LoJax Malware Continues to Operate 8 Months After Discovery

The conventional wisdom with malware is that you can kill it once and for all by wiping a system and starting from scratch. However, a particularly clever piece of surveillance software tied to the Russian government appears much more resistant. Even replacing drives won’t kill LoJax, which appears to still be operating more than eight months after researchers from Arbor Networks detailed the malware.
Usually, malware becomes of little use once security experts uncover it. LoJax is almost invulnerable, though. It’s common for one piece of malicious software to include components from one or more past malware variants. However, LoJax has a unique origin that makes it incredibly tough to combat.
First detected in 2018, LoJax is a modified version of the commercial LoJack anti-theft software developed by Absolute Software. Specifically, LoJax uses a release from 2008, when the software was known as Computrace. This is a legitimate piece of software that integrates with the UEFI firmware of a computer to help the owner recover it in the event it’s stolen. Even if a thief swaps in a new hard drive, the software reasserts itself from the motherboard firmware. That’s great if you want your laptop back, but it’s also perfect for a sophisticated hacking operation.
The original Arbor Networks report on LoJax pointed the finger at Fancy Bear, a hacking group tied to Russian military intelligence (the GRU). Fancy Bear was also implicated in the firmware exploit that hit routers last year. LoJax uses most of the components from LoJack, but it connects to command-and-control servers operated by Fancy Bear. The attackers can use the tool to monitor the computer with little risk of detection.

Arbor Networks has analyzed new samples of the LoJax trojan that indicate it’s still active. In fact, some of the same command-and-control servers are in use. This indicates efforts to combat the malware have largely failed. Because of the nature of LoJax, only sophisticated users will know they’ve been infected.
The report also details several domains connected to previously known IP addresses used by the malware. Both ntpstatistics[.]com and unigymboom[.]com point to control servers that connect to infected computers. More than a dozen more IP addresses and domains appear to be waiting in the wings, too.
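Because the implant lives in firmware, the practical way for most defenders to spot it is on the network: hosts resolving the control domains named above. The following added example (not from the article or the Arbor Networks report) scans constructed DNS query log lines for those two domains, including subdomains, and reports which client IPs should get a firmware check; the log format is assumed.

```python
import re
from collections import defaultdict

# C2 domains named in the report, written defanged as on the page.
LOJAX_C2_DOMAINS = ["ntpstatistics[.]com", "unigymboom[.]com"]

def refang(domain: str) -> str:
    """Turn a defanged indicator like 'example[.]com' into 'example.com'."""
    return domain.replace("[.]", ".").lower()

# Constructed sample DNS query log (hypothetical format:
# "<timestamp> <client_ip> query <qname>"); not real traffic.
SAMPLE_DNS_LOG = """\
2019-05-14T09:12:01Z 10.1.4.22 query time.windows.com
2019-05-14T09:12:05Z 10.1.4.22 query ntpstatistics.com
2019-05-14T09:13:40Z 10.1.7.9 query update.unigymboom.com
2019-05-14T09:14:02Z 10.1.4.22 query NTPSTATISTICS.COM.
2019-05-14T09:15:11Z 10.1.9.3 query example.org
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s*$")

def domain_matches(qname: str, c2_domain: str) -> bool:
    """True if the query is for the C2 domain itself or any subdomain of it."""
    q = qname.lower().rstrip(".")  # case-insensitive, ignore trailing root dot
    return q == c2_domain or q.endswith("." + c2_domain)

def find_c2_queries(log_text: str, indicators=LOJAX_C2_DOMAINS):
    """Return {client_ip: sorted C2 domains} for hosts that queried a known
    LoJax control domain; those hosts warrant a firmware integrity check."""
    c2 = [refang(d) for d in indicators]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname = m.groups()
        for d in c2:
            if domain_matches(qname, d):
                hits[client].add(d)
    return {ip: sorted(ds) for ip, ds in hits.items()}

if __name__ == "__main__":
    for ip, domains in find_c2_queries(SAMPLE_DNS_LOG).items():
        print(f"{ip}: {', '.join(domains)}")
```

A hit only tells you which machines to examine; confirming infection means dumping and verifying the SPI flash contents, not inspecting the disk.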
The only way to purge the malware is to wipe the hard drive and reflash the motherboard firmware, although it’s probably safer to just throw the hardware out. State-sponsored hackers probably have plenty more nasty tricks up their sleeves.