A rootkit is software used to give someone access to a PC without detection. ESET dubbed this particular instance LoJax (the only thing security researchers may like more than discovering new threats is giving them clever names) and said it's been found in systems in the Balkans, as well as Central and Eastern Europe. The company attributed LoJax to a hacking group known as Sednit, APT28, Fancy Bear and others. Some of those ought to sound familiar: the U.S. Department of Justice blamed the group for the Democratic National Committee (DNC) hack that occurred before the 2016 presidential election.

Fancy Bear's UEFI code works as a bodyguard for the counterfeit LoJack agent. At every reboot, the hacked chip checks to make sure that Windows malware is still present on the hard drive.

LoJax is very worrisome for two reasons: the sheer number of devices it could target and the difficulty associated with removing it from a system. The first problem results from the near-ubiquity of LoJack; it's easier to name a company with which Absolute Software hasn't partnered than to list all of the ones it has. The utility's website lists everyone from Apple and Microsoft to Acer and Toshiba as partners. Not all of these partners ship their laptops with LoJack pre-installed, but many of them do, and those devices could be at risk of being targeted by LoJax because of it.

Our device manufacturer partners embed Persistence technology into the BIOS or firmware of computers, netbooks, tablets, and smartphones during the. Absolute Persistence is probably already embedded in devices made by the world's leading manufacturers before they leave the factory.

"There are no easy ways to automatically remove such a threat from a system. In the case we described above: in order to remove the rootkit, the SPI flash memory needs to be reflashed with a clean firmware image specific to the motherboard. This is a delicate operation that must be performed manually. It is definitely not a procedure that most computer owners are familiar with. The only alternative to reflashing the UEFI/BIOS is to replace the motherboard of the compromised system outright."

There is an upside: ESET said the malware it discovered exploits a vulnerability in older chipsets that shouldn't be present in any motherboards using chipsets with an integrated Platform Controller Hub. But these problems are never limited to a single exploit. Remember when researchers didn't find a new problem with Intel's Management Engine every few months? Or when the Meltdown and Spectre vulnerabilities were unique? Now that one UEFI rootkit has been found in the wild, it's reasonable to expect that more will be discovered.

We reached out to Absolute Software to learn more. After seeing complaints that Microsoft accidentally let this rootkit function by making an exception in Windows' defenses for LoJack to use, we reached out to them too. We'll update this post if we hear back from either company. In the meantime, you can find ESET's full paper on LoJax here, and a blog post from Arbor Networks published in May offers more background information on LoJax.