
Intel Security responds to EFI rootkit malware, updates detection tool

Intel Security has launched a new security tool that can scan the firmware of systems targeted by exploits detailed in WikiLeaks' Vault7 ‘Year 0’ dump last week.

Chipsec has been updated in response to what WikiLeaks has called the largest store of confidential documents and tools from the US Central Intelligence Agency (CIA) in history.

The dump contains details on tools for exploiting zero-day vulnerabilities, including malware that can infect the firmware of computer systems, remaining invisible to the host operating system and even able to survive a hard disc reformat and OS reinstall.

The new module within Chipsec scans the UEFI (Unified Extensible Firmware Interface), which replaces the BIOS in modern computers, to verify the integrity of EFI firmware executables on potentially impacted systems. According to Intel Security, Chipsec is a framework for analysing the security of PC platforms, including hardware, system firmware (BIOS/UEFI) and platform components.

“Following recent WikiLeaks Vault7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society,” said Intel Security's Christiaan Beek and Raj Samani in a blog post following the leak.

“As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework that can be used to verify the integrity of EFI firmware executables on potentially impacted systems.”

The tool works by comparing the current UEFI to a known good copy residing on a whitelist. The firm recommends generating an EFI whitelist after purchasing a system or when you are sure it has not been infected.

Beek and Samani added that in the recent disclosures, another EFI firmware malware for Mac OS X systems, DarkMatter, has surfaced.

“It appears to include multiple EFI executable components that it injects into the EFI firmware on a target system at different stages of infection,” they said.

“If one has generated a whitelist of known good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system with EFI firmware infected by the DarkMatter persistent implant would likely result in a detection of these extra binaries added to the firmware by the rootkit.”
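The generate-then-check workflow described above (build a whitelist of known good EFI executables on a clean system, later compare the live firmware against it) as an added illustration in Python. This is not Chipsec's own code; the firmware images are constructed sample data, and a real run would parse the executables out of a firmware dump.

```python
import hashlib
import json

# Constructed sample: a firmware image modelled as {module name: bytes} for the
# EFI executables it contains. The module names are hypothetical.
KNOWN_GOOD_IMAGE = {
    "PchInitDxe": b"\x4d\x5a" + b"pch-init-dxe-known-good",
    "SmmAccess": b"\x4d\x5a" + b"smm-access-known-good",
    "UsbBus": b"\x4d\x5a" + b"usb-bus-known-good",
}

# Same image after a hypothetical implant: one module tampered, one extra added.
SUSPECT_IMAGE = {
    "PchInitDxe": b"\x4d\x5a" + b"pch-init-dxe-known-good",
    "SmmAccess": b"\x4d\x5a" + b"smm-access-TAMPERED",
    "UsbBus": b"\x4d\x5a" + b"usb-bus-known-good",
    "NetBoot": b"\x4d\x5a" + b"extra-implant-stage",
}


def generate_whitelist(image):
    """Hash every EFI executable; the whitelist stores digests, not binaries.

    Run this only on a system believed clean (e.g. straight after purchase):
    hashing an already-infected image would whitelist the implant.
    """
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in image.items()}


def check_against_whitelist(image, whitelist):
    """Compare a current image with the whitelist; any difference is a finding."""
    current = generate_whitelist(image)
    added = sorted(set(current) - set(whitelist))        # extra binaries (implant stages)
    missing = sorted(set(whitelist) - set(current))      # legitimate modules removed
    modified = sorted(n for n in current if n in whitelist and current[n] != whitelist[n])
    return {"added": added, "missing": missing, "modified": modified,
            "clean": not (added or missing or modified)}


if __name__ == "__main__":
    # Whitelist is serialised so it can be stored off the machine it describes.
    saved = json.dumps(generate_whitelist(KNOWN_GOOD_IMAGE), indent=2)
    result = check_against_whitelist(SUSPECT_IMAGE, json.loads(saved))
    print(json.dumps(result, indent=2))
```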

Mark James, IT security specialist at ESET, told SC Media UK that the UEFI BIOS has been a place of interest for a while. If infected, it allows the attacker to inject code in places that may not be so easily accessed from normal methods. It also could allow re-injection after hard drive wipes, something that is often identified as “a clean way to start again”.

“The end user may not have the means to identify or even understand these threats and even if they did, cleaning them is another matter altogether,” he said.

James added that in theory a simple rewrite of the BIOS should remove the infected firmware.

“Writing the firmware these days is a lot easier than in previous years and with the right software anyone could do it. Businesses need to consider all attack vectors no matter how small or insignificant they appear to be.

“Any tools that could be used to strengthen your defences should be used and incorporated sooner rather than later. It's better to have it in place and not need it than to wish you had implemented it after a serious breach; multi-layered defences are the only way you will thwart the bad guys.”

The Chipsec tool can be found on GitHub.
