What is LoJax virus?

Computer viruses are a serious threat to computers these days. Companies spend billions of dollars every year to make their products as secure as possible, yet consumers and companies still lose billions to damage caused by viruses and trojans. Continuous effort is needed to reduce vulnerability, and replacing the BIOS with the comparatively more secure UEFI is one such step. However, security researchers have now discovered the first major UEFI rootkit, known as “LoJax”. In this post, we will share everything you need to know about this rootkit, along with some tips you can use to keep your computer safe from it.

The basics

Before we get into the details, it helps to know the difference between the two terms BIOS and UEFI. BIOS stands for Basic Input/Output System and UEFI stands for Unified Extensible Firmware Interface. Both are specifications for the firmware that sits between a computer’s hardware and its operating system, initializing the hardware and handing control to the OS. BIOS is quite old and you still find it on many computers; UEFI is the newer standard and is slowly displacing BIOS. We have covered UEFI in detail in a separate post that explains everything you need to know about it.

Why is the virus named “LoJax”?

ESET researchers discovered this rootkit and named it “LoJax” because it reuses part of LoJack. LoJack is anti-theft software that lets users track a computer’s location. Its developers designed LoJack so that it keeps working even if the user reinstalls Windows or replaces the hard drive, both of which are common practice among thieves. The researchers also believe that LoJax was created by the Sednit group, which is also known by names such as Fancy Bear, APT28, STRONTIUM, and Sofacy.

Fact: LoJax isn’t the first UEFI rootkit seen in the wild. In 2015, the Hacking Team company was found to be using a UEFI/BIOS rootkit to keep its Remote Control System spyware installed on its targets’ systems.

How does LoJax affect the UEFI?

Security researchers at ESET explained how LoJax works at a conference, where they said they found three different tools on the victims’ computers. The three tools do the following:

  • The first tool gathers system settings and dumps them into a text file.
  • The second tool reads the contents of the computer’s Serial Peripheral Interface (SPI) flash memory, where the UEFI firmware is stored, and saves the contents to a file as a firmware image.
  • The third tool embeds the malicious LoJax UEFI module into that saved image and then writes the modified firmware image back into the SPI flash memory.
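The attacker’s second and third tools dump the SPI flash and write a modified image back. The defensive counterpart is to dump your own firmware image and compare it byte for byte against a known-good baseline of the same firmware version (for example, an image captured from a freshly updated, clean machine of the same model). The script below is an added example written for this post, not ESET’s tooling or anything from the LoJax analysis; it assumes you already have both images as raw files, and the sample images it uses are constructed in memory so it runs offline.

```python
"""Compare a fresh SPI-flash (UEFI firmware) dump against a known-good
baseline image and report where the two differ.

Added example for this article, not ESET's tooling. It assumes two raw
firmware images of the same firmware version: a baseline from a clean
system and a current dump from the machine under review. The sample
images at the bottom are constructed so the script runs offline.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a whole image, for a quick identical/not-identical check."""
    return hashlib.sha256(data).hexdigest()


def differing_ranges(baseline: bytes, current: bytes, gap: int = 16) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where the two images differ.

    Differing bytes closer than `gap` bytes apart are merged into one range, so
    a modified module shows up as one region rather than hundreds of single
    bytes. A size mismatch is reported as a final range covering the extra tail.
    """
    ranges: List[Tuple[int, int]] = []
    common = min(len(baseline), len(current))
    start = None       # first offset of the region currently being tracked
    last_diff = None   # most recent differing offset
    for i in range(common):
        if baseline[i] != current[i]:
            if start is None:
                start = i
            elif i - last_diff > gap:
                # Too far from the previous difference: close the old region.
                ranges.append((start, last_diff + 1))
                start = i
            last_diff = i
    if start is not None:
        ranges.append((start, last_diff + 1))
    if len(baseline) != len(current):
        ranges.append((common, max(len(baseline), len(current))))
    return ranges


def audit_dump(baseline: bytes, current: bytes) -> Dict[str, object]:
    """Summarise the comparison: hashes, whether identical, and changed regions."""
    b_hash, c_hash = sha256_hex(baseline), sha256_hex(current)
    report: Dict[str, object] = {
        "identical": b_hash == c_hash,
        "baseline_sha256": b_hash,
        "current_sha256": c_hash,
        "changed_regions": [],
    }
    if not report["identical"]:
        report["changed_regions"] = differing_ranges(baseline, current)
    return report


# --- constructed sample data (placeholders, not real firmware) ---
BASELINE_IMAGE = bytes(range(256)) * 16          # 4 KiB stand-in for a clean image
TAMPERED_IMAGE = bytearray(BASELINE_IMAGE)
TAMPERED_IMAGE[0x400:0x420] = b"\xAA" * 0x20     # 32 bytes overwritten, like an injected module

if __name__ == "__main__":
    rep = audit_dump(BASELINE_IMAGE, bytes(TAMPERED_IMAGE))
    print("identical:", rep["identical"])
    for start, end in rep["changed_regions"]:
        print(f"changed region: 0x{start:X}-0x{end:X} ({end - start} bytes)")
```

On a real machine, replace the constructed images with the two dump files (`open(path, "rb").read()`). Expect some legitimate differences inside the NVRAM variable store, which changes during normal operation; a changed region inside a firmware volume that holds DXE drivers, or a dump whose hash does not match the vendor’s update image for that version, is what warrants contacting the manufacturer.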

How to protect your computer against LoJax?

There are many steps you can take to protect your computer against LoJax and other kinds of cyber-attacks. The following are some of the most effective ones against LoJax.

  • If your computer has UEFI, we recommend enabling the Secure Boot mechanism, which ensures that only validated system components load at boot time. Since the LoJax module is not signed, Secure Boot acts as your first line of defense against it.

  • Make sure that your computer’s motherboard is running the latest firmware from the manufacturer. Applying the manufacturer’s firmware update helps protect your computer against LoJax.

  • If you want maximum protection, we recommend replacing your motherboard with a current-generation one, as LoJax only affects older chipsets. However, make sure to check the compatibility of the new motherboard with the rest of your computer’s hardware.

  • LoJax is designed for high-value targets, so it is unlikely to be a threat to you unless you keep high-value data on your computer.

What should you do if your computer is infected with LoJax?

If your computer is infected with LoJax, there are two things you can do right now to remove the infection. The first is to reflash the SPI flash memory where the UEFI firmware is stored, since that is the memory LoJax modifies. The process is complex and varies from one motherboard to another, so we recommend contacting your manufacturer and asking for help. The second option is to replace your motherboard; as we said before, make sure to check the compatibility of the new motherboard with your computer’s hardware.

Can I remove the LoJax by reinstalling the OS and replacing the HDD?

LoJax works similarly to LoJack, so it is impossible to remove LoJax by reinstalling the OS or replacing the hard drive. The only way to remove LoJax is to follow the steps described in the section above.

Conclusion: Scan your computer

LoJax is not like other viruses: where they can be removed by conventional means, LoJax, by the Sednit group, is in a league of its own. You can use good malware removal software such as SpyHunter, which has a built-in UEFI scanner that will tell you whether your computer is infected. If it is, follow the steps in this guide to remove LoJax. Also, make sure to enable the Windows Firewall and other security measures to protect your computer against other threats.