Intel Security Releases Detection Tool For EFI Rootkits After CIA Leak

After WikiLeaks revealed data exposing information about the CIA's arsenal of hacking tools, Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code. PCWorld reports: The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's Macbooks. The documents from CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter. In addition to DarkMatter, there is a second project in the CIA EDB documents called QuarkMatter that is also described as a "Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant." The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. CHIPSEC consists of a set of command-line tools that use low-level interfaces to analyze a system's hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell. The new CHIPSEC module allows the user to take a clean EFI image from the computer manufacturer, extract its contents and build a whitelist of the binary files inside. It can then compare that list against the system's current EFI or against an EFI image previously extracted from a system.

Conundrum

[Dunbal]

I no longer trust Intel. Therefore why would I run this?

Re:Conundrum

[JonWan]

Wait.... he has a low ID?

Yes! Front Row!

Re:Conundrum

[Dunbal]

Young puppies will never understand that it's impossible to insult an old person by trying to make them feel old. To us this is an advantage, not a disadvantage. It's not me who is wrong, it's you. But you'll only realize it when you reach my age :)

Re:Conundrum

[choovanski]

I know, right? Danged whipper-snappers are so easy to impress these days.

Re:Conundrum

[Junta]

My chance to shine has been ruined.

Re:Conundrum

[akita]

Ahah

Re:Conundrum

[barc0001]

Because they were probably compelled by some sort of behind the scenes bullshit to do this on behalf of the CIA and now that the cat's out of the bag they (the CIA) figure it's probably better to be able to poison the ability for the exploit to work than to let the bad guys (different groups depending on who you are) have a go unhindered.

And they're right. They're utter bastards but they're right.

Re:Conundrum

[Xtacy]

i know eh :)

Re:Conundrum

[timelorde]

I've played this game before. I always lose.

Re:Conundrum

[Dunbal]

Actually if you think about it...

Those who have the most to hide would be the first ones in line to rush to patch...

Re:Conundrum

[msk]

Indeed.

Re:Conundrum

[Highdude702]

So use this patch(read injector) to make you feel at ease while the patch makes sure you're definitely infected. but with a password for login, so the low level criminals cant just come play when they want. they have to pay to play(buy credentials).

Re:Conundrum

[peetm]

Is anything 1000,0000 low?

Re: Conundrum

[Zero__Kelvin]

Well, if that were true then everyone older than me would be right even though they are in diametrical disagreement. The same in inverse for those younger than me. Would you care to re-postulate?

Re: Conundrum

[TheOuterLinux]

Or they gave them something they've been working on that looks like a patch, but is a unfixable root kit. Honestly, unless it's something we can all look at to know for sure there's no backdoor, it's crap. Linux, Linus, and Lynis are all you need to know. When they say Linux, I honestly think they mean Android and are generalizing. For goodness sake, Google knew about Dirty Cow but didn't fix it until December 2016.

Re:Conundrum

[lsatenstein]

I can't trust any cpu. All CPU has room for microcode patches, An instruction does not work right? Well, here is a boot time microcode patch to fix that instruction or to add an instruction. That added instruction could circumvent security by blocking interupts.

But if Intel released chipset manuals

[WillAffleckUW]

Then how can I trust Intel's code to detect rootkits?

Same applies for Motorola and AMD.

Mistake

[sexconker]

When will people admit that [U]EFI was a mistake?

It's too much code at too low a level, and it's too easy to manipulate. I for one would rather pay a nominal fee to have a new ROM chip sent to me. Remember when you could just pop those babies in and out? Remember when we had jumpers to protect and reset BIOS, boot sectors, etc.?

Yes, [U]EFI has good features and goes far beyond what BIOS can do, but so what? Outside of supporting hardware and booting to the point of OS handoff, the BIOS (either BIOS proper or [U]EFI) is supposed to be as minimal as possible. BIOS has been hacked to hell to support all sorts of shit like that at the behest of the various motheboard manufacturers. If we just had a newer BIOS developed by a central body that didn't try to completely reinvent the wheel as a helicopter, we'd be much better off.

Re:Mistake

All I want is a jumper to nuke the write line. Is that too much to ask?

Re:Mistake

[Narcocide]

I've been saying it was a mistake all along! Nobody ever listens to me!

Re:Mistake

[Proudrooster]

Yes, UEFI is a poorly implemented, bad idea, and full of never ending critical vendor security flaws. When you can extract the code, change it, compile it, and put it back, that is scaarrry! I have personally extracted the code from APCI table in the UEFI, tweaked it, compiled it, and put it back. UEFI is a security hole like no other. It can access all the hardware, including memory and the network without the host O/S having any idea.

To quote Linux: EFI is this other Intel brain-damage (the first one being ACPI).

Now root kits can hide after reboot and re-install. UEFI was supposed to make us secure, but all it accomplished was trying to lockout Linux from PC hardware.

Re:Mistake

UEFI is a bad alternative to what we already had that worked better: BIOS. Not all progress is good. Let it go.

Re:Mistake

[sjames]

Hear! Hear!

UEFI is a "solution" looking for a problem. It truly has nothing to offer. We don't need a badly implemented mini-OS to load the real OS.

What we really needed was a simple 64 bit clean minimalist firmware to put the system into a known good standard condition, then load a stub and jump to it.

Re:Mistake

[grep+-v+'.*'+*]

When will people admit that [U]EFI was a mistake?

(from below) but all it accomplished was trying to lockout Linux from PC hardware.

Microsoft: SUCCESS! What?? A misteak? ... You clearly don't work here. Begone, open-source heathen!

Re:Mistake

[xvan]

And that's different from bios updates besides available space exactly how?

Re:Mistake

[SuricouRaven]

Don't blame Intel for the constant problems of ACPI. It was a good design, as initially envisioned.

Blame Microsoft. The Windows ACPI support is really, really awful, but every non-server motherboard is designed and tested for windows - linux testing is an afterthought, if at all. Same for laptops. An ACPI implementation designed and tested for Windows is likely to go very wrong if confronted with an OS that actually does ACPI properly. A common problem is invalid values in those ACPI tables (Probably why the above poster was fiddling with them) - Windows ignores a few values, and just assumes defaults, so some mainboards and laptops pass testing on Windows even though the wrong values or just all-zeros are written in. When linux reads and tries to act on those tables, it usually hangs the system.

My own desktop has an issue something like that, which I got around by just putting 'acpi=off' on the kernel options.

Re:Mistake

[AmiMoJo]

Seems like you have never heard of Secure Boot. It's part of the UEFI spec that adds the security you are missing. With it enabled, screwing with parts of the firmware will break the chain of trust.

People hated it because it can be used to lock a machine to booting only Windows, but most implementations allow you to install your own keys.

UEFI reduces the attack surface compared to the old BIOS. That's one reason it boots faster - it does so much less.

Obviously Libreboot would be even better, but UEFI is still way better than the BIOS.

Re: Mistake

[Zero__Kelvin]

The only thing you didn't mention is that this is quite intentional on the part of Microsoft as they work closely with the vendors, and deviating from their published standards for market advantage was one of Gates' classic scumbag moves.

Re: Mistake

[Zero__Kelvin]

Actually I don't find it scary by any stretched of the imagination. I DO find it scary that I live in a world where people read Slashdot and find this scary though.

Re: Mistake

[Zero__Kelvin]

You should actually learn quite a bit about the history of PCs and computer architecture in general, as well as UEFI itself, then get back to us.

Re: Mistake

[sjames]

Actually, I know a great deal about it including being one of the first to use boot code tracing on a PC and work on the CoreBoot project (back when it was still LinuxBIOS). My first hack on BIOS itself was to convince an XT clone to accept a V20 CPU.

The biggest problems with BIOS were it's attempt to be an Input Output System as well as a startup firmware and severe limitations on it's ability to handle large drives.

The rest is a solution looking for a problem.

Now, would you like to make a substantial claim against my position rather than a frivolous claim that I don't know the subject matter or were you just blowing smoke?

Re: Mistake

[Zero__Kelvin]

Why would I bother. According to your claim you ashtray know why BIOS is a thing if the past and why that is a good thing. You said you are an expert, right?

Re: Mistake

[sjames]

In other words, you haven't a clue?

I agree a BIOS replacement was needed. EFI wasn't it. I have a worn out sock that needs replacing too, but you won't see me hopping down the street with my toes stuck in a bowling ball.

If you think EFI was the right answer, defend your position.

Re: Mistake

[Zero__Kelvin]

You are saying 'right' and implying perfect. I never said UEFI is perfect. I said we have it for a reason, and since you didn't come up with a better one ... "expert" though you are ... this is what we have and it is fine.

Re: Mistake

[sjames]

You need to read the thread again starting from the top. Either you are posting to the wrong thread or you're having a far more in-depth discussion in your own head than is implied by the actual posts here.

All you have said here is that you believe *I* should review the history of BIOS and that you will not defend your position (whatever it may be). Your post above was the first time in this thread you even claimed we have EFI for a reason (but you haven't stated one to me yet).

Re:Mistake

[sexconker]

Secure boot doesn't protect shit beyond making you unable to boot to unsigned shit. The firmware is still as buggy and exploitable as fuck. And now wvery fuckign peripheral has firmware being talked to and running shit pre boot!

Are you retarded? You think UEFI presents a SMALLER attack surface? And you think that's why it boots faster? Hint: It doesn't boot faster. It may warm boot Windows faster, but that's got nothing to do with UEFI vs. BIOS. BIOS can achieve the same thing because the "fast booting" you're seeing is mostly due to skipping shit and not making devices available. Intel boards for example have 2 or 3 levels of fast booting, with warnings telling you that USB won't be available until OS handoff, you'll need to hold the button for 5 seconds or pull power to revert if you can't get into the OS, etc. It's akin to skipping POST and ignoring devices for boot / OROM consideration in BIOS.

Re:Mistake

[sexconker]

Does Windows 10 even support BIOS mobos that don't have partial/faked EFI support?
Looking forward, everything is fucked. UEFI everywhere, Windows 10 everywhere, IME/PSP everywhere.
BIOS implementations can be insecure as fuck too, but there's typically the option to lock the BIOS to prevent this. Modern enthusiast/gamer boards have a dual BIOS option which lets you toggle a good copy of the BIOS if the current one fucks up or you bork it with overclocking settings. Older MSI boards used to have 2 physical chips, but I'm fairly certain that the toggle is completely physical now, so you could still be fucked. Theoretically the toggle control would be very low level and represent a very small attack surface, so it shouldn't be hard to implement securely. But I haven't seen a modern gamer board with a physical jumper to write protect shit in a while, so while you have the option to toggle to a known-good BIOS, you'd only ever do that if you knew your current BIOS got fukt.

Re:Mistake

[sexconker]

Dump the chip? Or use EEPROM (they're all EEPROM now anyway) and write a trusted version yourself?

Re:Mistake

[AmiMoJo]

UEFI is much better than the BIOS for peripheral firmware. The BIOS runs x86 code directly. UEFI has a virtual machine running bytecode. At least you have a chance of securing that, with the BIOS you can't do anything.

Re:Mistake

[hummassa]

LMFTFY:

Number of BIOS updates I've ever installed on my computer: 0.

Number of BIOS updates I've knowingly installed on my computer (bear in mind, your vendor could have it pre-installed, the NSA could install it on transit to the store, the evil maid on the hotel could have installed it while you were at the pool, etc)

Number of processes from the BIOS still running after the boot process finished: 0.

Number of processes from the BIOS that I know that are still running after the boot process finished (you don't think a spy process from the BIOS would be visible to your OS's pstools, do you?)

So how do I install it?

[Snotnose]

Link leads to github, which I've never used. Reading the manual I need to install Python using pip. Never heard of pip. Google says it's a Python package manager. Whee.

Then I have to compile some C programs. OK.

Then I have to shutdown my system using funny flags I've never seen before. Before doing this I hope I've printed out a few pages of the manual, because the next few steps are wat do when the system won't boot.

Then I can run it.

OK, I'm technically competent. I'm kinda surprised I've had this laptop for 2 years and have yet to install Python. Oh well, not a problem. I've also got a C development system, that's easy enough. And I'm smart enough to print out the 2-3 pages of important info before shutting down my system in a funky way.

So yeah, I can install and run this. But how about grandma? She has no chance. Besides the fact she's been dead for 10 years or so, she would never be able to figure this stuff out.

What we need is a .msi file we can install that, when run, says yay or nay that the CIA/NSA/KGB/Chinese/whomever has infected your firmware.

Re:So how do I install it?

[WillAffleckUW]

Pretty sure one is posted at www.cia.gov/rootkit/EFI.msi

Re:So how do I install it?

in addition you have to trust the tool to detect any newer rootkits that did not get disclosed by intel/cia leak.
not sure i trust intel any more than cia

Re:So how do I install it?

[enrique556]

Yeah, msi file yep, for our windows 10. So we can download it, install it, go to our start menu, scroll past the PowerJelq(tm) ad that popped up in our pinned list since the last windows update, and check if anyone's been dicking with our system without our consent.

Re:So how do I install it?

[AHuxley]

We need a nice GUI version for Mac and Linux users.

Re:So how do I install it?

[SuperKendall]

No need for a Windows GUI I guess because you can just assume there is a rootkit up your EFI.

Re:So how do I install it?

[AHuxley]

Most Windows 10 users got their OS for games, GPU support and directx 12.
Interesting to the CIA and NSA as a way in to record interesting people in that home.
The need for a Linux and Mac GUI is the ability to test and see results as they might get a change in their computer via the Automated Implant Branch (AIB).
That could automate gov malware been pushed down into Linux or Mac OS to avoid any software firewall or other unexpected security settings.

Re:So how do I install it?

[Snotnose]

Reading the manual I need to install Python using pip. Never heard of pip. Google says it's a Python package manager. Whee.

Subtly seldom works here. I have to install Python to get a thingie I need to install Python. If this isn't a Whiskey Tango Foxtrot moment I don't know what is.

The whole set of instructions for installing/running this tool are dead on arrival for 99% of /. readers, let alone the general population.

Re:So how do I install it?

[Highdude702]

Well if they use a .msi How will the linux and OSX users run it? Oh you run windows so thats the only OS that exists.. got you!

Re:So how do I install it?

[Highdude702]

Us other 1% though. This is comedy gold for us. We were smart enough to either except our 3 lettered overlords of the internet or cripple the UEFI itsself. Also if youre that concerned build a firewall with old verifiable non backdoored hardware(looking at the 1990 IBM server in my closet) and monitor your traffic in and out. Block everything that isnt absolutely needed. 65535 ports is overkill anyways. nobody needs that many O.o

Re:So how do I install it?

[Vairon]

If they had only provided an MSI installer containing this program would you have really trusted it and ran it? At least by releasing the source code, we can look at it and verify what we are running before we do so.

Re: So how do I install it?

[Zero__Kelvin]

Your post shows a complete lack of understanding of the situation. You cannot run an MSI file because that requires you have booted Windows already, at which point all bets are off as any malware you may be infected with is already running.

What does it mean

when Intel builds a separate computing environment into their processors and chipsets, designed to operate out of control or view of the user, and then offers this EFI rootkit detection tool? Can you trust Intel?

Re:What does it mean

[zlives]

no

Re:What does it mean

[AmiMoJo]

It's open source and relatively small, so sneaking stuff into it will be hard. But what do you have to lose by running it anyway? At worst it ignores the NSA rootkit, but you are no worse off than before.

What if I'm running an AMD board?

[clonehappy]

You insensitive clods!

Yeah right

Intel already has a backdoor called "Intel Management Engine Interface" that can't be disabled, even if you disable Windows drivers or run Linux, it's built into the BIOS that cannot be disabled.

The UEFI/EFI itself is another layer of bullshit that makes it such a hassle to dual-boot or run non-windows OS. Try installing Linux Mint on an HP laptop and even the latest version requires you to log into the UEFI partition and rename/move the image file just so you can get grub to show up during boot (without hitting hot keys).

How do I know that Intel's utility's not going to replace it with the Microsoft version in the name of "security"?

How do I know your replacement image, if that's how it works - is not going to be Intel's compromised BS that allows even more access than the fucking Intel Management engine?

Yet Lower Level

My understanding (perhaps somewhat dated) is there is modifiable code inside Intel CPUs as well. Does the CIA/NSA/whoever have the capability of silently changing that microcode so as to make their task easier (perhaps as simple/complex as detecting when certain encryption code is running, and changing the results to be cryptographically weaker)? Or is this old stuff that no longer applies?

Re:Yet Lower Level

[Snotnose]

Yeah, Intel has "secure boot" firmware in their CPUs that provide something called UEFI. They don't release the source code. If compromised it's even worse than a root kit. Do I need to mention the NSA/CIA/KGB/Chinese/Random hacker group has a 50/50 chance of already hacking it?

If you don't trust Intel you are kinda screwed

[Sycraft-fu]

So obviously Intel makes popular CPUs, as well as other components, in computers. If you run a system with any of those, well then they could have a back door in them and there's nothing you could do. However it goes further than that: The Intel C Compiler is EXTREMELY popular for writing software (in Windows and Linux) because it generates really optimized code. It could, of course, insert back doors in to binaries without the knowledge of the person compiling it. So you'd have to scrap anything written using it.

Really, it isn't feasible. If you are so paranoid you think Intel is spying on you or helping others spy, your probably have to go hide in a cave because there is just nothing you can really do to eliminate all risk.

At some point, you have to stop being a member of the AFDB brigade and just accept that ya, there's some risk in trusting, well, anyone but you have to and just leave it be. You also have to accept that you aren't protecting nuclear secrets, the kind of attacks against you are not the spy-agency level.

Re:If you don't trust Intel you are kinda screwed

[Dunbal]

Or just buy an old 386 and run MD-DOS.

Re:If you don't trust Intel you are kinda screwed

[Highdude702]

How do you know I'm not protecting nuclear systems? Have you used one of the Intel backdoors to search my system for trade secrets?

Re:If you don't trust Intel you are kinda screwed

[LienRag]

Well, they do have a backdoor: IME/AMT...

Never.

[waspleg]

This is part of the long slow march back to locked down shitty platforms and completely closed hardware. This is the phone/appliance-ification of your shit.

People don't understand the freedoms they're losing. By the time they realize it it will be far too late (it pretty much already is at this point). Even the term "walled garden" doesn't make it sound as bad as it is.

What really gets to me is it takes talented, highly educated people in niche fields to create this shit and they're selling out hardcore to some of the worst evils imaginable and giving no fucks (the over arching cultural imperative, at least in America, of "I got mines").

It's a shame there aren't more RMS style zealots; maybe even some with billions of dollars to throw at preserving and perpetuating freedom.

Re: Never.

[Zero__Kelvin]

What the hell are you talking about? Locked down platforms have NEVER been the norm.

Re:Not A Mistake

[Highdude702]

I have no problem buying a new computer. But I want control of my hardware. I replace shit whether its broken or not. Just to give me something to play with. But I remember the days when you didnt have to play the "Lets break this part to make the system work right" game..

What about "secure boot"?

[peppepz]

What about UEFI's "secure boot"? Wasn't it designed to prevent this kind of boot exploits, while incidentally making it a pain in the backside to run non-Microsoft OSes? So, was the executable image of the CIA exploit signed? By whose key?

Re: Not A Mistake

[Zero__Kelvin]

I am a Linux advocate, but I have to say this is a ridiculous claim. Linux boots on UEFI just fine.

Re: Not A Mistake

[Zero__Kelvin]

You are confusing UEFI and Secure Boot

Re: Not A Mistake

[elgaard]

Eventually you can get Linux to boot on UEFI just fine. But it is harder than before.

It used to be that you could just put a DVD in a computer and click OK to install Linux, and that was it.

Now people people ask me for help when Linux installation fails. Usually the installation seem to succeed, but the computer cannot boot. I usually install Boot-Repair on a live USB disk, boot the computer and fix it. Boot-Repair is a nice toot but really, it should not be necessary.
    And sometimes it does not work. Early versions of the Intel NUC would fail starting Ubuntu because if expected the executable to be named uefi.exe, not grub.exe. Intel fixed it in a later firmware version. But it is telling that they created something so complex, that not even Intel could get it right.

It ia REALLY this...

[martinfb]

It is really another tool developed by Intel for the CIA to make hacking even easier!

All this hype is to just get you to install it!

GOTCHA - AGAIN!!!