at risk so I would recommend keeping ESET. Here is my link: www.anrdoezrs.net/click-100472156-14462142
Fortunately, ESET scan didn't detect anything. But man... is this 100% reliable? Also, I plan to use Linux on this machine. How can I protect myself while using Linux?
@@rafael_freeman This threat doesn't affect Linux. For now you should be good to go. ESET's NOD32 works on Linux but if you are not installing things from unofficial repositories or running copy and pasted curl commands and such... you should be okay.
@@NicoKnowsTech I feel way more relieved knowing that. I intended to use Linux for ordinary tasks, so yea, I'll probably stick with official repositories only. Thanks man! I really appreciate your attention
Hi, I think I have this type of virus. Can it be stored in another sector (hardware) of the PC? For example in the GPU memory or in the integrated memory of the processor? Because I have been trying different solutions for 1 month and I understand that I would need to rewrite the UEFI BIOS... but my fear is spending money on that and that the virus is also somewhere else... I have this virus on 3 PCs, 1 notebook, my phone and my girlfriend's phone. Any help would be greatly appreciated.
Would password protecting the BIOS work, say BIOS is always read only, and the only way you can write changes to it would be inputting a password so that it sets it in a read/write mode?
As far as we know, that theoretically could. I am working on part two which covers some other things that can be done to protect against this type of threat.
@@NicoKnowsTech looking forward to it
I would not be surprised if it turns out the NSA itself forced American hardware designers to leave the vulnerability.
Wouldn't be out of character for them that's for sure.
Thanks bro, this is very useful 👌
Welcome 👍
Hello Nico. I highly appreciate your content. Can you please make a video on Ducktail/similar info stealer malware and how to remove it. That would be really helpful. TIA
I have been wanting to do a video dedicated to stealers. Great idea!
good luck in getting your bios to boot, and when it does it shows up for about 2 seconds then reboots.
2:19 Press F for bent pin in LGA socket
Can you do a video on port spoofing? It would be invaluable against port scanners and waste their time. There was one tool that opened all ports on your machine, but redirected traffic to just 1 of them. One guy used nmap to try to find legitimate ports, but the port scan took over 8 hours and spat out a 200MB file of all the attack vectors. All but 1 of the open ports are just honeypots, so unless that hacker is hellbent, it's pointless to attack that victim that way.
What a great idea! I was thinking about making a honeypot video using a Raspberry Pi 4.
Well if you do, I look forward to seeing the video.
About 2 years ago I had a computer that was running slow! I reformatted the entire drive and it still ran slow, about half speed. Two days later I figured out that the AMD processor had a bad oscillator and I had to buy a new one. So I redid my BIOS with an upgrade for the processor that was coming, and it was normal.
Is everything working better now Mick?
@NicoKnowsTech It is OK, but now on a different machine that has a disk error, and the controller and disk are OK! Microsoft sent out BAD CODE!
So that's why the BIOS will not update no matter what we do. Are there any other options other than replacing the motherboard?
Did you already try tripping the BIOS?
@NicoKnowsTech The fact that you even suggested this shows your lack of understanding of the issue. Yes, you CAN fix it, but you will need to obtain an external programmer (something like an XGecu TL866 or similar), or take the motherboard to a real service centre that can do this for you. Note that not all flash ROMs are writable by default; there is usually a pin that controls whether the IC is read-only (called "Write Enable") and it is usually controlled by the chipset, meaning that a manual flash with an external programmer will require the ability to de-solder the IC from the motherboard.
It would be good if every mainboard came with 1 factory-installed firmware in ROM and 1 which can be updated, and a switch on the mainboard which will overwrite the writable one with the read-only one. That would pretty much solve the problem.... 5:59 Not sure why you think overwriting the firmware actually overwrites the firmware. I'm pretty certain updating the firmware is a function OF the firmware. So the installed (infected) firmware can prevent it being fixed.
I agree with you. Regarding overwriting the firmware... updates USUALLY but not always (I'm looking at you, Insyde Software) perform their updates during boot from the UEFI interface when the rootkit is not running, so they can usually be performed. Certain updates that run as an EXE from Windows or via Windows Update can potentially be interrupted if the operator of the rootkit/RAT makes it happen. Great insight!
@NicoKnowsTech Something else that wasn't talked about in the video: hacking the firmware of peripherals is very much possible as well, especially HDDs and SSDs are great targets; see the Snowden documents. The scariest firmware story is actually BadBIOS. (Sorry for the original repeat comment, but I thought the other commenter might like to know/think about this too/maybe comment on it; he/she seemed to be more knowledgeable than average.)
@autohmae Excellent points. I'm going to take your advice in an upcoming video! Thank you!
@NicoKnowsTech Be aware, BadBIOS was a story which could not be confirmed, but it's by a pretty famous security researcher. It's so far out there that people mostly trust him, but don't know if they can believe this.
Dude, I think this just happened to me. I could tell the entire story of the hacker getting access to my Steam even though I have 2FA (the only way he could do that was by getting access to my computer and/or browser that had my account already logged in), but let's just focus on the part where it says I have 2 keyboards and 2 mice in the BIOS. While at the same time every keyboard that I plug into the computer "does not work" (in fact it does: if I launch the virtual keyboard and click Caps Lock and Scroll Lock, the light on the keyboard will turn on/off), and recently while I was in the BIOS it screenshotted it out of nowhere. I did a BIOS update but it did not fix it.
Flip off virtualization support in the BIOS and then run a scan with ESET. If it detects a UEFI threat, then we have something. If it comes back clean, then you have something else... something more dramatic but easier to clean.
@NicoKnowsTech Well, it came back clean. Now I'm truly lost because I was so certain that it was a BIOS virus.
It's good news. It was likely a Trojan that steals login info from your browser. Have you run my virus removal tutorial?
A simple jumper would completely get rid of this entire class of malware. Critical firmware should not be writable at all times! Just during an update. Why is it not done this way? I have no idea. BTW, replacing your MB just to get rid of firmware malware is not needed at all. Just take it to your local electronics repair shop and tell them what the deal is. Unless it is some extremely obscure and unknown board, they should be able to reprogram the entire FLASH chip without any problems. Depending on how your particular shop does things, you may or may not lose the Windows license key stored within the firmware (which is not a big loss TBH) and/or mess up the board's serial number.
It is Microsoft!
Back in the old days, people were smarter and knew the importance of jumpers. Nowadays, they simply expect people to be dumb and enable updates/rewrites all the time because they know most people have never heard of a jumper in their life. I know technicians who have never heard of a jumper before when I ask them. Same as keyless entry on cars: those keys send out the open-door signal 24/7 just for the convenience of the owner. But anyone with a transceiver can copy that signal and replay it near the car and drive off with it. Same story in everything nowadays. Due to the stupidity and laziness of the users, security gaps are introduced and people need to install security updates to patch these vulnerabilities daily, just in case a hacker may gain entry to your system. Just lock the door on everything and only open it when needed; this is the best security you can have, not the other way around (have the door open at all times and constantly need a guard at the door to stop everyone from entering).
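The "jumper" the two comments above ask for does exist in a weaker, silicon form on Intel platforms: the BIOS_CNTL register of the PCH (BIOSWE, BLE, SMM_BWP) and the SPI Protected Range registers (PR0..PR4) decide whether the BIOS region of the SPI flash can be written from a running OS, and those are exactly the bits that chipsec's `common.bios_wp` module checks. The decoder below is an added example, not code from the video, the commenters or chipsec; it assumes the bit layout documented for Intel Series PCHs (BIOS_CNTL bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP; PRx bit 31 WPE, bits 28:16 limit, bit 15 RPE, bits 12:0 base, 4 KiB units) and works on constructed register values rather than reading hardware, which needs a kernel-level tool such as chipsec.

```python
"""Decode Intel PCH SPI flash write-protection state from register values.

Added example, not from the video or the thread. Register bit layouts assumed
(Intel Series PCH, the same fields chipsec's common.bios_wp module reads):
  BIOS_CNTL  bit 0 BIOSWE (BIOS Write Enable), bit 1 BLE (BIOS Lock Enable),
             bit 5 SMM_BWP (SMM BIOS Write Protect)
  PRx        bit 31 WPE (write-protect enable), bits 28:16 limit, bit 15 RPE
             (read-protect enable), bits 12:0 base; base/limit in 4 KiB units
The register values used in the demo are constructed, not read from hardware.
"""
from dataclasses import dataclass
from typing import List, Tuple

BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5


@dataclass
class BiosCntl:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def locked(self) -> bool:
        # Writes from the OS are blocked only if BIOSWE is clear, BLE makes any
        # attempt to set BIOSWE trap into SMM, and SMM_BWP keeps the flash
        # writable from SMM only. That combination is the "jumper" in silicon.
        return (not self.bioswe) and self.ble and self.smm_bwp


def decode_bios_cntl(value: int) -> BiosCntl:
    return BiosCntl(bool(value & BIOSWE), bool(value & BLE), bool(value & SMM_BWP))


def decode_pr(value: int) -> Tuple[bool, bool, int, int]:
    """Return (wpe, rpe, base, limit) of one PRx register as byte addresses."""
    wpe = bool((value >> 31) & 1)
    rpe = bool((value >> 15) & 1)
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return wpe, rpe, base, limit


def write_protected_ranges(prs: List[int]) -> List[Tuple[int, int]]:
    """Byte ranges [base, limit] that some PRx register write-protects."""
    ranges = []
    for v in prs:
        wpe, _, base, limit = decode_pr(v)
        if wpe and limit >= base:
            ranges.append((base, limit))
    return sorted(ranges)


def region_is_write_protected(prs: List[int], start: int, end: int) -> bool:
    """True if [start, end] lies entirely inside one write-protected PR range."""
    return any(b <= start and end <= l for b, l in write_protected_ranges(prs))


def assess(bios_cntl: int, prs: List[int], bios_region: Tuple[int, int]) -> str:
    """Simplified verdict in the spirit of chipsec common.bios_wp."""
    cntl = decode_bios_cntl(bios_cntl)
    if cntl.locked:
        return "protected: BIOS_CNTL (BIOSWE clear, BLE and SMM_BWP set)"
    if region_is_write_protected(prs, *bios_region):
        return "protected: a PRx range covers the whole BIOS region"
    if cntl.ble and not cntl.smm_bwp and not cntl.bioswe:
        return "weak: BLE set but SMM_BWP clear, SMM can still be abused to write"
    return "unprotected: BIOS region is writable from the running OS"


if __name__ == "__main__":
    BIOS_REGION = (0x400000, 0x7FFFFF)        # constructed flash layout, 4 MiB BIOS region
    PR_COVERING_BIOS = 0x87FF0400              # WPE set, base 0x400 (4 KiB units), limit 0x7FF
    for cntl, prs in [(0x2A, []), (0x00, [PR_COVERING_BIOS]), (0x02, []), (0x01, [])]:
        print(f"BIOS_CNTL=0x{cntl:02x} PR={[hex(p) for p in prs]}: "
              f"{assess(cntl, prs, BIOS_REGION)}")
```

On a real machine the values come from `chipsec_main -m common.bios_wp` (or the raw registers via chipsec's utilities); the point the decoder makes is that a password in the setup menu, as asked about earlier in the thread, does nothing for this, because the OS-side write path is governed by these bits and by the SMM handler that guards them, not by the setup UI.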
Is the virus really in hardware? I know there is a part of the disk that is used for UEFI, called the EFI or System partition. Not all Windows resets clean out the EFI partition.
Yes, there is... however, UEFI is stored in the SPI flash, a chip on the motherboard. EFI on a drive is the Extensible Firmware Interface, which is used for talking to motherboards that are using UEFI.
LoJax has been around since 2018, and is very well documented, so why all the fuss now?
2016, actually, and it's popping up all over dark web marketplaces and normal users' motherboards lately.
the intro is fire
Aww, thanks
I can't take these hackers anymore.
Would a BIOS Flashback clean this type of virus?
It could. The rootkit payload is dropped onto one of the SPI flash volumes wherever it finds space. If it is dropped onto a volume partially used by the REAL BIOS, then updating or flashing it will indeed delete the malicious code as well. IF two things happen: if the virus is on a presumed-empty volume AND the update skips what it assumes are empty volumes, then the update may skip it and leave it there.
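The reply above hinges on one detail of the UEFI flash layout: the flash is divided into firmware volumes (FVs), each a header followed by FFS files and then a tail of erased bytes, and an update that only rewrites the files can leave a blob parked in that tail untouched. The script below is an added example (not from the video or the commenters) that walks the FVs of an image, lists the files, and reports anything in the free-space tail that does not read as erased. The header layouts follow the PI specification (EFI_FIRMWARE_VOLUME_HEADER with the `_FVH` signature at offset 40, EFI_FFS_FILE_HEADER of 24 bytes); the image it parses is constructed inline, not a vendor dump, and `implant_blob` only simulates the "dropped into empty space" case for the demo.

```python
"""Walk the firmware volumes (FVs) of a UEFI flash image and flag bytes that
sit in an FV's free space. Added example, not code from the video or thread;
the on-disk structures follow the PI spec (EFI_FIRMWARE_VOLUME_HEADER,
EFI_FFS_FILE_HEADER). The image used here is constructed, not a vendor dump.
"""
import struct
import uuid
from typing import Dict, List, Tuple

FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FV_SIGNATURE = b"_FVH"            # sits at offset 40 of the FV header
EFI_FVB2_ERASE_POLARITY = 0x0800  # attribute bit: erased bytes read as 0xFF
FFS_HEADER_LEN = 24
FV_FILETYPE_DRIVER = 0x07


def fv_checksum16(header: bytes) -> int:
    """Sum of all little-endian u16 words of the header; a valid header sums to 0."""
    return sum(struct.unpack("<%dH" % (len(header) // 2), header)) & 0xFFFF


def build_fv(files: List[Tuple[uuid.UUID, int, bytes]], fv_len: int) -> bytes:
    """Constructed single-FV image (erase polarity 1) for the demo."""
    block_map = struct.pack("<IIII", fv_len // 0x1000, 0x1000, 0, 0)  # one entry + terminator
    hdr_len = 56 + len(block_map)

    def header(checksum: int) -> bytes:
        return (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", fv_len) + FV_SIGNATURE
                + struct.pack("<IHHHBB", EFI_FVB2_ERASE_POLARITY, hdr_len, checksum, 0, 0, 2)
                + block_map)

    hdr = header((-fv_checksum16(header(0))) & 0xFFFF)   # make the u16 sum come out to 0
    body = bytearray([0xFF]) * (fv_len - hdr_len)
    pos = 0
    for name, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)
        # Name, IntegrityCheck (left 0 here), Type, Attributes, Size (u24), State
        # (0xF8 = HEADER_CONSTRUCTION|HEADER_VALID|DATA_VALID, inverted for polarity 1)
        body[pos:pos + size] = (name.bytes_le + b"\x00\x00" + bytes([ftype, 0])
                                + size.to_bytes(3, "little") + b"\xF8" + data)
        pos += (size + 7) & ~7          # FFS files are 8-byte aligned
    return hdr + bytes(body)


def find_volumes(image: bytes) -> List[int]:
    """Offsets of every FV header in the image."""
    found, i = [], image.find(FV_SIGNATURE)
    while i != -1:
        if i >= 40:
            found.append(i - 40)
        i = image.find(FV_SIGNATURE, i + 4)
    return found


def parse_volume(image: bytes, fv_off: int) -> Dict:
    fv_len, = struct.unpack_from("<Q", image, fv_off + 32)
    attrs, hdr_len = struct.unpack_from("<IH", image, fv_off + 44)
    if fv_checksum16(image[fv_off:fv_off + hdr_len]) != 0:
        raise ValueError("FV header checksum mismatch at 0x%x" % fv_off)
    fill = 0xFF if attrs & EFI_FVB2_ERASE_POLARITY else 0x00
    end = fv_off + fv_len
    files, pos = [], fv_off + hdr_len
    while pos + FFS_HEADER_LEN <= end:
        fh = image[pos:pos + FFS_HEADER_LEN]
        if fh == bytes([fill]) * FFS_HEADER_LEN:
            break                                   # start of the free-space tail
        size = int.from_bytes(fh[20:23], "little")
        if size < FFS_HEADER_LEN or pos + size > end:
            raise ValueError("bad FFS file size at 0x%x" % pos)
        files.append({"offset": pos, "name": str(uuid.UUID(bytes_le=fh[:16])),
                      "type": fh[18], "size": size})
        pos += (size + 7) & ~7
    # Everything after the last file must read as erased. A blob written into
    # the "empty" tail (the case the reply above describes) shows up here even
    # though it has no file header and a file-level listing never mentions it.
    stray = [i for i, b in enumerate(image[pos:end]) if b != fill]
    return {"offset": fv_off, "length": fv_len, "files": files, "free_space_start": pos,
            "stray_bytes": len(stray), "first_stray_offset": pos + stray[0] if stray else None}


def implant_blob(image: bytes, offset: int, blob: bytes) -> bytes:
    """Simulate an implant dropped into free space (demo only)."""
    return image[:offset] + blob + image[offset + len(blob):]


def sample_images() -> Tuple[bytes, bytes]:
    driver_guid = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up file name
    clean = build_fv([(driver_guid, FV_FILETYPE_DRIVER, b"A" * 100)], fv_len=0x2000)
    free = parse_volume(clean, 0)["free_space_start"]
    tampered = implant_blob(clean, free + 0x100, b"MZ" + b"\x90" * 62)
    return clean, tampered


if __name__ == "__main__":
    for label, img in zip(("clean", "tampered"), sample_images()):
        for off in find_volumes(img):
            r = parse_volume(img, off)
            print(label, "files:", len(r["files"]), "stray bytes in free space:",
                  r["stray_bytes"], "first at:", r["first_stray_offset"])
```

The practical workflow this stands in for: dump the SPI flash with an external programmer (the CH341/flashrom route other commenters mention), run the dump and the vendor's release image through a real parser such as UEFITool, and diff both the file lists and the free-space tails; a "BIOS update" alone is not proof the tail was rewritten.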
So use legacy BIOS and MBR? The unified part is gone in legacy, right?
It wouldn't really make a difference. It's best to simply verify that you don't have a UEFI rootkit and prevent one from infecting your stuff. Scan with ESET. There are links in the description.
watching this makes me afraid of getting a virus
Don't worry. Got a solution in part 2. Working on it now.
5:56 I doubt any of these companies will listen.
Would be a combined effort for sure. So far this video attracted the attention of some cyber security firms that I will mention in part 2
Nico, did you make a video on clientpcspeedup?
No, but I will tell you how to remove it. Run a full scan with RogueKiller by Adlice Software: www.adlice.com/roguekiller/ Thanks for watching my content!
Replace the motherboard? I reflash the BIOS with a programmer... done. By the way, there are also H61 or H81 motherboards with a Chinese virus, too... not many.
Exactly! Unfortunately most end users do not have your skillset. You are also correct about the motherboards floating around in the Chinese market. I am covering some of those soon.
This must be why I have 2 AMD/ASRock AM4 motherboards that died with bad BIOSes in 2 weeks.
Got a CH341 programmer, therefore Lojax doesn't exist. BIOS? SPI flash? GOOD! How many legs does it have, 8? Great. Put the clamp on it, flash the BIOS from any kind of machine, even from a Raspberry Pi. There's also no need to ask the manufacturer to empty the flash before a new BIOS flash is done. I do use those ROM holes for specific files that take little to no space, or just for PCI Option ROMs. The only thing we really need is a better clamp; I got a phone with a Winbond W25Q16CV, and it is soldered against a shield. If you look for F-07C you'll see the board and how crammed it is, hence the need for a better BIOS clamp.
We need more people like you speaking up about this.
Can Malwarebytes detect Lojax? I started installing ESET and it wanted me to un-install Malwarebytes before it completed the installation.
At this time, Malwarebytes has no UEFI scan component. It could THEORETICALLY detect its payload upon download if it was distributed to the victim directly. Unfortunately, Lojax is usually distributed as a secondary payload by a trojan downloader or direct attack. IF the Lojax payload was not modified in any way, it is possible that Malwarebytes would detect it, but in modern times most payloads are slightly modded in order to change their signature. Hard to say. Malwarebytes is pretty good at removing conventional software rootkits though.
@NicoKnowsTech Thank you for that information. I'll uninstall Malwarebytes and install ESET and do a scan. I'm not having any computer problems at the moment but just wanted to scan for it; this Lojax scares the crap out of me. Thanks!
Broke hackers and admins accessing virtual machines
pretty much
In '92 I infected my father's computer with an infected floppy, and from that time my career started... I gave up in 2010. Became a normal C/C++ programmer.
Have you tried a prescription of penicillin to see if the virus clears up? 😅
LoL
Can you explain how it works?
I am going to live stream how it works soon. If you miss the live stream it will still be viewable on the channel.
Nice intro xDDD
4:45 Wrong, you can use a flasher tool or manually flash the BIOS chip on your PC with a programmer.
Correct, however what was said was "most users." Most users lack that skillset
@NicoKnowsTech I see.
Since the beginning of 2023 we have been seeing a concerted attack on our mail server (MSA port 587) coming, mostly, from hundreds of US domestic IP addresses. Because TLS negotiation is involved, these cannot be spoofed addresses, but must be proxies, or rather potsies owning infected Microsoft Windows computers. We will be fine, but those hundreds of PC owners are screwed. The question is: are they old XP, Vista, or -7 systems, or is there a flaw in -11? ISPs have not responded to our alert.
Hey there. Sounds like either botnet attacks or a new reflection attack. Last year there was a vulnerability in Plex that allowed hackers to bounce traffic off people running Plex servers with remote access to attack others.
@NicoKnowsTech It is definitely a sophisticated attack. Weeks on followed by weeks off. Hundreds of submit attempts with impossible (long) fantasy user names, followed by submit attempts using possibly real user accounts, like "sales" or "info". There seems to be an element of exhaustion about it, but since our defenses are fully automated, ours never get tired and never let their guard down. It is just that in the process we have now firewalled off some 10% of US domestic internet connections, knowing full well that they are not the source of the attacks. But we need potsies on the internet just as much as we do hackers (not), so we are fine denying them access to our systems. Since our physical efforts to effectively block these attacks are zero, we figure "they" will give up before we do.
I got one fixing someone's PC. It was some weird Chinese thing that embedded itself into the motherboard itself, and it was unfixable. By the time I realised, I had used a USB drive in it and used it on another PC. Lost both PCs and the USB. As soon as they hooked up to the internet... fresh install, new drive, BIOS update, and nothing stopped it. As soon as I went online, it would take me to a Chinese website and start installing whatever it wanted. I've never seen anything like it in my 35 years of fixing, selling and giving PCs away.
OK now I am really scared...
Understandable. What antivirus do you use?
@NicoKnowsTech Avast Free Antivirus.
Or you can buy a new BIOS chip, program it in another PC, then remove the infected BIOS chip with hot air, then solder on the new chip with the new BIOS...
True facts.
Just don't update the BIOS from dodgy sites or apps. Self-inflicted if you get this. Can it actually molest the HDD?
I wish that was true.
I'm fighting with this monster virus. Any method to remove this rootkit without reflashing the BIOS?
Which bios virus do you have? What did ESET come back with after the scan?
Did you find a solution?
Swap the mobo, mate 😂 You can also replace the UEFI chip, no need to replace the whole board.
These UEFI rootkits have nothing to do with BIOS.
You're 100% correct. Due to the fact that the majority of viewers are unfamiliar with the acronym "UEFI" I had to occasionally use BIOS and UEFI interchangeably, but you are right. The only thing linking BIOS to UEFI is the SM_BIOS (aka SPI flash) chip used.
Many also call the firmware setup program "BIOS", which is also wrong. BIOS == Basic Input/Output System. In the context of IBM PC compatible computers it means the software interrupt driven API that is loaded from the ROM chip of the motherboard when the computer boots. It is thanks to the BIOS that writing own operating systems for IBM PC compatible computers is so easy. Sadly UEFI makes everything much harder. Because UEFI does not have runtime services, the operating system has to have drivers for every possible I/O device, which is not possible for indie operating system developers, for obvious reasons. There are only two known viruses that actually corrupt the BIOS chip and they only work on specific motherboard models. BIOS is so small that there is simply not enough space for any sophisticated viruses. UEFI is a different thing, because a typical UEFI ROM is something between 32 and 128 megabytes in size. x86 compatible CPUs always begin the execution from memory address FFFF:FFF0 (that address always has the contents of the ROM chip) and usually in that address there is a far jump to the actual bootstrap code. All the virus needs to do is to save its own code to somewhere in the ROM chip (with UEFI there is always plenty of free space available) and replace the destination address of that far jump with the beginning address of the virus code.
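The last sentences of the comment above describe the oldest firmware-hooking trick there is: leave the body of the ROM alone, park code in erased space, and repoint the jump at the reset vector so the implant runs first and then chains to the real entry. The script below is an added example, not from the video or the commenter, that decodes that jump from the top 16 bytes of a 16-bit image and compares the target with the entry recorded from a known-good copy. It assumes the legacy real-mode view the comment uses (image of 64 KiB to 1 MiB mapped so its last byte is at linear 0xFFFFF, far jump encoded as `EA off16 seg16`, near jump as `E9 rel16`); modern chipsets map the whole SPI flash below 4 GiB and UEFI boot blocks differ, but the check itself is the same. The images and the entry offset 0xE05B are constructed for the demo.

```python
"""Decode the x86 reset-vector jump at the top of a legacy 16-bit BIOS image and
compare it with the entry point recorded from a known-good image.

Added example, not from the video or the thread. Assumptions: the image is
64 KiB..1 MiB and mapped so that its last byte sits at linear 0xFFFFF (the
F000:FFF0 view described in the comment above). The images are constructed.
"""
import struct
from typing import Optional, Tuple

RESET_IP = 0xFFF0            # reset vector = last 16 bytes of the top 64 KiB segment
MIB = 0x100000


def reset_vector_target(image: bytes) -> Tuple[str, Optional[int]]:
    """Return (jump kind, image offset the reset vector transfers control to)."""
    if not 0x10000 <= len(image) <= MIB:
        raise ValueError("image must be 64 KiB .. 1 MiB")
    base = MIB - len(image)                   # linear address of image[0]
    rv = image[-16:]
    if rv[0] == 0xEA:                         # JMP ptr16:16  (EA off16 seg16)
        off, seg = struct.unpack("<HH", rv[1:5])
        linear = ((seg << 4) + off) & 0xFFFFF
        return "far", (linear - base if linear >= base else None)
    if rv[0] == 0xE9:                         # JMP rel16: stays inside the top 64 KiB
        rel, = struct.unpack("<h", rv[1:3])
        ip = (RESET_IP + 3 + rel) & 0xFFFF
        return "near", len(image) - 0x10000 + ip
    return "other", None


def check_reset_vector(image: bytes, expected_offset: int) -> dict:
    """Compare the decoded target with the entry point of the known-good image."""
    kind, target = reset_vector_target(image)
    # A jump into erased space means the entry was moved (or the image is hollow).
    erased = target is not None and image[target:target + 16] == b"\xff" * 16
    return {"kind": kind, "target": target, "expected": expected_offset,
            "ok": target == expected_offset and not erased,
            "lands_in_erased_area": erased}


def sample_images() -> Tuple[bytes, bytes]:
    """Constructed 64 KiB images: a clean one and one with a redirected reset vector."""
    entry = 0xE05B                                         # constructed POST entry offset
    clean = bytearray(b"\xff" * 0x10000)
    clean[entry:entry + 2] = b"\xfa\xfc"                   # cli; cld  (stand-in POST code)
    clean[RESET_IP:RESET_IP + 5] = b"\xea" + struct.pack("<HH", entry, 0xF000)
    # The implant parks its code in erased space and chains back to the real entry,
    # exactly the pattern the comment above describes.
    implant = 0xC000
    tampered = bytearray(clean)
    tampered[implant:implant + 16] = b"\x90" * 16           # stand-in implant body
    tampered[implant + 16:implant + 21] = b"\xea" + struct.pack("<HH", entry, 0xF000)
    tampered[RESET_IP:RESET_IP + 5] = b"\xea" + struct.pack("<HH", implant, 0xF000)
    return bytes(clean), bytes(tampered)


if __name__ == "__main__":
    clean, tampered = sample_images()
    for label, img in (("clean", clean), ("tampered", tampered)):
        print(label, check_reset_vector(img, expected_offset=0xE05B))
```

The value of the check is that it needs no signature for the implant: it only asks whether the first instruction executed after reset still goes where the vendor image says it should, which is also why a byte-for-byte diff of a programmer dump against the release image (as other commenters suggest) catches this class regardless of how the payload was modified.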
Malwarebytes protects against and prevents LoJax. It worked for a friend of mine; it protected and removed LoJax from his laptop.
When was this? I am on the team that tracks reported cases of Lojax infection.
The reason I ask is because Malwarebytes has made it very clear to us that they have no intention of adding UEFI firmware scanning capability to their products.
@NicoKnowsTech A few days ago, and Malwarebytes told me on Facebook they protect from LoJax.
Meanwhile Linux users ROTFLOL because most home installations of Linux happen with secure boot disabled but nobody gets "in-feck-ted with... Lo-Jax"‼️🤣😂
I love Linux and run it on most of the boxes in my home. Linux machines get infected a lot as well... just by more complex rootkits. We were breaking linux yesterday with a new rootkit. Impressive capabilities.
"dangerous"
A _hardware_ virus, I presume. If they can access the BIOS chip, they can BRICK your motherboard, yes? 🥶 Just for insurance purposes, where can I get a replacement BIOS chip for an ASUS TUF B450M PLUS Gaming board, in the event I get bricked? 🤢
They are pretty reasonable and available on the reseller market. If you have experience in soldering electronics it's a quick fix. www.ebay.com/itm/BIOS-CHIP-ASUS-PRIME-B450-PLUS-/303745464248?_ul=IN
The TUF model: www.ebay.com/itm/303745448939?mkcid=16&mkevt=1&mkrid=711-127632-2357-0&ssspo=CH4h2E-lQIC&sssrc=2047675&ssuid=&widget_ver=artemis&media=COPY
@NicoKnowsTech EXCELLENT! 😁 I didn't think eBay sold loose BIOS chips! 👍
Ummm... UEFI exists on the boot drive. BIOS exists on the motherboard. For UEFI-based systems, BIOS initially runs, searches drive storage for UEFI, then passes control to it. UEFI can be cleanly re-written easily enough by someone who knows how. BIOS, well, if it is overwritten maliciously, good luck with that. UEFI still depends on BIOS. But it lives on a drive, not the motherboard. Now you may have an embedded drive on the motherboard, but it is still basically an SSD, a writable drive. As long as you can boot to an external drive (such as a USB Windows 10 installer, for example) you can just rewrite the EFI partition where "UEFI" lives. Obvi, not for most end-users. Most techs don't know this either, and there is a lot of disinformation out there. I have yet to find one I can't just rewrite. However scaled-down though, (U)EFI relies on BIOS of some sort to get going. An infected BIOS may not let you re-write the BIOS. Up to the rules put into it. Here's a decent article. But don't believe the hype about (U)EFI "being on the motherboard." Even if it is, it is still on a writable drive. www.computerworld.com/article/2826910/goodbye-bios--hello-uefi.html
Mmm... almost completely correct. UEFI is stored in non-volatile memory on the motherboard and is capable of directly loading the operating system from the hard drive. This is necessary for features such as Secure Boot to function.
@NicoKnowsTech I think you are referring to the SoC firmware bootloader(s). This seeks out the EFI partition on a drive. Whether that drive is "embedded" or "attached" is immaterial. It shows as a drive, and if an EFI partition is found at the correct location, then passes control to the mini-OS located in the EFI partition. Secure Boot is checked previous to this handover to the EFI OS (if enabled). A hash is taken from the drive to be compared to a hash stored in the TPM module, which is actually a tiny, very specialized computer that is at least theoretically isolated from the rest of the computer, logically. The TPM may be embedded, actually soldered to the motherboard, or it may be removable as a physical unit. In either case, most of the TPM exists on its own chip, although some CPUs actually have the TPM physically embedded within the CPU (though still theoretically logically isolated as a separate, tiny, specialized computer). Previous to the handover to the EFI OS, yes, it is under control of something that is part of the UEFI spec. Saying it lives in NVRAM is no different than saying the BIOS lives in NVRAM, the EFI partition, or the main OS (i.e. Windows or Linux, for example). Unless you are running on antiquated mechanical drives, or a phonograph, you are running on NVRAM of some sort or another. In any case, the SoC only contains the bare essentials for finding, validating, and transferring control to EFI. EFI contains more elaborate drivers needed for various tasks, and ultimately transfers control to a larger OS (i.e. Windows 10, PE, RE, Linux) regardless of media type, only limited by the drivers contained in EFI. This lives on a drive.
Is this the same as LogoFail?
The legend Nico Knows Tech with another upload. Keep up the great work, champ!
Thanks Mark! You're such an awesome subscriber and supporter. You keep me motivated.
gears of war virus
I can't remove my hackers, please help.
Thought you called the FBI 🤥
But, how is the virus getting in the bios?
Combination of DXE drivers, a valid certificate, RWEverything and the hardware compatibility of LoJack being exploited.
@NicoKnowsTech If your BIOS is write-protected, is this still a thing?
Depends. If it's a desktop I would say yes potentially. If it's a laptop then no.
👌👌
This looks like BlackLotus to me.
Precisely. We are getting to that soon.
THIS SHIT IS WORSE THAN FATE 💀
Pretty much
Oh damn!!! This is actually good to know!... I love you Daddy ;) When are we playing again ;) Leo!
Thanks! We should game soon!
@NicoKnowsTech Well, I'm planning on doing Rust... forced wipe and all that!! Not sure what server though!...
@LeoElla79 Tell me when and where!
This has been well done on my system... So I understand that it is hard to repair (unfortunately not, I won't be able to). Just flashed the BIOS, no luck. Thing is... if they get into my BIOS, how can I know if all the other components, such as GPU, CPU... get these kinds of scripts/malware? Fuck me. Any suggestion will be appreciated.
Scan with ESET. If it comes back no results there, then you do not have one of these.
@NicoKnowsTech Oh my man... appreciate that. I'm going to try it. Thank you.
@NicoKnowsTech Hello. Well, the ESET scan doesn't show any bad results on the whole system. Does the ESET scan show if the BIOS is corrupted too?
This was cool until the dude said the only thing you can do is replace the motherboard, and that can get expensive. Like, OK, this made this lame AF.
Nico, I have a friend that's been trying to reach you, but his malware actors block all communications that can help him. If I hear back from you I'll give you his contact info or his mother's.
Okay.
Guys, what does she do exactly??
In school, we learned that BIOS is ROM, which means it's read-only. No one can modify it. Since when did the ROM become RAM?
I try to avoid making absolute statements. I would argue that if it is truly read-only, then how was it programmed and how is it ever updated?
Well... BIOS is stored on a chip. That chip contains memory. That memory doesn't have to be read-only. "ROM" has a number of different implementations, but is generally only intended to be written to once. But there is no limitation preventing manufacturers from using re-writable memory, and generally it is better that it is writable so it can be updated. Sometimes for features, sometimes to eliminate security exploits. How that is protected is completely dependent on the manufacturer. Way back when, ROM was the only option, which is where that idea came from. True ROM is basically baked in and can only be written to one time, then is read-only from there onward. But usually this is not the case anymore. Once EFI came around (and then UEFI), this model moved most of the "firmware" to the (or a) boot drive. But even BIOS-only systems have been re-writable for the most part for years, even decades. But all of that is up to whoever designs and/or manufactures the individual system. There is no specific point in time when the shift from ROM to writable memory suddenly became a thing. It's been a gradual shift in the industry since the Windows 98 era and before. But it is not RAM. RAM loses its contents shortly after power is cut. Generally it's referred to as Non-Volatile RAM (NVRAM), but there are many possible implementations of this. For example, solid-state drives. Likewise, the actual chips in an SSD have different kinds of NVRAM, but the idea is the system doesn't actually care about that; it just sees a drive that it talks to the same as any mechanical drive. But BIOS is not necessarily like that; it is seen as a block of memory, not necessarily partitions and so forth. But so can your mechanical drive and/or SSD be accessed this way, and on some level _is_ accessed this way, as a chunk of "memory". Just not as RAM. But inversely, RAM was a popular way to make fast drives you could boot from, like an SSD. But they had to maintain power, as once a RAM drive loses power, it loses its contents. Because RAM is volatile. TL;DR Gradually, over time.
Hey Nico! I hope you respond to this. I tried running Tronscript on my Windows 11 computer through your video. This one: kzhead.info/sun/oMx-pNSjbZqFpZs/bejne.html It worked very well and fixed some problems that I'd had before. But later I noticed that Windows Update is not working and I also cannot download any apps from the Microsoft Store. I've looked everywhere for a solution but couldn't fix the issue. I think you're the one who can help me. Please do respond! I'd much appreciate it. Thanks!