Slashdot Mirror


Intel Security Releases Detection Tool For EFI Rootkits After CIA Leak (pcworld.com)

After WikiLeaks revealed data exposing information about the CIA's arsenal of hacking tools, Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code. PCWorld reports: The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's Macbooks. The documents from CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter. In addition to DarkMatter, there is a second project in the CIA EDB documents called QuarkMatter that is also described as a "Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant." The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. CHIPSEC consists of a set of command-line tools that use low-level interfaces to analyze a system's hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell. The new CHIPSEC module allows the user to take a clean EFI image from the computer manufacturer, extract its contents and build a whitelist of the binary files inside. It can then compare that list against the system's current EFI or against an EFI image previously extracted from a system.
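The summary describes a baseline-and-compare workflow: take a vendor-supplied clean image, record the binaries it contains, then diff a later extraction against that record. The following is an added example written for this page to illustrate that workflow; it is not CHIPSEC's own module, and the file names and byte contents are constructed stand-ins for the driver binaries a real extraction would yield. It keys the whitelist on path plus SHA-256 and distinguishes four outcomes: a binary with no known-good hash (unknown), a known path whose bytes changed (modified), a known-good hash that appears under a different path (relocated), and a baseline binary that is gone (missing).

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample data. Each entry stands in for one EFI binary pulled out
# of a firmware volume; real extractions would be full PE/COFF drivers.
CLEAN_IMAGE = {
    "PEI/PlatformInit.efi": b"MZ" + b"vendor-pei-v1",
    "DXE/CpuDxe.efi": b"MZ" + b"vendor-cpu-dxe",
    "DXE/UsbBus.efi": b"MZ" + b"vendor-usb",
}

CURRENT_IMAGE = {
    "PEI/PlatformInit.efi": b"MZ" + b"vendor-pei-v1",        # unchanged
    "DXE/CpuDxe.efi": b"MZ" + b"vendor-cpu-dxe-patched",    # same name, different bytes
    "DXE/Persist.efi": b"MZ" + b"not-from-vendor",          # extra driver with no baseline entry
    "DXE/UsbHost.efi": b"MZ" + b"vendor-usb",               # known-good bytes under a new name
    # DXE/UsbBus.efi is absent from the current image
}


def build_whitelist(image):
    """Record path -> SHA-256 for every binary in a clean image.

    Only digests are kept, so the whitelist can be stored and reused
    without keeping the full vendor image around.
    """
    return {path: hashlib.sha256(data).hexdigest() for path, data in image.items()}


def whitelist_to_json(whitelist):
    """Serialize the whitelist so it can be checked into a repo or shipped to hosts."""
    return json.dumps(whitelist, indent=2, sort_keys=True)


def whitelist_from_json(text):
    return json.loads(text)


@dataclass
class Diff:
    unknown: list = field(default_factory=list)    # no baseline entry and hash never seen
    modified: list = field(default_factory=list)   # baseline path present, bytes differ
    relocated: list = field(default_factory=list)  # known-good hash, unexpected path
    missing: list = field(default_factory=list)    # baseline path absent from current image

    def clean(self):
        return not (self.unknown or self.modified or self.relocated or self.missing)


def compare(whitelist, image):
    """Diff a current image against the whitelist built from the clean one."""
    current = build_whitelist(image)
    known_hashes = set(whitelist.values())
    diff = Diff()
    for path in sorted(current):
        digest = current[path]
        if path in whitelist:
            if whitelist[path] != digest:
                diff.modified.append(path)
        elif digest in known_hashes:
            diff.relocated.append(path)
        else:
            diff.unknown.append(path)
    diff.missing = sorted(p for p in whitelist if p not in current)
    return diff


if __name__ == "__main__":
    wl = whitelist_from_json(whitelist_to_json(build_whitelist(CLEAN_IMAGE)))
    result = compare(wl, CURRENT_IMAGE)
    for label in ("unknown", "modified", "relocated", "missing"):
        for path in getattr(result, label):
            print(f"{label:9s} {path}")
    print("firmware matches baseline" if result.clean() else "firmware deviates from baseline")
```

Two limits of this approach follow directly from the summary. It only reports deviation from the vendor image, so the vendor image itself has to be trusted and obtained out of band. And it only covers what was extracted: the QuarkMatter description above places its driver on the EFI system partition, a disk location rather than the SPI flash image, so an ESP that is not enumerated into the comparison would not be checked by a flash-only diff.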

4 of 159 comments

  1. Conundrum by Dunbal · Score: 4, Insightful

    I no longer trust Intel. Therefore why would I run this?

    --
    Seven puppies were harmed during the making of this post.

    1. Re:Conundrum by barc0001 · Score: 4, Insightful

      Because they were probably compelled by some sort of behind the scenes bullshit to do this on behalf of the CIA and now that the cat's out of the bag they (the CIA) figure it's probably better to be able to poison the ability for the exploit to work than to let the bad guys (different groups depending on who you are) have a go unhindered.

      And they're right. They're utter bastards but they're right.

  2. Mistake by sexconker · Score: 5, Insightful

    When will people admit that [U]EFI was a mistake?

    It's too much code at too low a level, and it's too easy to manipulate. I for one would rather pay a nominal fee to have a new ROM chip sent to me. Remember when you could just pop those babies in and out? Remember when we had jumpers to protect and reset BIOS, boot sectors, etc.?

    Yes, [U]EFI has good features and goes far beyond what BIOS can do, but so what? Outside of supporting hardware and booting to the point of OS handoff, the BIOS (either BIOS proper or [U]EFI) is supposed to be as minimal as possible. BIOS has been hacked to hell to support all sorts of shit like that at the behest of the various motherboard manufacturers. If we just had a newer BIOS developed by a central body that didn't try to completely reinvent the wheel as a helicopter, we'd be much better off.

    1. Re:Mistake by Proudrooster · Score: 4, Insightful

      Yes, UEFI is a poorly implemented, bad idea, and full of never ending critical vendor security flaws. When you can extract the code, change it, compile it, and put it back, that is scaarrry! I have personally extracted the code from the ACPI table in the UEFI, tweaked it, compiled it, and put it back. UEFI is a security hole like no other. It can access all the hardware, including memory and the network, without the host O/S having any idea.

      To quote Linus: EFI is this other Intel brain-damage (the first one being ACPI).

      Now rootkits can hide after reboot and re-install. UEFI was supposed to make us secure, but all it accomplished was trying to lock Linux out of PC hardware.