“Thunderstrike 2” rootkit uses Thunderbolt accessories to infect Mac firmware
Unlike Thunderstrike 2, the original Thunderstrike proof of concept could only be delivered by someone with physical access who plugged a malicious Thunderbolt peripheral into the target. The new worm, by contrast, could “spread automatically from MacBook to MacBook, without the need for them to be networked”.
The vulnerability it exploits, also referred to as “Darth Venamis”, has been known since September 2014, but it has only been partly patched on Apple Macs, so it still lets an attacker hook into the firmware. Once it has infected a Mac, the worm writes itself into the boot firmware and into the option ROM of any attached Thunderbolt peripheral and persists there, so a machine that is never connected to a network can still be infected through a peripheral. “Lastly, the attacker could corrupt the platform firmware and cause the system to become inoperable”.
The researchers’ worm, which they call Thunderstrike 2, can be delivered the way much malware is: as an attachment to a phishing email or via a compromised website.
If you’re running a uranium centrifuge plant, you definitely don’t want any kind of worm in your systems, least of all one that can spread undetected and leave a machine unbootable. Such a facility probably avoids WiFi precisely because it is a secure environment, so its Macs will use Thunderbolt Ethernet adapters, which carry an option ROM. Any infected machine can copy the worm into such a Thunderbolt device, and when that device is plugged into another Mac the malicious code runs during boot.
A week ago LegbaCore published a “bricking demo” video showing a Mac Mini being rendered unbootable through its vulnerable firmware. Option ROMs on Macs can modify the contents of a firmware update as it is applied, even though they are too small to carry a complete replacement firmware image of their own. These weaknesses are what let the researchers build the worm.
Apple does not follow Intel’s recommended best practices for protecting its firmware. “Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware”, Kovah notes. It turns out that many serious, known PC firmware vulnerabilities are just as effective on Macs.
On Twitter, Hudson previously asked if you are “vulnerable to the cute kittens of Thunderstrike 2”; his tweet included a picture of a Mac with a cute kitten and a link to “download a cute cat screensaver”. Although Apple “partially fixed” a Mac EFI flaw in June, the researchers said other issues they identified remain unpatched. Apple chose not to implement a protection against one flaw that would stop code running inside OS X from rewriting the boot firmware.
Because the worm also infects newly attached Thunderbolt peripherals, a victim who replaces the laptop may re-infect the replacement as soon as an old peripheral is plugged in.
For now, the only way for users to detect Thunderstrike 2 or similar attacks is firmware forensics, a service that isn’t available to the average user.
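As an added illustration of what firmware forensics on a peripheral involves, here is an example parser for PCI expansion ROM images, the format a Thunderbolt adapter’s option ROM uses; it is not code from the researchers or from Apple. It walks the chain of images in a ROM dump, flags the EFI-type images (the ones the Mac’s boot firmware actually executes), and hashes each image so a dump from a suspect device can be compared with one taken before the device was ever plugged into an untrusted Mac. The sample ROM and the “tampered” copy are constructed inline with made-up vendor/device IDs and no real driver code; on a real device you would feed it a dump read from the peripheral.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# PCI expansion ROM header and PCI data structure ("PCIR") layout as defined
# by the PCI firmware and UEFI specifications.
PCI_ROM_SIGNATURE = 0xAA55   # bytes 0x55 0xAA at the start of every image
PCIR_SIGNATURE = b"PCIR"
EFI_ROM_SIGNATURE = 0x0EF1   # marks an EFI-format image (code type 3)
CODE_TYPE_EFI = 3
CODE_TYPE_NAMES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
EFI_MACHINE_NAMES = {0x014C: "IA32", 0x8664: "x64", 0xAA64: "AArch64"}


@dataclass
class RomImage:
    offset: int      # byte offset of the image within the ROM dump
    length: int      # image length in bytes (PCIR length field * 512)
    code_type: int
    vendor_id: int
    device_id: int
    last: bool       # PCIR indicator bit 7: last image in the ROM
    efi_machine: Optional[int] = None
    efi_subsystem: Optional[int] = None
    efi_compressed: Optional[bool] = None

    def describe(self) -> str:
        kind = CODE_TYPE_NAMES.get(self.code_type, f"unknown({self.code_type})")
        s = f"@{self.offset:#06x} len={self.length} {kind} {self.vendor_id:04x}:{self.device_id:04x}"
        if self.efi_machine is not None:
            s += f" machine={EFI_MACHINE_NAMES.get(self.efi_machine, hex(self.efi_machine))}"
        return s


def parse_option_rom(blob: bytes) -> List[RomImage]:
    """Walk the chain of images in a PCI expansion ROM dump, validating each header."""
    images: List[RomImage] = []
    off = 0
    while off + 0x1A <= len(blob):
        (sig,) = struct.unpack_from("<H", blob, off)
        if sig != PCI_ROM_SIGNATURE:
            raise ValueError(f"no 0x55AA signature at {off:#x}")
        (pcir_rel,) = struct.unpack_from("<H", blob, off + 0x18)   # pointer to PCIR
        pcir = off + pcir_rel
        if pcir + 0x16 > len(blob) or blob[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError(f"missing PCIR structure at {pcir:#x}")
        vendor, device = struct.unpack_from("<HH", blob, pcir + 0x04)
        (units,) = struct.unpack_from("<H", blob, pcir + 0x10)      # length in 512-byte units
        code_type = blob[pcir + 0x14]
        last = bool(blob[pcir + 0x15] & 0x80)
        length = units * 512
        if length == 0 or off + length > len(blob):
            raise ValueError(f"image at {off:#x} has bad length {length}")
        img = RomImage(off, length, code_type, vendor, device, last)
        if code_type == CODE_TYPE_EFI:
            (efi_sig,) = struct.unpack_from("<I", blob, off + 0x04)
            if efi_sig == EFI_ROM_SIGNATURE:
                subsystem, machine, compression = struct.unpack_from("<HHH", blob, off + 0x08)
                img.efi_subsystem, img.efi_machine = subsystem, machine
                img.efi_compressed = bool(compression & 1)
        images.append(img)
        if last:
            break
        off += length
    if not images or not images[-1].last:
        raise ValueError("ROM ended without a last-image indicator (truncated dump?)")
    return images


def find_efi_images(blob: bytes) -> List[RomImage]:
    """EFI-type images are the ones the Mac's boot firmware loads and runs."""
    return [i for i in parse_option_rom(blob) if i.code_type == CODE_TYPE_EFI]


def image_digests(blob: bytes) -> Dict[int, str]:
    """SHA-256 of each image, keyed by offset, for comparison with a known-good dump."""
    return {i.offset: hashlib.sha256(blob[i.offset:i.offset + i.length]).hexdigest()
            for i in parse_option_rom(blob)}


def diff_against_baseline(baseline: bytes, suspect: bytes) -> List[int]:
    """Offsets of images in the suspect dump whose contents differ from the baseline."""
    base = image_digests(baseline)
    return [off for off, digest in image_digests(suspect).items() if base.get(off) != digest]


def build_image(code_type: int, last: bool, machine: Optional[int] = None,
                vendor: int = 0x1234, device: int = 0x5678) -> bytes:
    """Construct a minimal 512-byte image for the demo (made-up IDs, no real driver code)."""
    img = bytearray(512)
    pcir = 0x40
    struct.pack_into("<H", img, 0x00, PCI_ROM_SIGNATURE)
    struct.pack_into("<H", img, 0x18, pcir)
    if code_type == CODE_TYPE_EFI:
        struct.pack_into("<H", img, 0x02, 1)                    # init size: 1 unit
        struct.pack_into("<I", img, 0x04, EFI_ROM_SIGNATURE)
        struct.pack_into("<HHH", img, 0x08, 0x0B, machine, 0)   # boot-service driver, uncompressed
        struct.pack_into("<H", img, 0x16, 0x100)                # EFI image header offset
    else:
        img[0x02] = 1                                           # legacy: size in 512-byte units
    img[pcir:pcir + 4] = PCIR_SIGNATURE
    struct.pack_into("<HH", img, pcir + 0x04, vendor, device)
    struct.pack_into("<H", img, pcir + 0x0A, 0x18)              # PCIR structure length
    struct.pack_into("<H", img, pcir + 0x10, 1)                 # image length: 1 unit
    img[pcir + 0x14] = code_type
    img[pcir + 0x15] = 0x80 if last else 0x00
    return bytes(img)


# Constructed baseline: a legacy x86 image followed by an x64 EFI driver image.
SAMPLE_ROM = build_image(0, last=False) + build_image(CODE_TYPE_EFI, last=True, machine=0x8664)
# Constructed "suspect" dump: the same ROM with bytes altered inside the EFI image.
_t = bytearray(SAMPLE_ROM)
_t[512 + 0x100:512 + 0x104] = b"\xEB\xFE\x90\x90"
TAMPERED_ROM = bytes(_t)

if __name__ == "__main__":
    for image in parse_option_rom(SAMPLE_ROM):
        print(image.describe())
    print("changed images:", [hex(o) for o in diff_against_baseline(SAMPLE_ROM, TAMPERED_ROM)])
```

The per-image digest, rather than a digest of the whole dump, is what makes the comparison useful: a legitimate firmware update from the vendor changes one image, whereas an implant of the Thunderstrike kind shows up as an altered or additional EFI image, and the parser’s refusal to accept a chain without a last-image indicator catches a truncated or mis-read dump before it is mistaken for a clean one.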