Intel Security responds to EFI rootkit malware, updates detection tool


Intel Security has launched a new security tool that can scan the firmware of systems targeted by exploits detailed in WikiLeaks’ Vault7 ‘Year 0’ dump last week.

Chipsec has been updated in response to what WikiLeaks has called the largest store of confidential documents and tools from the US Central Intelligence Agency (CIA) in history.

The dump contains details on tools for exploiting zero-day vulnerabilities, including malware that can infect the firmware of computer systems, remaining invisible to the host operating system and even able to survive a hard disc reformat and OS reinstall.

The new module within Chipsec scans the UEFI (Unified Extensible Firmware Interface) firmware, which replaces the BIOS in modern computers, to verify the integrity of EFI firmware executables on potentially impacted systems. According to Intel Security, Chipsec is a framework for analysing the security of PC platforms, including hardware, system firmware (BIOS/UEFI) and platform components.

“Following recent WikiLeaks Vault7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society,” said Intel Security’s Christiaan Beek and Raj Samani in a blog post following the leak.

“As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework that can be used to verify the integrity of EFI firmware executables on potentially impacted systems.”

The tool works by comparing the EFI executables in the current UEFI firmware against a whitelist of known-good copies. The firm recommends generating the EFI whitelist right after purchasing a system, or at any point when you are sure it has not been infected.

Beek and Samani added that in the recent disclosures, another EFI firmware malware for Mac OSX systems, DarkMatter, has surfaced.

“It appears to include multiple EFI executable components that it injects into the EFI firmware on a target system at different stages of infection,” they said.

“If one has generated a whitelist of known good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system with EFI firmware infected by the DarkMatter persistent implant would likely result in a detection of these extra binaries added to the firmware by the rootkit.”
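The whitelist workflow described above, as an added illustration that is not Chipsec's own code: a known-good firmware image is parsed into its executables, a hash of each is stored as the whitelist, and a later image is compared against it so that extra or altered binaries stand out. Everything here is constructed for the example: the firmware "image" is a simple length-prefixed container rather than a real UEFI firmware volume (Chipsec contains the real FFS parsing), the module names are invented stubs, and SHA-256 is assumed as the per-executable hash.

```python
"""Toy model of an EFI whitelist generate/check cycle (added example, not
Chipsec's code). A firmware image is modelled as a constructed container:
each record is <4-byte name length><name><4-byte body length><body>.
Real UEFI images consist of Firmware Volumes and FFS files, which Chipsec
parses for you; the container here is a stand-in so the example runs offline."""
import hashlib
import json
import struct


def pack_image(modules):
    """Build a constructed firmware image from a {name: body_bytes} mapping."""
    out = bytearray()
    for name, body in modules.items():
        n = name.encode()
        out += struct.pack("<I", len(n)) + n
        out += struct.pack("<I", len(body)) + body
    return bytes(out)


def parse_image(image):
    """Walk the container and yield (name, body) for each embedded executable."""
    off = 0
    while off < len(image):
        (nlen,) = struct.unpack_from("<I", image, off)
        off += 4
        name = image[off:off + nlen].decode()
        off += nlen
        (blen,) = struct.unpack_from("<I", image, off)
        off += 4
        body = image[off:off + blen]
        off += blen
        yield name, body


def generate_whitelist(image):
    """Record the SHA-256 (assumed hash) of every executable in a known-good image."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in parse_image(image)}


def check_image(image, whitelist):
    """Compare a live image against the whitelist and report any differences."""
    current = generate_whitelist(image)
    added = sorted(set(current) - set(whitelist))
    removed = sorted(set(whitelist) - set(current))
    modified = sorted(n for n in current if n in whitelist and current[n] != whitelist[n])
    return {"added": added, "removed": removed, "modified": modified,
            "clean": not (added or removed or modified)}


# Constructed sample data: a "known good" image, and the same image with one
# existing driver altered and one extra driver appended, which is the pattern
# the article says the whitelist check is meant to surface.
GOOD_MODULES = {
    "PeiCore": b"MZ PEI core stub",
    "DxeCore": b"MZ DXE core stub",
    "UsbDriver": b"MZ USB driver stub",
}
SUSPECT_MODULES = dict(GOOD_MODULES)
SUSPECT_MODULES["UsbDriver"] = b"MZ USB driver stub (altered)"
SUSPECT_MODULES["ExtraDxe"] = b"MZ unexpected extra driver stub"

GOOD_IMAGE = pack_image(GOOD_MODULES)
SUSPECT_IMAGE = pack_image(SUSPECT_MODULES)


def demo():
    """Generate the whitelist once, serialise it as JSON (what you would keep
    after purchase), then check both the clean and the suspect image."""
    whitelist_json = json.dumps(generate_whitelist(GOOD_IMAGE), indent=2)
    whitelist = json.loads(whitelist_json)
    return check_image(GOOD_IMAGE, whitelist), check_image(SUSPECT_IMAGE, whitelist)


if __name__ == "__main__":
    baseline, suspect = demo()
    print("baseline:", baseline)
    print("suspect: ", suspect)
```

The important operational point is the one the article makes: the whitelist is only as trustworthy as the image it was generated from, so it has to be captured while the system is known to be clean and stored somewhere the firmware cannot reach. With Chipsec itself, the `tools.uefi.whitelist` module is run through `chipsec_main` with a generate action and later a check action against the saved list; consult the module's own documentation for the exact argument form rather than this toy.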

The Chipsec tool can be found on GitHub.

This article originally appeared at scmagazineuk.com
