Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel Security Releases Detection Tool For EFI Rootkits After CIA Leak (pcworld.com)

Posted by BeauHD on from the better-safe-than-sorry dept.

After WikiLeaks revealed data exposing information about the CIA's arsenal of hacking tools, Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code. PCWorld reports: The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's Macbooks. The documents from CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter. In addition to DarkMatter, there is a second project in the CIA EDB documents called QuarkMatter that is also described as a "Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant." The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. CHIPSEC consists of a set of command-line tools that use low-level interfaces to analyze a system's hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell. The new CHIPSEC module allows the user to take a clean EFI image from the computer manufacturer, extract its contents and build a whitelist of the binary files inside. It can then compare that list against the system's current EFI or against an EFI image previously extracted from a system.

1 of 159 comments (clear)

  1. Yeah right by Anonymous Coward · · Score: 5, Interesting

    Intel already has a backdoor called "Intel Management Engine Interface" that can't be disabled, even if you disable Windows drivers or run Linux, it's built into the BIOS that cannot be disabled.

    The UEFI/EFI itself is another layer of bullshit that makes it such a hassle to dual-boot or run non-windows OS. Try installing Linux Mint on an HP laptop and even the latest version requires you to log into the UEFI partition and rename/move the image file just so you can get grub to show up during boot (without hitting hot keys).

    How do I know that Intel's utility's not going to replace it with the Microsoft version in the name of "security"?

    How do I know your replacement image, if that's how it works - is not going to be Intel's compromised BS that allows even more access than the fucking Intel Management engine?