CHIPSEC, Intel Security releases detection tool also for CIA EFI rootkits

After CIA leak, Intel Security releases CHIPSEC, a detection tool for EFI rootkits that detect rogue binaries inside the computer firmware.

A few days ago, WikiLeaks announced it is working with software makers to fix the zero-day flaws in Vault7 dump that impacted their products and services. The organization is sharing information on the hacking tools included in the Vault7 dump with them and IT vendors are already working to solve the problems.

In response to the CIA data Leak, Intel Security has released a tool that allows users to check if the firmware of their computers has been modified and contains unauthorized code.

Digging the CIA archive the experts discovered that the hackers of the Agency have developed EFI (Extensible Firmware Interface) rootkits for Apple’s Macbooks.

Developers at the CIA Embedded Development Branch (EDB) group have designed an OS X “implant” called DerStarke that implements a kernel code injection mechanism in a module dubbed Bokor and uses an EFI persistence module called Dark Matter.

The UEFI (Unified EFI) replaces the BIOS in modern computers, it is the low-level firmware that runs just before the operating system during the bootstrap process to initialize the computer.

It is composed of a huge number “applications” that implements different features in modern computers.

A malware running in a stealth way in the EFI is able to bypass any security mechanism and inject malicious code into the OS kernel, it also alsogain persistence on the infected machine, allowing the rootkits to survive reboots, system updates and even re-installations of the OS.

Reading the documents it is possible to discover another project developed by the CIA EDB code-named QuarkMatter that is a “Mac OS X EFI implant, which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant.”

Now the Advanced Threat Research team at Intel Security has designed a new module for its existing CHIPSEC open-source framework that is able to detect malicious EFI binaries.“CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities.” reads the description of the framework.”It can be run on Windows, Linux, Mac OS X and UEFI shell. Instructions for installing and using CHIPSEC can be found in the manual (chipsec-manual.pdf).”CHIPSEC is a collection of command-line tools that use low-level interfaces to analyze a system’s hardware, firmware, and platform components.The new CHIPSEC module allows the user to take a clean EFI image from the manufacturer, extract its contents and build a whitelist of the files it contains.

The CHIPSEC allow users to compare the above list against the list of binaries that compose the system’s current EFI or against an EFI image previously extracted from a system.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CHIPSEC, Wikileaks)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.