Intel Security released a rootkit scanner on Wednesday that can identify hidden EFI (Extensible Firmware Interface) firmware rootkits.
It also lets users check whether their computer’s low-level system firmware has been modified to contain unauthorized code.
CIA on EFI Rootkits For Mac
The WikiLeaks Vault 7 documents revealed the CIA was working on two EFI rootkits at the time the files were stolen (allegedly by contractors and hackers).
The first project is named DerStarke, which the CIA describes as an “Apple EFI implant via flash unlock.” DerStarke includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter.
The second is named QuarkMatter and is described as an “Apple EFI implant via EFI system partition.”
EFI, and its successor specification UEFI (Unified EFI), is the low-level firmware that runs before the operating system and initializes the hardware components during the boot process. A firmware image contains hundreds of modules for different functions (drivers, applications, boot services), each implemented as an executable binary.
Strictly speaking, EFI/UEFI is only the software interface between the operating system and the platform firmware, but that firmware lives in the system’s flash ROM and is executed on every boot. Malicious code persisted there is a firmware rootkit: it runs before the operating system, below the reach of OS-level security software, every time the computer starts.
Malware authors use rootkits to ensure their malware starts with every reboot and to reinfect computers that have already been cleaned by antivirus software. Once detected, a rootkit can be removed; the hard part is detecting the infection.
Rootkit Scanner as CHIPSEC module
The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries.
CHIPSEC consists of a set of command-line tools that use low-level interfaces to analyze a system’s hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell.
The new CHIPSEC module lets the user take a clean firmware image from the computer manufacturer and extract its contents.
From the command line, the rootkit detection module then generates a whitelist of the EFI/UEFI executables in that clean image, recording the identity and hash of each binary. On a later scan the same module compares the executables found in the user’s current firmware against that whitelist and reports any binary that is unknown or has changed.
To run a scan, users can first dump their current EFI/UEFI firmware to a file. If no file is specified, the module reads the firmware from the flash ROM itself and extracts the EFI/UEFI files automatically.
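As an added illustration of the generate-and-check workflow described above (this is not CHIPSEC’s own code), the following Python builds a whitelist of per-module SHA-256 hashes from a clean image, stores it as JSON, and diffs a current image against it. The firmware “images”, module names and GUIDs are constructed placeholders standing in for the executables a firmware-volume parser would extract; a real scan would feed in the modules pulled from the vendor image and from the flash dump.

```python
"""Whitelist-based detection of unexpected EFI executables.

Added illustration of the generate/check workflow; this is not CHIPSEC code.
The firmware "images" below are constructed inline: a dict mapping a module
identifier (placeholder GUID plus module name, the way a firmware-volume
parser would label each extracted executable) to that module's bytes.
"""
import hashlib
import json

# Constructed sample data. GUIDs and module bodies are placeholders.
CLEAN_IMAGE = {
    "00000000-0000-0000-0000-000000000001/PchInitDxe": b"MZ\x90\x00 clean PchInitDxe",
    "00000000-0000-0000-0000-000000000002/Shell": b"MZ\x90\x00 clean Shell",
    "00000000-0000-0000-0000-000000000003/BdsDxe": b"MZ\x90\x00 clean BdsDxe",
}

# Same machine later: Shell has been patched and an extra driver was added.
CURRENT_IMAGE = {
    "00000000-0000-0000-0000-000000000001/PchInitDxe": b"MZ\x90\x00 clean PchInitDxe",
    "00000000-0000-0000-0000-000000000002/Shell": b"MZ\x90\x00 patched Shell",
    "00000000-0000-0000-0000-000000000003/BdsDxe": b"MZ\x90\x00 clean BdsDxe",
    "00000000-0000-0000-0000-0000000000ff/PersistDxe": b"MZ\x90\x00 injected driver",
}


def generate_whitelist(image):
    """'generate' step: record the SHA-256 of every executable in a clean image."""
    return {mid: hashlib.sha256(blob).hexdigest() for mid, blob in image.items()}


def whitelist_to_json(whitelist):
    """Serialise the whitelist so it can be kept and reused for later scans."""
    return json.dumps(whitelist, indent=2, sort_keys=True)


def whitelist_from_json(text):
    """Load a whitelist previously written by whitelist_to_json."""
    return json.loads(text)


def check_whitelist(whitelist, image):
    """'check' step: diff the executables in the current image against the list.

    Returns three sorted lists:
      unknown  - executables present now that the clean image never had
      modified - executables whose bytes differ from the whitelisted hash
      missing  - whitelisted executables that are no longer present
    An injected EFI driver shows up as 'unknown'; a patched one as 'modified'.
    """
    current = generate_whitelist(image)
    return {
        "unknown": sorted(m for m in current if m not in whitelist),
        "modified": sorted(
            m for m in current if m in whitelist and current[m] != whitelist[m]
        ),
        "missing": sorted(m for m in whitelist if m not in current),
    }


def is_clean(report):
    """True when no list in the report has entries."""
    return not any(report.values())


def scan(clean_image=CLEAN_IMAGE, current_image=CURRENT_IMAGE):
    """Full round trip: generate from clean image, store as JSON, reload, check."""
    stored = whitelist_to_json(generate_whitelist(clean_image))
    return check_whitelist(whitelist_from_json(stored), current_image)


if __name__ == "__main__":
    report = scan()
    print(json.dumps(report, indent=2))
    print("CLEAN" if is_clean(report) else "FINDINGS")
```

In CHIPSEC itself the corresponding module is `tools.uefi.whitelist`, run as `chipsec_main.py -m tools.uefi.whitelist -a generate,<list.json>,<image.rom>` to build the list and `-a check,<list.json>,<image.rom>` to compare, with `chipsec_util.py spi dump <file>` writing the current flash contents to a file; confirm these against the help output of the CHIPSEC version you install. Note the scope of such a check: it covers executables in the firmware image read from SPI flash. An implant of the QuarkMatter type, which lives on the EFI system partition, is a file on disk rather than part of the flash image, so it requires a separate inspection of the ESP contents.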
More in-depth usage instructions are available on the Intel Security McAfee Labs blog.
EFI firmware updates for various Mac and MacBook models are available on Apple’s support website.