Free Republic
OS X remote malware strikes Thunderbolt, hops hard drive swaps
The Register ^ | 4 Aug 2015

Posted on 08/03/2015 10:25:23 PM PDT by Swordmaker

Researchers Trammel Hudson and Xeno Kovah have built a self-replicating Apple firmware malware that can infect peripherals to spread to new computers.

The Thunderstrike 2 malware is the second iteration of the attack forged earlier this year and removes the requirement for attackers to have physical access to machines.

Hudson says while his proof of concept is deliberately noisy, displaying a logo during boot, a real attack could be made surreptitious through virtualisation or system management mode.

"Thunderstrike 2 starts with a local root privilege exploit that can load a kernel module to give it access to raw memory [and] can unlock and rewrite the motherboard boot flash," Hudson says.

"It can search the PCIe bus and look for removable Thunderbolt devices and write itself into their option ROMs.

"When the infected adapter is connected to a fresh laptop during system boot the option ROM is executed by EFI firmware before the kernel is started … and hooks the S3 resume script that will be executed when the system comes out of sleep mode."

Once installed in the boot flash, Thunderstrike is "very difficult" to remove because it controls the system from the first executed command. Reinstalling the operating system or even replacing the hard drive will not remove it.

The infection of new Thunderbolt peripheral devices means a potential victim may even re-infect a replacement laptop.

Thunderstrike was revealed in January as a then-unmitigated attack that used option ROMs to load malware by replacing the RSA keys in the Mac Extensible Firmware Interface (EFI) firmware.

Apple issued a partial fix in the ensuing OS X patch run, blocking it in version 10.10.2. Option ROM updates coupled with Boot Guard mitigations also slow it down for those attackers lacking high levels of resources.

YouTube Video on Thunderstrike 2
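The chain the article describes runs through a PCI expansion ROM: the firmware on an adapter holds one or more images, and an EFI-type image (PCIR code type 0x03) is loaded and run by the Mac's EFI before the kernel starts, which is how an infected adapter reaches a fresh machine. The parser below is an added example, not code from the article or from Hudson and Kovah. It walks the image chain defined by the PCI Firmware Specification, reports what kind of code each image carries, and hashes every image so a defender can compare an adapter's ROM against a baseline recorded when the adapter was new. The sample ROM, its vendor and device IDs (0x1234/0x5678) and the 0x100 payload offset are constructed for illustration; on Linux a real ROM can be dumped from /sys/bus/pci/devices/<bdf>/rom.

```python
"""Walk a PCI expansion ROM (option ROM) image chain and report what it carries.

Added example; not code from the article or from the Thunderstrike researchers.
Layout follows the PCI Firmware Specification: each image begins with 0x55 0xAA,
offset 0x18 holds a pointer to a "PCIR" data structure, and bit 7 of the PCIR
indicator byte marks the last image in the chain. SAMPLE_ROM is constructed at
the bottom for illustration; on Linux a real ROM can be dumped from
/sys/bus/pci/devices/<bdf>/rom (write 1 to the file first to enable it).
"""
import hashlib
import struct

ROM_SIG = b"\x55\xAA"
PCIR_SIG = b"PCIR"
EFI_SIG = 0x0EF1  # value at offset 4 of an EFI-format image header
CODE_TYPES = {0x00: "x86 BIOS", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}
MACHINE_TYPES = {0x014C: "IA32", 0x8664: "x64", 0xAA64: "AArch64"}
EFI_SUBSYSTEMS = {0x0A: "application", 0x0B: "boot service driver", 0x0C: "runtime driver"}


def parse_rom(rom: bytes) -> list:
    """One dict per image in the chain; ValueError if the ROM is malformed or truncated."""
    images, off = [], 0
    while True:
        if off + 0x1A > len(rom):
            raise ValueError(f"ROM ends at 0x{len(rom):x} without a last-image indicator")
        if rom[off:off + 2] != ROM_SIG:
            raise ValueError(f"no 55AA signature at 0x{off:x}")
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if pcir + 0x18 > len(rom) or rom[pcir:pcir + 4] != PCIR_SIG:
            raise ValueError(f"no PCIR structure for image at 0x{off:x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        units = struct.unpack_from("<H", rom, pcir + 0x10)[0]  # image length in 512-byte units
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        length = units * 512
        if length == 0 or off + length > len(rom):
            raise ValueError(f"image at 0x{off:x} claims {length} bytes, ROM has {len(rom)}")
        body = rom[off:off + length]
        info = {
            "offset": off, "length": length, "vendor_id": vendor, "device_id": device,
            "code_type": CODE_TYPES.get(code_type, f"unknown({code_type:#x})"),
            "last": bool(indicator & 0x80),
            "sha256": hashlib.sha256(body).hexdigest(),  # for baseline comparison
        }
        if code_type == 0x03:
            # EFI header: init size @2, 0x0EF1 @4, subsystem @6, machine @8,
            # compression @0xA, offset of the PE/COFF payload @0x16
            efi_sig, subsystem, machine, compression = struct.unpack_from("<HHHH", rom, off + 4)
            if efi_sig != EFI_SIG:
                raise ValueError(f"EFI code type at 0x{off:x} but header signature is {efi_sig:#06x}")
            info.update(
                machine=MACHINE_TYPES.get(machine, f"unknown({machine:#x})"),
                subsystem=EFI_SUBSYSTEMS.get(subsystem, f"unknown({subsystem:#x})"),
                compressed=compression == 1,
                efi_image_offset=struct.unpack_from("<H", rom, off + 0x16)[0],
            )
        images.append(info)
        if info["last"]:
            return images
        off += length


def efi_images(images):
    """Images the EFI firmware would load and run before the kernel starts."""
    return [i for i in images if i["code_type"] == "EFI"]


def changed_images(images, baseline):
    """Images whose hash is not in a previously recorded baseline (a set of hex digests)."""
    return [i for i in images if i["sha256"] not in baseline]


def _image(code_type, vendor, device, units, last, machine=0x8664):
    """Construct one image for SAMPLE_ROM (illustration only; the IDs are made up)."""
    img = bytearray(units * 512)
    img[0:2] = ROM_SIG
    pcir = 0x40
    struct.pack_into("<H", img, 0x18, pcir)
    if code_type == 0x03:
        # init size, EFI signature, subsystem = boot service driver, machine, uncompressed
        struct.pack_into("<HHHHH", img, 2, units, EFI_SIG, 0x0B, machine, 0)
        struct.pack_into("<H", img, 0x16, 0x100)  # where the PE/COFF payload would begin
    else:
        img[2] = units                  # legacy size byte
        img[3:6] = b"\xEB\xFE\x90"      # legacy entry point: jmp $
    img[pcir:pcir + 0x18] = struct.pack(
        "<4sHHHHB3sHHBBH", PCIR_SIG, vendor, device, 0, 0x18, 3,
        b"\x00\x00\x02",                # class code 0x020000 (network controller)
        units, 1, code_type, 0x80 if last else 0, 0)
    return bytes(img)


# Constructed two-image ROM: a legacy x86 image followed by an EFI x64 driver.
SAMPLE_ROM = _image(0x00, 0x1234, 0x5678, 1, False) + _image(0x03, 0x1234, 0x5678, 2, True)

if __name__ == "__main__":
    for img in parse_rom(SAMPLE_ROM):
        print(f"0x{img['offset']:05x} {img['length']:6d}B {img['code_type']:<12} "
              f"{img.get('machine', '-'):<8} sha256={img['sha256'][:16]}...")
```

A legitimate Thunderbolt adapter may well ship an EFI driver image, so the presence of one is not by itself a finding; what is worth acting on is a hash that differs from the baseline recorded when the adapter was new, or an EFI image appearing on a device that never had one. The parser refuses an image whose declared length runs past the end of the ROM, which is also how a truncated dump surfaces instead of being silently accepted.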


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; malware; thunderstrike
To: Swordmaker

For anyone who is unfamiliar with Mac Gatekeeper, here is a link explaining it...

http://www.macobserver.com/tmo/article/how-to-secure-your-mac-with-os-x-gatekeeper


21 posted on 08/04/2015 8:27:20 AM PDT by aMorePerfectUnion ( "Forward lies the crown, and onward is the goal.")

To: palmer
There’s rarely any reason to have an admin account on MacOS.

Opinions vary. Mine is you should never use an admin-level account as your day-to-day login. OS X may have features that protect you from yourself if you don't, but it's still poor practice and explicitly separating admin from regular users helps enforce the point of what you're doing.

22 posted on 08/04/2015 9:36:25 AM PDT by kevkrom (I'm not an unreasonable man... well, actually, I am. But hear me out anyway.)
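One way to act on the advice above is to check which accounts on a Mac actually hold admin rights, since a day-to-day account that has quietly been left in the admin group defeats the separation. The script below is an added example, not something from the thread. It parses the output of two real `dscl` commands (`dscl . -read /Groups/admin GroupMembership` and `dscl . -list /Users UniqueID`) and reports human accounts that are members of the admin group, where "human" is assumed here to mean UID 500 and above (macOS numbers accounts created in System Preferences from 501). The sample outputs and the account names alice and bob are constructed so the check runs offline; `read_live()` runs the real commands on a Mac.

```python
"""Report which local macOS accounts are members of the admin group.

Added example, not from the thread. Parses the text that two dscl commands
print; the SAMPLE_* strings below are constructed stand-ins for that output so
the check runs anywhere, and read_live() runs the real commands on a Mac.
"""
import subprocess
import sys

# Constructed sample of `dscl . -read /Groups/admin GroupMembership`
SAMPLE_ADMIN_GROUP = "GroupMembership: root alice\n"

# Constructed sample of `dscl . -list /Users UniqueID` (name and UID per line)
SAMPLE_USER_IDS = """\
_spotlight  89
_www        70
alice       501
bob         502
daemon      1
root        0
"""

HUMAN_UID_MIN = 500  # assumption: macOS numbers accounts made in System Preferences from 501


def parse_admin_members(text):
    """Names listed on the GroupMembership line, as a set (empty if the line is absent)."""
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        if key.strip() == "GroupMembership":
            return set(rest.split())
    return set()


def parse_user_ids(text):
    """Map account name -> UID from the two-column listing."""
    ids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            ids[parts[0]] = int(parts[1])
    return ids


def human_admins(group_text, ids_text, min_uid=HUMAN_UID_MIN):
    """Human (non-system) accounts that hold admin rights, sorted by name."""
    members = parse_admin_members(group_text)
    uids = parse_user_ids(ids_text)
    return sorted(name for name in members if uids.get(name, -1) >= min_uid)


def audit(expected, group_text, ids_text):
    """(admins not on the allow-list, allow-listed accounts that are not admins)."""
    actual = set(human_admins(group_text, ids_text))
    expected = set(expected)
    return sorted(actual - expected), sorted(expected - actual)


def _dscl(*args):
    return subprocess.run(["dscl", ".", *args], capture_output=True, text=True, check=True).stdout


def read_live():
    """Run the real dscl commands; only meaningful on macOS."""
    if sys.platform != "darwin":
        raise RuntimeError("dscl is a macOS tool; use the constructed samples elsewhere")
    return _dscl("-read", "/Groups/admin", "GroupMembership"), _dscl("-list", "/Users", "UniqueID")


if __name__ == "__main__":
    group_text, ids_text = (read_live() if sys.platform == "darwin"
                            else (SAMPLE_ADMIN_GROUP, SAMPLE_USER_IDS))
    extra, missing = audit({"alice"}, group_text, ids_text)   # allow-list is an example value
    print("human admin accounts:", human_admins(group_text, ids_text))
    print("not on the allow-list:", extra, "| expected but not admin:", missing)
```

The allow-list in `audit()` is where a practitioner records the one account that is supposed to be an administrator; anything else on the left-hand side of the result is a day-to-day account that has ended up with admin rights and should be demoted.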

To: kevkrom

I agree with you. There are many times I would have toasted my system and had to restore from time machine were it not for file permissions while running as unprivileged.


23 posted on 08/04/2015 9:42:43 AM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)

To: palmer
Using a root privilege exploit means that the victim is running at normal privileges. The exploit bumps the software up to the root level. The victim is not running at root, as you say, nobody does. But it's not impossible to find exploits to get from normal privileges to root, it just adds one more complication to the attack and one more chance for it to fail...

The claim was this was a "remote" attack. . . It is not, except in the sense that it can be exported with a device, in which case the new machines are toast. But if it requires being downloaded by someone with high privileges who gives it permission to install and run, that doesn't qualify it as being "remote."

24 posted on 08/04/2015 1:37:17 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: palmer
The article about Thunderstrike is a little vague. It doesn't come out and say they used a privilege escalation exploit, but it implies that it does.

Thunderstrike 2 Worm can infect your Mac without detection— but requires Root access— MacDailyNews, Forbes Report, August 3, 2015

“Trammell Hudson, an employee of high-tech hedge fund Two Sigma Investments, created something of a storm late last year with his Thunderstrike exploit on Apple Macs,” Thomas Fox-Brewster reports for Forbes. “It was the first time anyone had demonstrated a Mac bootkit – malware that launches ahead of the operating system, from the moment the PC starts, and is hidden from security tools, most of which don’t delve so deep inside Macs’ innards. It’s probably the most surreptitious, devilish kind of malware one can get onto a PC, effectively granting an attacker total control over the computer.”

“There was one major barrier to exploitation outside of labs, however: it required physical access to the target PC,” Fox-Brewster reports. “But now Hudson has collaborated with self-proclaimed ‘voodoo’ researchers Xeno Kovah and Corey Kallenberg, Mac bootkits can now be delivered from anywhere on the planet. They could also jump between machines over infected Thunderbolt devices, creating a ‘firmworm.'”

“To get that bootkit up and running, there are numerous paths a malicious hacker could take. The one the trio will show off at the Black Hat security conference in Las Vegas this week will assume the attacker already has root control over the machine. Getting to that point is not the simplest of tasks on Apple Macs, but an Oracle Java or Adobe Flash exploit would do the trick,” Fox-Brewster reports. “In the video below, Hudson shows how an attack can jump from OROMs, to the BIOS, and back to the OROMs, primed to infect another Mac.”


25 posted on 08/04/2015 2:36:41 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: palmer

The Forbes article seems to think that achieving ROOT access is a trivial matter, it really isn’t. However, a really determined hacker could conceivably find a way.


26 posted on 08/04/2015 2:42:18 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

This sounds analogous to the USB malware.


27 posted on 08/04/2015 4:12:53 PM PDT by SunkenCiv (What do we want? REGIME CHANGE! When do we want it? NOW)

To: Swordmaker
The Forbes article seems to think that achieving ROOT access is a trivial matter, it really isn’t. However, a really determined hacker could conceivably find a way.

It is trivial if there is a vulnerability. As I pointed out on the other thread I ran a trivial test on my system and wrote a file that I had no permission to write. I could have overwritten any file I wanted. That is probably already fixed but I don't have auto-updating.

The real point isn't whether privilege escalation is difficult or not. It is that the escalation is one extra step needed for the hacker to completely take over. For years Windows never needed that extra step so it was easier for hackers to take over. Now they protect most critical system stuff with UAC. But they are late to do what Unix has had for decades.

28 posted on 08/04/2015 4:17:50 PM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)

To: Swordmaker
The one the trio will show off at the Black Hat security conference in Las Vegas this week will assume the attacker already has root control over the machine.

That's the extra step. But like I showed it is not impossible. My own machine has a trivial to exploit escalation vulnerability and I bought and updated it about a month ago.

29 posted on 08/04/2015 4:19:50 PM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)

To: SunkenCiv
This sounds analogous to the USB malware.

You're right, it is. Any port into a computer is an access. . . especially if it gives access to re-programmable chips. The Thunderstrike is especially egregious because the devices and even the adaptors that plug into it have reprogrammable chips IN THEM where the malware can be stashed!

30 posted on 08/04/2015 4:54:13 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: palmer
It is trivial if there is a vulnerability.

It is trivial only if the vulnerability is exploitable. I've seen many vulnerabilities that were not exploitable or innocuous even if exploitable.

31 posted on 08/04/2015 4:55:38 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
Sukiyaki (Ue o Muite Arukou) - Kyu Sakamoto
32 posted on 08/05/2015 12:19:52 AM PDT by Liberty Valance (Keep a Simple Manner for a Happy Life :o)

To: Swordmaker

Michael Martin Murphey - Geronimo's Cadillac

33 posted on 08/05/2015 12:28:06 AM PDT by Liberty Valance (Keep a Simple Manner for a Happy Life :o)

To: Swordmaker

Ouch.


34 posted on 08/05/2015 12:29:19 AM PDT by SunkenCiv (What do we want? REGIME CHANGE! When do we want it? NOW)


Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson