Security researchers from ESET (known for their popular NOD32 Antivirus) have found a frightening new rootkit called LoJax which is capable of infecting the UEFI firmware itself. This means that no antivirus product available today will be able to remove the infection. This UEFI infection cannot be removed by simply replacing the hard drive or reinstalling the operating system. The only two ways to remove this UEFI rootkit are to reflash the UEFI firmware or, if flashing is not possible, to replace the motherboard itself.
According to ESET security researchers, you can protect your computer’s UEFI firmware using a simple method – by enabling the Secure Boot option in the UEFI settings in the following manner:
- First of all, make sure that you are using UEFI and not the legacy BIOS to boot into the Windows operating system. For this, you can download and run a small program I have quickly put together called DetectFirm. It will show whether your computer is using legacy BIOS or UEFI mode. If you are using BIOS mode, then there is no need to make any changes.
- If you are using UEFI mode to boot into Windows, reboot your PC and press F2 or F10 repeatedly at boot in order to enter the UEFI options screen. Make sure that legacy compatibility mode is disabled and that a password protects the UEFI options; only then switch to the Security section and enable the Secure Boot option. After this, press F10 to save and reboot your PC.
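If you would rather check the two preconditions above from Windows itself, the following added PowerShell script (my own example, not the DetectFirm tool or ESET code) reports the firmware mode and the Secure Boot state. It assumes Windows 8 or later, where Windows sets the `firmware_type` environment variable and provides the `Confirm-SecureBootUEFI` cmdlet, which needs an elevated prompt.

```powershell
# Added example: report firmware boot mode and Secure Boot state on Windows,
# so you know whether the Secure Boot steps above apply to this machine.
# Assumes Windows 8+; Confirm-SecureBootUEFI must run as Administrator.

function Get-FirmwareProtectionStatus {
    # Windows sets $env:firmware_type to "UEFI" or "Legacy" at boot.
    $mode = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    $secureBoot = 'n/a'
    if ($mode -eq 'UEFI') {
        try {
            # Returns $true/$false; throws on legacy BIOS or without elevation.
            $secureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
        } catch [System.PlatformNotSupportedException] {
            $secureBoot = 'Unsupported by firmware'
        } catch {
            $secureBoot = "Could not query (run as Administrator?): $($_.Exception.Message)"
        }
    }

    # Map the findings onto the steps described in the post.
    if ($mode -eq 'Legacy') {
        $action = 'Legacy BIOS boot: no Secure Boot change needed'
    } elseif ($secureBoot -eq 'Disabled') {
        $action = 'UEFI boot with Secure Boot off: enable it in the UEFI Security section'
    } elseif ($secureBoot -eq 'Enabled') {
        $action = 'UEFI boot with Secure Boot on: keep the UEFI setup password in place'
    } else {
        $action = 'Undetermined: re-run from an elevated PowerShell prompt'
    }

    [pscustomobject]@{
        FirmwareMode = $mode
        SecureBoot   = $secureBoot
        Action       = $action
    }
}

Get-FirmwareProtectionStatus | Format-List
```

Note that a Secure Boot "Enabled" result only confirms the firmware setting; it does not scan the SPI flash, so an already-infected system still needs the firmware reflash described below.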
However, if LoJax has already infected your system, you can still remove it by flashing the UEFI with the latest firmware available from your computer or motherboard manufacturer. But flashing of UEFI or BIOS firmware should always be done by experienced users. If you have never done this, you should consult PC repair experts to do it for you.
You can read more about the LoJax rootkit in ESET’s whitepaper at https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax-1.pdf.