The Hackr

Intel Releases EFI Rootkit Scanner After Vault 7 Dump

Intel Security has released a Rootkit Scanner on Wednesday that can identify hidden EFI (Extensible Firmware Interface) firmware rootkits.

And also it allows users to check if their computer’s low-level system firmware has been modified and contains unauthorized code.

A rootkit is a malicious program that runs in the kernel and hides existence of other malicious components and activities.

CIA on EFI Rootkits For Mac

The WikiLeaks Vault 7 documents revealed the CIA was working on two EFI rootkits at the time the files were stolen (allegedly by contractors and hackers).

The first project is named DerStarke, which the CIA describes as an ” Apple EFI implant via flash unlock. ”  DerStarke includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter.

While the second is named QuarkMatter, and is an ” Apple EFI implant via EFI system partition. ”

Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant.

EFI, also known as UEFI (Unified EFI), is the low-level firmware that runs before the operating system and initializes the various hardware components during the system boot process. It can have hundreds of programs for different functions implemented as executable binaries.

EFI/UEFI is nothing more than a software interface between an operating system and platform firmware. Malicious code stored inside this software interface is called a rootkit and will execute every time the computer boots up.

Malware authors use rootkits to ensure their malware starts with every PC reboot. And also to reinfect computers that have been cleaned with antivirus software. If detected, rootkits can be removed. However, the hard part is detecting the infection.


Rootkit Scanner as CHIPSEC module

The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries.

CHIPSEC  consists of a set of command-line tools that use low-level interfaces to analyze a system’s hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell.

Furthermore, this new CHIPSEC module allows the user to take a clean EFI from the computer manufacturer, extract its contents.

” We recommend generating an EFI ‘whitelist’ after purchasing a system or when sure it hasn’t been infected, ” the Intel Security researchers said in a blog post.  ” Then check EFI firmware on your system periodically or whenever concerned, such as when a laptop was left unattended. “

Using command-line tool, they use the new CHIPSEC rootkit detection module to create a whitelist of the EFI/UEFI’s binary files. This whitelist is then compared to files found in the user’s current firmware.

To run a new scan, users can dump their current EFI/UEFI firmware. However, this module will extract the EFI/UEFI firmware files from flash ROM memory automatically if the file is not specified.

More in-depth usage instructions are available on the Intel Security McAfee Labs blog.

And EFI firmware updates for various Mac and Macbook versions are available on Apple’s support website.


To comment on this article and other THE HACKR content, visit our Facebook page or our Twitter feed.




It was a hobby I got into a long time ago, hacking cameras. And I am here making posts @TheHackr today!

Chat With Our Bot ☎️

IntroducingTheHackr Chatbot,now anyone can interact with our messenger bot and get daily crunches about Cyber-Security in just a clicks away!