18-year-old SMM flaw lets hackers plant firmware on AMD CPUs

Tech Read Team

Understanding the Threat of Low-Level Malware Implants

An attacker who successfully runs malicious code within System Management Mode (SMM) can potentially inject a persistent malware implant into the Unified Extensible Firmware Interface (UEFI). Whether this infiltration succeeds depends on the platform’s configuration: newer protective features such as AMD’s ROM Armor act as a barrier to unauthorized access to the SPI flash memory where the UEFI is stored.

While ROM Armor and other security mechanisms like Platform Secure Boot aim to safeguard the UEFI environment, not all computers are equipped with these defenses. In the absence of such protections, attackers can exploit vulnerabilities to bypass Secure Boot, a security feature intended to verify the integrity of the operating system boot process by permitting only signed bootloaders to run.

By circumventing Secure Boot, attackers can introduce a boot-level rootkit, known as a bootkit, which executes before the operating system kernel initializes. This clandestine infiltration allows attackers to assume control of the entire system, enabling them to conceal processes and files from conventional endpoint security solutions operating at the OS level.
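
As a defender-side check of whether a Linux host is actually enforcing Secure Boot, the following added example (not from the original article) reads the standard UEFI `SecureBoot` and `SetupMode` variables through efivarfs. It assumes the usual `/sys/firmware/efi/efivars` mount; the state names are illustrative, and the result says nothing about ROM Armor or Platform Secure Boot.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Assumption: efivarfs is mounted at its usual Linux location.
EFI_DIR = Path("/sys/firmware/efi")
EFIVARS = EFI_DIR / "efivars"


def parse_efivar_byte(raw):
    """efivarfs layout: 4-byte little-endian attributes, then the data.
    Returns (attributes, value) for a one-byte variable, None if malformed."""
    if raw is None or len(raw) != 5:
        return None
    return struct.unpack("<IB", raw)


def secure_boot_state(secure_boot_raw, setup_mode_raw, uefi_present=True):
    """Classify the boot policy from the raw variable contents.
    State names are illustrative labels chosen for this example."""
    if not uefi_present:
        return "legacy-bios"      # no UEFI runtime, so no Secure Boot at all
    sb = parse_efivar_byte(secure_boot_raw)
    sm = parse_efivar_byte(setup_mode_raw)
    if sb is None:
        return "unknown"          # variable missing or truncated
    if sm is not None and sm[1] == 1:
        return "setup-mode"       # no Platform Key enrolled, nothing enforced
    return "enforcing" if sb[1] == 1 else "disabled"


def read_var(name, root=EFIVARS):
    """Read one global UEFI variable; None if absent or unreadable."""
    try:
        return (root / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None


def local_state():
    """Evaluate the machine this script runs on."""
    return secure_boot_state(read_var("SecureBoot"),
                             read_var("SetupMode"),
                             uefi_present=EFI_DIR.is_dir())


if __name__ == "__main__":
    print(local_state())
```

Any result other than `enforcing` means unsigned bootloaders are not being rejected on that host.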
