New bootkit can bypass Windows protection

Few CISOs worry about Unified Extensible Firmware Interface (UEFI), a technology built into motherboard chips to help secure the loading of an operating system.

It’s a tempting target for threat actors but until now, only one UEFI bootkit that persists in the EFI System Partition (ESP) has been seen.

However, researchers at ESET have discovered a new one, which, they say in a report, could have been used by a threat actor since 2012 for espionage.

Dubbed ESPecter. it bypasses Windows Driver Signature Enforcement to load its own unsigned driver. It originally used Master Boot Record (MBR) modification for persistence, before moving to attack to modern UEFI systems.

“By patching the Windows Boot Manager, attackers achieve execution in the early stages of the system boot process, before the operating system is fully loaded,” say the researchers. “This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup. This driver then injects other user-mode components into specific system processes to initiate communication with ESPecter’s C&C (command and control) server and to allow the attacker to take control of the compromised machine by downloading and running additional malware or executing C&C commands.”

Even though Secure Boot stands in the way of executing untrusted UEFI binaries from the ESP, says the report, over the last few years ESET has seen various UEFI firmware vulnerabilities affecting thousands of devices that allow disabling or bypassing Secure Boot. “This shows that securing UEFI firmware is a challenging task and that the way various vendors apply security policies and use UEFI services is not always ideal.”

The ESET report follows the release of a report in September by Kaspersky about the discovery of a UEFI bootkit that loads the FinSpy/FinFisher/Wingbird surveillance toolkit.

ESET isn’t sure how the operator of ESPecter disables Windows Secure Boot. One possibility is the attacker has physical access to the computer and manually disables Secure Boot in the BIOS setup menu. Another is that Secure Boot was already disabled on the compromised machine (for example, the user might dual-boot Windows and other OSes that do not support Secure Boot).

To fight threats similar to the ESPecter bootkit, ESET recommends IT managers ensure all computers

  • use the latest firmware version;
  • are properly configured and Secure Boot is enabled;
  • proper privileged account management is used to help prevent adversaries from accessing privileged accounts necessary for bootkit installation.


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now