Successful attacks against firmware are rare but provide hackers with one thing they covet most: persistence.
Advanced attack groups have already invested in ways to burrow into the BIOS and UEFI, as the Snowden leaks’ description of NSA efforts to develop BIOS malware implants showed. Further, last year’s disclosure by Kaspersky Lab of the Equation Group’s espionage platform, and specifically a persistence module that reprograms the firmware of hard drives from a number of leading vendors, demonstrated how a well-resourced attacker can gain persistence that survives reinstalling the operating system and reformatting the disk, and that no software running on the host can readily detect.
These capabilities aren’t limited to nation-state attackers; last summer’s hack of the controversial Italian surveillance software maker Hacking Team also revealed the malware vendor had a UEFI BIOS rootkit at its disposal.
White-hats on the research side have also peered inside the BIOS and UEFI and have begun building tools that help ferret out BIOS rootkits.
VirusTotal this week joined the fray when it announced support for firmware files. Previously, the Google-owned online malware scanner accepted ordinary files and returned a report describing whether leading security tools detect anything suspicious; firmware images now get the same scan plus a structural breakdown of their contents.
“As of today VirusTotal is characterizing in detail firmware images, legit or malicious,” VirusTotal said in its announcement.
A number of sample reports published by VirusTotal list the files contained in submitted images and whether they were distributed by the hardware vendor. Such source data is invaluable in determining whether files were inserted by a third party, whether along the supply chain or through a later compromise of the firmware.
“What’s probably most interesting is the extraction of the UEFI Portable Executables that make up the image, since it is precisely executable code that could potentially be a source of badness,” VirusTotal’s Francisco Santos said. “These executables are extracted and submitted individually to VirusTotal, such that the user can eventually see a report for each one of them and perhaps get a notion of whether there is something fishy in their BIOS image. Additionally, the tool will highlight which of these extracted PEs are Windows targeted, i.e. they will run on the Windows OS itself rather than on the UEFI pseudo-OS.”
VirusTotal said the new tool supports:
- Apple Mac BIOS detection and reporting.
- Strings-based brand heuristic detection, to identify target systems.
- Extraction of certificates both from the firmware image and from executable files contained in it.
- PCI class code enumeration, allowing device class identification.
- ACPI tables tags extraction.
- NVAR variable names enumeration.
- Option ROM extraction, entry point decompilation and PCI feature listing.
- Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image.
- SMBIOS characteristics reporting.
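As an added illustration of the extraction Santos describes above and the "BIOS Portable Executables" item in the feature list, the script below is example code written for this article, not VirusTotal's own tooling. It carves PE images out of a raw firmware blob by signature, reads the Subsystem field of each image's optional header to tell UEFI applications and drivers (subsystems 10 through 13) from executables built for Windows itself, and hashes each carved image the way you would before submitting it individually. The firmware blob it scans is constructed inline from minimal hand-built PE headers, and every helper name is this example's own.

```python
import hashlib
import struct

# Optional-header Subsystem values from the PE/COFF spec; 10-13 are the UEFI ones.
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI", 9: "WINDOWS_CE_GUI",
              10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER", 12: "EFI_RUNTIME_DRIVER",
              13: "EFI_ROM", 16: "WINDOWS_BOOT_APPLICATION"}
EFI_SUBSYSTEMS = {10, 11, 12, 13}
WINDOWS_SUBSYSTEMS = {1, 2, 3, 9, 16}
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C4: "ARM", 0xAA64: "ARM64", 0xEBC: "EBC"}


def parse_pe_at(blob, off):
    """Parse a PE whose DOS header starts at blob[off]; return None if there is none."""
    if off + 0x40 > len(blob) or blob[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    # Firmware PEs carry tiny DOS stubs; a huge e_lfanew means a stray "MZ" in data.
    if not 0x40 <= e_lfanew <= 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    if opt_size < 70 or opt + opt_size > len(blob):     # need bytes up to Subsystem (offset 68)
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        return None
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]  # same offset in PE32 and PE32+
    sect = opt + opt_size                                 # section table follows the optional header
    end = sect + nsect * 40
    for i in range(nsect):                                # raw-data extents tell us where the file ends
        entry = sect + i * 40
        if entry + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, entry + 16)
        end = max(end, off + raw_ptr + raw_size)
    if end > len(blob):
        return None
    data = bytes(blob[off:end])
    return {"offset": off, "size": len(data), "data": data, "pe32plus": magic == 0x20B,
            "machine": MACHINES.get(machine, hex(machine)), "subsystem": subsystem,
            "subsystem_name": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "sha256": hashlib.sha256(data).hexdigest()}


def classify(info):
    """'UEFI' if it runs under the firmware's own pseudo-OS, 'Windows' if it targets the OS."""
    if info["subsystem"] in EFI_SUBSYSTEMS:
        return "UEFI"
    if info["subsystem"] in WINDOWS_SUBSYSTEMS:
        return "Windows"
    return "other"


def carve_pes(blob):
    """Every parseable PE in offset order, including ones nested inside another image."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(blob, pos)
        if info is not None:
            found.append(info)
        # Step one byte, not one image: a Windows payload that a UEFI driver drops
        # is usually carried inside that driver's own sections.
        pos = blob.find(b"MZ", pos + 1)
    return found


def build_pe(machine, subsystem, body, pe32plus=False):
    """Build a minimal one-section PE for the sample below (constructed, not real firmware)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    opt_size = 0xF0 if pe32plus else 0xE0
    raw_ptr = (0x40 + 24 + opt_size + 40 + 0x1FF) // 0x200 * 0x200   # raw data 512-aligned
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    sect = bytearray(40)
    sect[0:5] = b".text"
    struct.pack_into("<II", sect, 16, len(body), raw_ptr)            # SizeOfRawData, PointerToRawData
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + bytes(sect))
    return bytes(image + b"\0" * (raw_ptr - len(image)) + body)


# Constructed sample "firmware image": erased-flash padding, an EFI application, then a
# boot-service driver whose .text section embeds a Windows GUI executable.
SAMPLE_IMAGE = (b"\xFF" * 0x100
                + build_pe(0x8664, 10, b"EFI application body", pe32plus=True)
                + b"\x00" * 0x80
                + build_pe(0x8664, 11, b"driver code " + build_pe(0x14C, 2, b"dropped Windows payload"))
                + b"\xFF" * 0x40)

if __name__ == "__main__":
    for pe in carve_pes(SAMPLE_IMAGE):
        print("offset=%#07x %-5s %-24s %-7s sha256=%s" % (
            pe["offset"], pe["machine"], pe["subsystem_name"], classify(pe), pe["sha256"]))
```

Run against the constructed sample it lists three images: the EFI application, the boot-service driver, and the Windows GUI executable nested inside the driver's .text section, which is the "Windows targeted" case Santos singles out. A raw signature scan is only a triage shortcut: firmware volumes commonly store drivers compressed (LZMA or Tiano), and PEI-phase modules often use the Terse Executable format, whose header starts with "VZ" rather than "MZ", so a proper parser walks the firmware filesystem and decompresses sections before looking for executables.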
Santos said a number of tools can help organizations dump their own BIOS and submit it to VirusTotal. Organizations are also advised to remove private information, such as passwords, before submitting; a full flash dump includes the NVRAM variable store, which can hold setup passwords and other machine-specific settings.