Intel Security, soon to be rebranded as McAfee again, released on Wednesday a scanner that can identify hidden EFI firmware rootkits.
Intel said it decided to release the scanner after the recent WikiLeaks Vault 7 dump, which contained documentation files and manuals on hacking tools stolen from the CIA.
CIA working on EFI rootkits for Apple computers
The WikiLeaks Vault 7 documents revealed the CIA was working on two EFI rootkits at the time the files were stolen (allegedly by contractors and hackers).
The first project is named DerStarke, which the CIA describes as an “Apple EFI implant via flash unlock,” while the second is named QuarkMatter, and is an “Apple EFI implant via EFI system partition.”
While there’s a little more information on the first, the second project appears to have been under active development, as the only information on QuarkMatter was a project objective:
Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant.
EFI/UEFI stands for “Unified Extensible Firmware Interface,” and is a specification evolved from the old BIOS standard. Its role is the same, which is to assist with the initialization of hardware components while booting up the operating system.
EFI/UEFI is nothing more than a software interface between an operating system and platform firmware. Malicious code stored inside this software interface is called a rootkit and will execute every time the computer boots up. Malware authors use rootkits to ensure their malware starts with every PC reboot, or to reinfect computers that have been cleaned with antivirus software.
If detected, rootkits can be removed, but the hard part is detecting the infection.
Scanner available as CHIPSEC module
The scanner Intel Security released is a module for Intel’s CHIPSEC security suite, a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components.
This module works in a very simple manner. Users are supposed to download a version of the clean EFI/UEFI firmware from the vendor’s site, or extract an image from newly bought computers.
Using a command-line tool, they use the new CHIPSEC rootkit detection module to create a whitelist of the EFI/UEFI’s binary files. This whitelist is then compared to files found in the user’s current firmware.
When wanting to run a new scan, users can dump their current EFI/UEFI firmware, but the CHIPSEC module will extract the EFI/UEFI firmware files from a computer’s flash ROM memory automatically if the firmware file is not specified. More in-depth usage instructions are available on the Intel Security McAfee Labs blog.
McAfee brand resurrected
In September 2016, Intel sold the majority stake in Intel Security (the former McAfee) to TPG. As part of the deal, TPG got the rights to use the old McAfee brand. The new McAfee company will be valued at $4.2 billion, and Intel will receive $3.1 billion from TPG.
Three days before the deal, John McAfee, the company’s founder, who sold all his shares in McAfee, filed a lawsuit against Intel for the right to use his own name in other business ventures. Despite the sale, (John) McAfee decided to continue with the lawsuit.