A few days ago, WikiLeaks announced it is working with software makers to fix the zero-day flaws in the Vault7 dump that impacted their products and services. The organization is sharing information on the hacking tools included in the Vault7 dump with them, and IT vendors are already working to solve the problems.
In response to the CIA data leak, Intel Security has released a tool that allows users to check if the firmware of their computers has been modified and contains unauthorized code.
Digging into the CIA archive, experts discovered that the Agency's hackers have developed EFI (Extensible Firmware Interface) rootkits for Apple’s MacBooks.
Developers at the CIA Embedded Development Branch (EDB) group have designed an OS X “implant” called DerStarke that implements a kernel code injection mechanism in a module dubbed Bokor and uses an EFI persistence module called Dark Matter.
UEFI (Unified EFI) replaces the BIOS in modern computers. It is the low-level firmware that runs just before the operating system during the bootstrap process to initialize the computer.
It is composed of a huge number of “applications” that implement different features in modern computers.
Malware running stealthily in the EFI is able to bypass any security mechanism and inject malicious code into the OS kernel. It can also gain persistence on the infected machine, allowing the rootkits to survive reboots, system updates and even re-installations of the OS.
The documents also describe another project developed by the CIA EDB, code-named QuarkMatter, that is a “Mac OS X EFI implant, which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant.”
CHIPSEC allows users to compare the above list against the list of binaries that compose the system’s current EFI or against an EFI image previously extracted from a system.
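The comparison described above can be sketched as follows. This is an added example, not code from the article or from CHIPSEC; the manifest layout (SHA-256 digest mapped to module GUID and name) and every value in it are assumptions constructed for illustration.

```python
import json

# Constructed sample manifests (not real firmware data): digest of each EFI
# executable mapped to its module GUID and name. The layout is an assumption.
BASELINE = json.loads("""{
  "aa11": {"guid": "GUID-0001", "name": "DxeCore"},
  "bb22": {"guid": "GUID-0002", "name": "BootManager"},
  "cc33": {"guid": "GUID-0003", "name": "UsbBus"}
}""")
CURRENT = json.loads("""{
  "aa11": {"guid": "GUID-0001", "name": "DxeCore"},
  "dd44": {"guid": "GUID-0002", "name": "BootManager"},
  "ee55": {"guid": "GUID-0009", "name": ""}
}""")


def compare_manifests(baseline, current):
    """Classify every difference between a trusted baseline and a current list."""
    base_by_guid = {meta["guid"]: digest for digest, meta in baseline.items()}
    cur_guids = {meta["guid"] for meta in current.values()}
    report = {"modified": [], "unknown": [], "missing": []}
    for digest, meta in sorted(current.items()):
        if digest in baseline:
            continue  # byte-identical to a binary in the trusted list
        if meta["guid"] in base_by_guid:
            # Same module GUID, different contents: replaced or patched.
            report["modified"].append(
                (meta["guid"], base_by_guid[meta["guid"]], digest))
        else:
            # Executable the baseline never contained.
            report["unknown"].append((meta["guid"], digest))
    for digest, meta in sorted(baseline.items()):
        if meta["guid"] not in cur_guids and digest not in current:
            # Present in the trusted image, absent from the current one.
            report["missing"].append((meta["guid"], digest))
    return report


def is_clean(report):
    """True only when the current list matches the baseline exactly."""
    return not any(report.values())


if __name__ == "__main__":
    for kind, items in compare_manifests(BASELINE, CURRENT).items():
        for item in items:
            print(kind, *item)
```

A legitimate firmware update also changes the hashes, so the baseline has to be regenerated from a trusted image after each update.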
(Security Affairs – CHIPSEC, Wikileaks)