Posted on 08/03/2015 10:25:23 PM PDT by Swordmaker
Researchers Trammel Hudson and Xeno Kovah have built a self-replicating Apple firmware malware that can infect peripherals to spread to new computers.
The ThunderStrike 2 malware is the second iteration of the attack forged earlier this year and removes the requirement for attackers to have physical access to machines.
Hudson says while his proof of concept is deliberately noisy, displaying a logo during boot, a real attack could be made surreptitious through virtualisation or system management mode.
"Thunderstrike 2 starts with a local root privilege exploit that can load a kernel module to give it access to raw memory [and] can unlock and rewrite the motherboard boot flash," Hudson says.
"It can search the PCIe bus and look for removable Thunderbolt devices and write itself into their option ROMs.
"When the infected adapter is connected to a fresh laptop during system boot the option ROM is executed by EFI firmware before the kernel is started and hooks the S3 resume script that will be executed when the system comes out of sleep mode."
Once installed in the boot flash, Thunderstrike is "very difficult" to remove because it controls the system from the first executed command. Reinstalling the operating system or even replacing the hard drive will not remove it.
The infection of new Thunderbolt peripheral devices means a potential victim may even re-infect a replacement laptop.
Thunderstrike was revealed in January as a then unmitigated attack targeting option ROMs to load malware by replacing RSA keys in Mac extensible firmware interfaces (EFIs).
Apple issued a partial fix in the ensuing OS X patch run blocking it in version 10.10.2. Option ROM updates coupled with Boot Guard mitigations also slow it down for those attackers lacking high levels of resources.
THANKS to DayGloRed for the heads up!
If you want on or off the Mac Ping List, Freepmail me.
Definitely one to watch out for.
The best news is that although it's a worm, it still requires a TROJAN to deliver it. . . and Apple still warns all users of all the known trojans. It would take an entirely new family of trojans to deliver it, because OS X will recognize all the current families and their variants.
And of course, do not download anything except from authorized site. Keep Gatekeeper turned on.
this is bad, right?
In a way, yes. . . however, I just went over the video and the article with a fine-tooth comb and I found this:
"Thunderstrike 2 starts with a local root privilege exploit that can load a kernel module to give it access to raw memory [and] can unlock and rewrite the motherboard boot flash," Hudson says.
They don't tell us right out that the Trojan that's required to invade the original "infection" machine has to be running with ROOT privileges. No normal Mac user ever runs with ROOT privileges. . . not even an Administrator runs with ROOT privileges. That ROOT user is one level above Administrator. . . and is inactive on a normal Mac. The Administrator can reach ROOT commands by use of the SUDO command (SuperUser DO) for single command lines. Or an Administrator can activate a SuperUser by creating a ROOT account (only one is permitted per machine) by creating a Root user Name and password. Then logging in as that ROOT user.
The likelihood of anyone downloading a TROJAN as a ROOT user is somewhere between zero and nil. . . unless the user is industrial strength stupid and then some.
Using a root privilege exploit means that the victim is running at normal privileges. The exploit bumps the software up to the root level. The victim is not running at root, as you say, nobody does. But it's not impossible to find exploits to get from normal privileges to root, it just adds one more complication to the attack and one more chance for it to fail...
A bug in the latest version of Apple's OS X gives attackers the ability to obtain unfettered root user privileges, a feat that makes it easier to surreptitiously infect Macs with rootkits and other types of persistent malware.
The privilege-escalation bug, which was reported ...
The article about thunderstrike is a little vague. It doesn't come out and say they used a privilege escalation exploit, but it implies that it does.
...And I thought that Apple had no worries about viruses at one time.
By default, the root user account on OS X is disabled. You would first have to manually enable it and assign a password.
Ten + years ago, updating a Notion Ink Adam tablet we would causally root our tablet then flash the ROM to allow us to get updates from a web site called Tablet Roms. We were unconcerned about malicious exploits because no one knew of them. How times changed.
You need to read the full details of this hack. Any Mac physically connected to a network can be infected without user interaction. Wired has a much more detailed article on this, but can’t be posted on FR due to copyright issues.
Another more detailed source I read states that this payload can be delivered by physically plugging into a network, using a USB drive with the payload or an ssd external. It will install without the user having to interact and does not require the user to be root. It is at the hardware level where no checksums are being used, no virus scan is seeing it, and can't be wiped without reflashing the component.
This was discovered under Windows and then the researchers decided to try Mac because they use many community hardware components. 3 or 4 out of 5 worked with Mac as well.
That is never what was claimed.....Apple users are less likely to get viruses and worms and malware (etc etc etc) because of the way the system works.
That's only relevant if you are interested in logging into root normally. A privilege escalation bug does not login, does not need the account to be enabled and does not need a password assigned. As a simple example, I can escalate my privilege on MacOS using sudo with my root account locked out and no password assigned (sudo requires my own password). Let's say hypothetical malware is able to sudo without querying the TTY for my password. That would be an example of a privilege escalation exploit.
Also, and though I note the admin/root distinction you mention below, please, please, please people, regardless of what OS you run, create separate accounts for admin and daily use. Never do your daily stuff in an admin account - and only provide the admin user/password when prompted if you fully understand what it is you're about to do.
The easiest attack vector under any computer security model is trying to elicit a mistake from a privileged user.
There’s rarely any reason to have an admin account on MacOS. In contrast Windows defaults to an admin account although many actions will trigger UAC. The problem is that the more actions trigger UAC, the more accustomed you will be to pressing ok. Mac is not immune, with its sudo action password popup.