First Firmware Worm attacks Apple Mac

It was created by a pair of security researchers – Trammell Hudson, who discovered Thunderstrike, and Xeno Kovah. We know that the NSA is working hard on firmware hacking, and you can be sure that China’s army of hackers is interested. “Macs are virtually virus proof”.

The researchers previously used LightEater when they presented “How Many Million BIOSes Would you Like to Infect?”

This vulnerability, also referred as “Darth Venamis”, is known since September 2014, however it has been partly patched on Apple Macs, thus it helps attackers to hook inside the firmware easily. That’s the part of the firmware that runs just after the PC is turned on, checking hardware and launching the load process for the operating system. Kovah also mentioned that usually EFI and UEFI are derived from the same reference implementation and also share the similar vulnerabilities. It was the first time anyone had demonstrated a Mac bootkit – malware that launches ahead of the operating system, from the moment the PC starts, and is hidden from security tools, most of which don’t delve so deep inside Macs’ innards. Attackers need only a few seconds to remotely infect Mac firmware. Thunderstrike 2 is very apparently named after the original Thunderstrike worm, which was shown off at the Chaos Computer Congress in Germany earlier this year.

Attackers might choose to infect a target via a phishing email and malicious site. The worm is capable to spread automatically from MacBook to MacBook. The worm then writes its malicious malware on the computer’s “bootflash firmware”, giving it complete access to the computer. The worm would then spread to any other computer to which the adapter gets connected. Perhaps because it’s a secure environment they don’t use WiFi, so they have Ethernet adapters.

A week ago LegbaCore published a “bricking demo” video showing a Mac Mini being rendered unbootable due to vulnerable firmware. But Apple, for unknown reasons, has decided to ignore best practice from Intel. Further proving the vulnerability and bringing it to attention, a group of researchers have built on that exploit, resulting in Thunderstrike 2. “Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip” to get remove the malware. This attack does not require physical presence.

Apple was notified about the flaws, but naturally the vulnerabilities are not discussed within Apple’s description of Mac’s Thunderbolt interface and Thunderbolt peripherals. Although Apple “partially fixed” a Mac EFI flaw in June, the researchers said other issues they identified are still unpatched.

For now, the only way for users to detect Thunderstrike 2 attacks, or equivalents, is to do firmware forensics, a service that isn’t on offer to the average user.