Thesis Information

Chinese title: 一种UEFI rootkit的分析与定位尝试 (An Analysis and Locating Attempt of a UEFI Rootkit)

Author: 李红程 (Li Hongcheng)

Discipline: Information Security

Student type: Bachelor's

Degree: Bachelor of Engineering

University: 中国人民大学 (Renmin University of China)

School: School of Information

Major: Information Security

Primary supervisor: 梁彬 (Liang Bin)

Completion date: 2016-05-18

Submission date: 2016-05-18

Chinese keywords: UEFI rootkit; software clustering; analysis; locating method; detection
Chinese abstract:

The Hacking Team data leak exposed an instance of a UEFI rootkit. According to reports, this UEFI rootkit is extremely harmful: it gains control of the system before every boot of the operating system, and almost no anti-virus software can detect its presence. As a new form of rootkit it is unfamiliar to most people, and even information security practitioners lack a sufficient intuitive and theoretical understanding of its basic mechanism, let alone the ability to detect it effectively. In view of this situation, this thesis analyses the Hacking Team UEFI rootkit and attempts to locate it. In the analysis phase, I successfully implanted the UEFI rootkit on an experimental machine and gained a direct understanding of how it works and how harmful it is. By analysing the rootkit's source code, I found that the interactions between the rootkit modules and the target system's inherent UEFI modules are far fewer than those among the inherent modules themselves, and that the rootkit modules contain an excessive number of conditional statements. Based on these findings, this thesis proposes a UEFI rootkit locating method based on the idea of software clustering. The method clusters all modules in the UEFI firmware using the interactions between modules and the number of conditional statements in each module. I carried out locating experiments on 9 UEFI ROMs implanted with the rootkit. The results show that, out of a UEFI ROM containing hundreds of modules, the method can locate the rootkit modules within a cluster containing only a single-digit number of modules, greatly narrowing the detection scope and considerably advancing detection work against this rootkit.

Keywords: UEFI rootkit; software clustering; analysis; locating method; detection
English abstract:

Hacking Team's data leakage incident exposed a UEFI rootkit. According to some reports, this UEFI rootkit is extremely harmful: it gains control of the system every time before the operating system starts, and few anti-virus products can detect it. As a new form of rootkit, it is not well known to the public, and even information security practitioners lack both intuitive and theoretical knowledge of the rootkit's mechanism, let alone the means to detect it effectively. Considering the facts above, we analysed Hacking Team's UEFI rootkit and tried to locate it. In the analysis phase, we implanted the rootkit into an experimental machine and thus gained first-hand knowledge of the rootkit's mechanism and its harmfulness. After reviewing the rootkit's source code, we found that the interactions between the rootkit modules and the target system's inherent UEFI modules are much weaker than those between the inherent UEFI modules, and that the rootkit modules contain too many conditional statements. Based on this analysis, the thesis proposes a locating method inspired by software clustering to locate the UEFI rootkit. The method extracts the interactions between modules and the number of conditional statements in each module as clustering features, and divides all the modules into several clusters. Nine different kinds of UEFI ROM were used to evaluate the effectiveness of the method. The results show that, among hundreds of modules, the method is able to place the rootkit modules in a cluster containing only a single-digit number of modules. The method significantly narrows the detection scope, and thus considerably advances detection work against Hacking Team's UEFI rootkit.

Key words: UEFI rootkit; software clustering; analysis; locating method; detection
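The locating method that both abstracts summarise, worked through on toy data as an added example (not the thesis's own code): the module names, the interaction edge list and the conditional-statement counts are constructed, and single-linkage clustering with a distance cut-off is an assumed algorithm, since the abstract only names the two features it clusters on.

```python
"""Cluster firmware modules on two features: the number of other modules each one
interacts with and the number of conditional statements it contains. Added example, not
the thesis's code: names, edges and counts are constructed; single-linkage is assumed."""
from itertools import combinations
import math

# Constructed: pairs of modules that interact (one consumes a protocol the other produces).
INTERACTIONS = [
    ("DxeCore", "PciBusDxe"), ("DxeCore", "UsbBusDxe"), ("DxeCore", "ConSplitterDxe"),
    ("DxeCore", "DiskIoDxe"), ("DxeCore", "PartitionDxe"), ("PciBusDxe", "UsbBusDxe"),
    ("PciBusDxe", "DiskIoDxe"), ("DiskIoDxe", "PartitionDxe"), ("PartitionDxe", "FatDxe"),
    ("FatDxe", "DiskIoDxe"), ("ConSplitterDxe", "TerminalDxe"), ("UsbBusDxe", "ConSplitterDxe"),
    # UnknownA/B/C: constructed stand-ins for implanted modules, barely talking to the rest.
    ("UnknownA", "UnknownB"), ("UnknownB", "DiskIoDxe"), ("UnknownC", "UnknownA"),
]
# Constructed: conditional statements (if/switch) counted in each module's code.
CONDITIONALS = {
    "DxeCore": 40, "PciBusDxe": 35, "UsbBusDxe": 30, "ConSplitterDxe": 28, "DiskIoDxe": 22,
    "PartitionDxe": 24, "FatDxe": 32, "TerminalDxe": 20,
    "UnknownA": 80, "UnknownB": 75, "UnknownC": 70,
}

def feature_vectors(interactions, conditionals):
    """Return {module: (degree, conditionals)}, each feature min-max scaled to [0, 1]."""
    degree = {m: 0 for m in conditionals}
    for a, b in interactions:          # interaction degree = number of distinct partners
        degree[a] += 1
        degree[b] += 1
    def scale(values):
        lo, hi = min(values.values()), max(values.values())
        return {m: (v - lo) / (hi - lo) if hi > lo else 0.0 for m, v in values.items()}
    deg, cond = scale(degree), scale(conditionals)
    return {m: (deg[m], cond[m]) for m in conditionals}

def single_linkage(features, cutoff):
    """Merge the two closest clusters until the closest pair is `cutoff` or more apart."""
    clusters = [{m} for m in features]
    def dist(x, y):
        return math.dist(features[x], features[y])
    while len(clusters) > 1:
        d, i, j = min((min(dist(x, y) for x in ci for y in cj), i, j)
                      for (i, ci), (j, cj) in combinations(enumerate(clusters), 2))
        if d >= cutoff:
            break
        clusters[i] |= clusters.pop(j)  # j > i, so index i stays valid after the pop
    return sorted(clusters, key=len)    # smallest cluster first: inspect that one first

if __name__ == "__main__":
    for c in single_linkage(feature_vectors(INTERACTIONS, CONDITIONALS), cutoff=0.55):
        print(len(c), sorted(c))
```

Low interaction alone is not enough (TerminalDxe and FatDxe also have few partners); the high conditional count is what separates the three unknown modules into their own small cluster.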
Total pages: 47

Open-access date: 2016-05-18
