LightEater malware attacks uEFI BIOSes
I've been wondering about UEFI BIOSes myself for a while now. Sure, they look and work great, but a UEFI BIOS is an OS on its own, and as such rather vulnerable. At the security conference CanSecWest, security researchers Corey Kallenberg and Xeno Kovah revealed that even an unskilled person could use an implant called LightEater to infect a vulnerable system in mere moments.
An unpatched BIOS can easily be infected with malware or a virus. Motherboards from companies like Gigabyte, Acer, MSI, HP and Asus are at risk, especially if you are not updating your BIOS on a regular basis to the latest revision (and let's be frank here, who does?).
As betanews writes on the topic, introducing the vulnerability, Kallenberg and Kovah said:
So you think you're doing OPSEC right, right? You're going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn't care! BIOS malware doesn't give a shit!
The malware can be used to infect huge numbers of systems by creating SMM (System Management Mode) implants which can be tailored to individual BIOSes with simple pattern matching. A BIOS from Gigabyte was found to be particularly insecure.
We didn't even have to do anything special; we just had a kernel driver write an invalid instruction to the first instruction the CPU reads off the flash chip, and bam, it was out for the count, and never was able to boot again.
The vulnerability is something that has already been exploited by the NSA, but the researchers are encouraging businesses and governments to take the time to install BIOS patches that plug the security hole.
Senior Member
Posts: 25214
Joined: 2007-08-23

Even without digital signing the image had to be original, meaning oproms can be inserted but nothing modified/injected (my understanding at least).
But EEPROMs programmed with Aptio V (X99) are now signed with an AMI keycode.
In order to flash a malicious image you would quite literally need to be standing at the machine with a hardware SPI flasher in your hand.
So yeah...I think we can relax for now. lol
Senior Member
Posts: 13042
Joined: 2003-05-11
Same here, I'm still running the 1004 BIOS on mine; there's 2x newer, but it's working fine.
Senior Member
Posts: 1443
Joined: 2014-07-22
Hi guys, sorry, I am really a noob to this UEFI and new systems. I didn't build this system, and didn't install the main OS either. Have Win7 and Win8.1 (installed later) dual boot. Asus Z87-Deluxe with 1405 BIOS.
I looked in msinfo32 and found only 2 lines about BIOS.


And I went to the BIOS and searched for the Secure Boot option; it was saying "Enabled", and Security Key "Loaded" (not sure of the exact option name). Both options grayed out. And below there is another option that takes me to KEY options.
Am I safe now?
Thanks.
Edit: learned how to take a BIOS screenshot, so here are the images of those options.
And I saw that my main SSD Win7 OS is not labeled as UEFI at the main BIOS screen. After inserting my USB stick I saw the UEFI label on it, but not on the main SSD.
http://i.imgur.com/oZcdeoL.png
http://i.imgur.com/B1xZz9m.png
http://i.imgur.com/klSBJbD.png
UEFI really didn't take off until a good while after Win7 shipped, and from what you say here it appears you have a standard BIOS and do not have a UEFI system. (Pay no attention to the UEFI markings on your USB stick--that's just advertising...)

Chances of ordinary people running into something like this even with a standard BIOS are very remote. This is the kind of thing you see in a targeted attack, usually espionage at the corporate level. But even there it is not at all common--at least as far as detection goes...
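For readers asking the same "am I on UEFI, is Secure Boot on, and how old is my BIOS?" question as the post above, here is an added PowerShell check (not something posted in this thread). It assumes Windows 8 or later with PowerShell 3+ and an elevated session; on Windows 7, or on a machine booted in legacy BIOS mode, the Secure Boot cmdlet is not available and the script reports that instead of failing. The BIOS version and date it prints are what you compare against the vendor's download page to decide whether an update is due.

```powershell
# Added example, not from the thread: summarise firmware mode, Secure Boot
# state and BIOS version/date on a Windows 8+ machine.
# Run from an elevated PowerShell session (Confirm-SecureBootUEFI needs it).

function Get-FirmwareReport {
    # Win32_BIOS carries the SMBIOS version string and release date that
    # msinfo32 shows in its "BIOS Version/Date" row.
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Windows 8 and later set $env:firmware_type to "UEFI" or "Legacy".
    # Windows 7 does not set it at all, so report "Unknown" there.
    $mode = 'Unknown'
    if ($env:firmware_type) { $mode = $env:firmware_type }

    # Confirm-SecureBootUEFI throws on legacy-BIOS boots and on Windows 7;
    # treat that as "not available" rather than as an error.
    $secureBoot = 'Not available (legacy BIOS boot or unsupported OS)'
    try {
        if (Confirm-SecureBootUEFI) { $secureBoot = 'Enabled' }
        else                        { $secureBoot = 'Disabled' }
    } catch {
        # leave the "not available" message in place
    }

    [pscustomobject]@{
        Manufacturer = $bios.Manufacturer
        BiosVersion  = $bios.SMBIOSBIOSVersion
        BiosDate     = $bios.ReleaseDate
        FirmwareMode = $mode
        SecureBoot   = $secureBoot
    }
}

Get-FirmwareReport | Format-List
```

A dual-boot box like the one in the post can report "UEFI" from one installed OS and "Legacy" from the other, since firmware mode is a property of how each OS was installed and booted, not of the board; run the check from the OS you actually care about. Secure Boot only ever applies to a UEFI boot, so "Not available" on the Win7 side is expected.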

Senior Member
Posts: 22472
Joined: 2008-07-14
I wasn't worried anyway. They made a huge deal about "BIOS virus" more than a decade ago, and how many were actually found "in the wild" since then? The only ones I know were created by "security" companies and never released onto the web. They also required physical access to the system.
Senior Member
Posts: 8890
Joined: 2010-08-28
Mine (F10) is from September 5th 2014 which is the latest.
Guess it needs an update as well.