Pierluigi Paganini January 31, 2016

VirusTotal presented a new malware scanning engine that allows users to analyze their firmware images searching for malicious codes.

VirusTotal has recently announced the launch of a new malware scanning service for firmware images. The intent is to allow users to identify malicious firmware images.

Threat actors could exploit vulnerabilities in firmware to hack systems or inject malicious code. The revelation about the NSA catalog confirmed the existence of software implants used by the NSA for surveillance activities.

BIOS is the firmware component most targeted by hackers, threat actors could exploit it to malicious to hide their malware, avoid detection and gain persistence on the infected machine.

“Firmware malware has been a hot topic ever since Snowden’s leaks revealed NSA’s efforts to infect BIOS firmware. However, BIOS malware is no longer something exclusive to the NSA, Lenovo’s Service Engine or Hacking Team’s UEFI rootkit are examples of why the security industry should put some focus on this strain of badness.” Google-owned VirusTotal explains in a blog post.

Malware deployed in firmware can survive reboots and system wiping.

“To all effects BIOS is a firmware which loads into memory at the beginning of the boot process, its code is on a flash memory chip soldered onto the mainboard. Since the BIOS boots a computer and helps load the operating system, by infecting it attackers can deploy malware that survives reboots, system wiping and reinstallations, and since antiviruses are not scanning this layer, the compromise can fly under the radar.”

Malware deployed in the firmware can survive reboots, system wiping and reinstallations, and avoids antivirus scanning, which leads to persistent compromise.

The new service launched by VirusTotal performs the following tasks:

• Apple Mac BIOS detection and reporting.
• Strings-based brand heuristic detection, to identify target systems.
• Extraction of certificates both from the firmware image and from executable files contained in it.
• PCI class code enumeration, allowing device class identification.
• ACPI tables tags extraction.
• NVAR variable names enumeration.
• Option ROM extraction, entry point decompilation and PCI feature listing.
• Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image.
• SMBIOS characteristics reporting.

As explained in the blog post, users can extract the UEFI Portable Executables and use the service to analyze the image identifying potential Windows Executables used to inject malicious code.

“What’s probably most interesting is the extraction of the UEFI Portable Executables that make up the image, since it is precisely executable code that could potentially be a source of badness. These executables are extracted and submitted individually to VirusTotal, such that the user can eventually see a report for each one of them and perhaps get a notion of whether there is something fishy in their BIOS image.”

Users can view details on the firmware they have submitted for scanning by clicking on the Additional information tab, which also has a new Source Details field. The File Detail tab will also provide various details on the characteristics of the submitted firmware image.

Users are invited to remove any private information from BIOS dumps before uploading them to VirusTotal.

Pierluigi Paganini

(Security Affairs – Virus total, firmware)