Putting the spotlight on firmware malware
Firmware malware has been a hot topic ever since Snowden’s leaks revealed the NSA’s efforts to infect BIOS firmware. However, BIOS malware is no longer something exclusive to the NSA: Lenovo’s Service Engine and Hacking Team’s UEFI rootkit are examples of why the security industry should put some focus on this strain of badness.
To all intents and purposes, the BIOS is firmware that loads into memory at the beginning of the boot process; its code lives on a flash memory chip soldered onto the mainboard. Since the BIOS boots the computer and helps load the operating system, attackers who infect it can deploy malware that survives reboots, system wiping and reinstallations, and since antiviruses do not scan this layer, the compromise can fly under the radar.
As of today, VirusTotal characterizes firmware images in detail, whether legitimate or malicious. These are a couple of examples of the kind of information that is now generated; please refer to the File Detail tab:
Pay attention to the Additional information tab in this other case: you will see a new Source Details field, which gives attribution information for the given file:
A 100% PE resource match is not required in order to provide some attribution context, e.g.
The new tool performs the following basic tasks:
- Apple Mac BIOS detection and reporting.
- Strings-based brand heuristic detection, to identify target systems.
- Extraction of certificates both from the firmware image and from executable files contained in it.
- PCI class code enumeration, allowing device class identification.
- ACPI table tag extraction.
- NVAR variable name enumeration.
- Option ROM extraction, entry point decompilation and PCI feature listing.
- Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image.
- SMBIOS characteristics reporting.
You will notice that this is precisely the Lenovo rootkit case. They are two different BIOS updates for Lenovo S21e laptop systems; the second one removes what was identified as factory-installed malware. Taking a closer look at both reports, you will notice that the first image contains a NovoSecEngine2 Windows executable in charge of deploying further artifacts onto the target system.
Knowing that this new tool is available, the next interesting step is to dump your own BIOS in order to study it further by submitting it to VirusTotal. The following tools might come in handy:
Obviously, this has its limitations: the system could be compromised in such a manner that the dumpers are deceived. You should understand that the ultimate ground truth is physically attaching to the chip and electronically dumping the flash memory.
When performing BIOS dumps and uploading them to VirusTotal, make sure you remove private information: certain vendors may store secrets such as WiFi passwords in BIOS variables in order to remember certain settings across system reinstalls. If you are on a Mac, DarwinDumper will allow you to easily strip sensitive information by checking the “Make dumps private” option.
Premium users of VirusTotal Intelligence and VirusTotal Private Mass API will soon be able to read a follow-up article on the Intelligence blog explaining how all of this information is now indexed and searchable, allowing you to track down advanced actors making use of BIOS badness in order to persist on their targets’ systems.
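To illustrate the "extraction of BIOS Portable Executables" step and why a Windows executable inside a firmware image stands out, here is a small added Python scanner (not VirusTotal's own tooling): it walks a blob for PE headers and reads the COFF Machine and optional-header Subsystem fields, flagging images built for a Windows subsystem rather than a UEFI one. The field offsets come from the PE/COFF specification; the sample image and the header-only stubs in it are constructed for the demo.

```python
import struct

# IMAGE_SUBSYSTEM_* values from the PE/COFF specification
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI", 10: "EFI_APPLICATION",
              11: "EFI_BOOT_SERVICE_DRIVER", 12: "EFI_RUNTIME_DRIVER"}

def find_pe_images(image: bytes) -> list:
    """Walk every 'MZ' candidate, validate the PE signature and read the
    COFF Machine and optional-header Subsystem fields.

    UEFI modules normally carry an EFI_* subsystem; a WINDOWS_* subsystem
    inside a firmware image is a triage signal, since such a program can
    only run once the firmware has placed it into the operating system."""
    hits = []
    pos = image.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(image):
            e_lfanew = struct.unpack_from("<I", image, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Optional header starts 24 bytes after "PE\0\0"; Subsystem sits
            # at offset 0x44 of the optional header for both PE32 and PE32+.
            if 0x40 <= e_lfanew < 0x400 and image[pe:pe + 4] == b"PE\0\0" \
                    and pe + 24 + 0x46 <= len(image):
                machine = struct.unpack_from("<H", image, pe + 4)[0]
                subsystem = struct.unpack_from("<H", image, pe + 24 + 0x44)[0]
                hits.append({
                    "offset": pos,
                    "machine": {0x14C: "i386", 0x8664: "x64"}.get(machine, hex(machine)),
                    "subsystem": SUBSYSTEMS.get(subsystem, f"unknown({subsystem})"),
                    "windows_executable": subsystem in (2, 3),
                })
        pos = image.find(b"MZ", pos + 1)
    return hits

def _fake_pe(subsystem: int, machine: int = 0x14C) -> bytes:
    """Constructed header-only stub (not runnable code): only the fields read above."""
    hdr = bytearray(0x40 + 24 + 0x46)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew -> "PE\0\0"
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)         # COFF Machine
    struct.pack_into("<H", hdr, 0x40 + 24 + 0x44, subsystem)
    return bytes(hdr)

# Constructed firmware-like blob: padding, one x64 EFI driver, one i386 Windows GUI program.
SAMPLE_IMAGE = b"\xFF" * 64 + _fake_pe(11, 0x8664) + b"\xFF" * 32 + _fake_pe(2) + b"\xFF" * 16
```

Run `find_pe_images` over a real dump and every hit with `windows_executable` set is a candidate for the kind of dropper described above; a flat capture of the SPI chip may also need its UEFI firmware volumes unpacked first if modules are stored compressed.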