Putting the spotlight on firmware malware

Firmware malware has been a hot topic ever since Snowden’s leaks revealed the NSA’s efforts to infect BIOS firmware. However, BIOS malware is no longer something exclusive to the NSA: Lenovo’s Service Engine and Hacking Team’s UEFI rootkit are examples of why the security industry should put some focus on this strain of badness.

To all effects the BIOS is firmware: it is loaded into memory at the very beginning of the boot process, and its code lives on a flash memory chip soldered onto the mainboard. Since the BIOS boots the computer and helps load the operating system, an attacker who infects it can deploy malware that survives reboots, system wipes and reinstallations, and since antivirus products do not scan this layer, the compromise can fly under the radar.

As of today VirusTotal characterizes firmware images in detail, whether legitimate or malicious. These are a couple of examples of the kind of information that is now generated; please refer to the File Detail tab:
https://www.virustotal.com/en/file/3afb102f0a61f5a71be4658c3d8d3624e4773e36f64fd68a173f931bc38f651e/analysis/  [1]
https://www.virustotal.com/en/file/4db9177af43a958686b9367f19df90023acf3189c388497a8a7d1d8cb3f7f0e0/analysis/  [2]
Pay attention to the Additional information tab in this other case: you will see a new Source Details field which gives attribution information for the given file:
A 100% PE resource match is not required in order to provide some attribution context, e.g.

The new tool performs the following basic tasks:

  • Apple Mac BIOS detection and reporting.
  • Strings-based brand heuristic detection, to identify target systems.
  • Extraction of certificates both from the firmware image and from executable files contained in it.
  • PCI class code enumeration, allowing device class identification.
  • ACPI table tag extraction.
  • NVAR variable name enumeration.
  • Option ROM extraction, entry point decompilation and PCI feature listing.
  • Extraction of the Portable Executables that make up the BIOS image and identification of potential Windows executables among them.
  • SMBIOS characteristics reporting.

What is probably most interesting is the extraction of the UEFI Portable Executables that make up the image, since executable code is precisely what could be a source of badness. These executables are extracted and submitted individually to VirusTotal, so that the user can see a report for each one of them and perhaps get a notion of whether there is something fishy in their BIOS image. Additionally, the tool highlights which of the extracted PEs are Windows-targeted, i.e. built to run on the Windows OS itself rather than in the UEFI pre-boot environment (in PE terms, the two differ in the subsystem declared in the optional header). Usually you would not see Windows executables in this layer, though there are exceptions like the following case:

As you can see, the report distinguishes between PEs of any kind and PEs that will run on the Windows OS itself, the first of which happens to be detected by a noticeable number of antivirus vendors. This executable is actually an anti-theft product called Computrace, embedded in many BIOSes so that a system can be tracked after theft even if it is wiped and reinstalled. Totally legit when used for this purpose.
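The Windows-versus-UEFI distinction the report draws can be reproduced from the PE headers themselves. The following Python is an added example, not VirusTotal's code and not Teddy Reed's parser: it carves every MZ/PE header out of a raw firmware blob and classifies each PE by the Subsystem field of its optional header, where values 10 to 13 are the EFI subsystems and 1 to 3 are the native and Windows ones. The blob it scans is a constructed fixture of header-only PE images padded with 0xFF bytes, not a real BIOS image, and the carve loop is a plain linear scan rather than a firmware-volume parser, so PEs sitting inside a compressed firmware volume would first need that volume decompressed.

```python
"""
Carve PE images out of a raw firmware blob and tell UEFI modules apart
from executables built for the Windows OS itself, using the Subsystem
field of the PE optional header. Added example; not VirusTotal's tooling.
"""
import struct

# IMAGE_SUBSYSTEM_* values from the PE/COFF specification.
SUBSYSTEMS = {
    1: "native", 2: "windows-gui", 3: "windows-cui",
    10: "efi-application", 11: "efi-boot-service-driver",
    12: "efi-runtime-driver", 13: "efi-rom",
}
WINDOWS_SUBSYSTEMS = {1, 2, 3}      # runs on the Windows OS itself
UEFI_SUBSYSTEMS = {10, 11, 12, 13}  # runs in the UEFI pre-boot environment

# IMAGE_FILE_MACHINE_* values (EBC = EFI Byte Code, common in option ROMs).
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "arm64",
            0x1C4: "armnt", 0xEBC: "ebc"}


def parse_pe(blob, offset=0):
    """Parse the PE headers at blob[offset:]; return None if not a PE."""
    if blob[offset:offset + 2] != b"MZ" or offset + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, offset + 0x3C)[0]
    pe = offset + e_lfanew
    # Firmware modules carry tiny DOS stubs; a huge e_lfanew is garbage.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(blob):
        return None
    if blob[pe:pe + 4] != b"PE\0\0":
        return None
    (machine, _nsections, _ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    # Subsystem lives at optional-header offset 68 for both PE32 and PE32+.
    if opt_size < 70 or opt + opt_size > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        return None
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    if subsystem in UEFI_SUBSYSTEMS:
        kind = "uefi"
    elif subsystem in WINDOWS_SUBSYSTEMS:
        kind = "windows"
    else:
        kind = "other"
    return {
        "offset": offset,
        "machine": MACHINES.get(machine, hex(machine)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "kind": kind,
    }


def carve_pes(blob):
    """Linear scan for embedded PEs. PEs inside a compressed firmware
    volume stay invisible to this until the volume is decompressed."""
    found, pos = [], 0
    while True:
        pos = blob.find(b"MZ", pos)
        if pos < 0:
            return found
        info = parse_pe(blob, pos)
        if info is not None:
            found.append(info)
        pos += 2 if info is not None else 1


def build_minimal_pe(machine, subsystem, pe32plus=True):
    """Constructed fixture: a header-only PE with the given machine and
    subsystem. Not a real firmware module."""
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, 0x2000)                  # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x40 + 24 + opt_size)    # SizeOfHeaders
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed firmware blob: 0xFF flash padding around three PEs and one
# stray "MZ" that is not a PE header.
_PAD = b"\xff" * 64
SAMPLE_IMAGE = (
    _PAD + build_minimal_pe(0x8664, 11)                 # x64 EFI boot-service driver
    + _PAD + b"MZ-not-a-pe" + _PAD                      # stray magic, no PE header
    + build_minimal_pe(0x14C, 2, pe32plus=False)        # 32-bit Windows GUI exe
    + _PAD + build_minimal_pe(0xEBC, 13)                # EBC option ROM
)

if __name__ == "__main__":
    for pe in carve_pes(SAMPLE_IMAGE):
        flag = "  <-- Windows-targeted, look closer" if pe["kind"] == "windows" else ""
        print(f"0x{pe['offset']:06x} {pe['machine']:7} {pe['subsystem']:24} {pe['kind']}{flag}")
```

On a real dump you would feed `carve_pes` the bytes of the SPI flash image after any firmware-volume decompression; anything that comes back as `windows` is exactly the kind of module the Computrace and NovoSecEngine2 cases on this page illustrate, and deserves a report of its own.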

This exemplifies one way in which the new characterization can help in hunting badness. For instance, take a closer look at the very first two examples:


You will notice that this is precisely the Lenovo rootkit case. They are two different BIOS updates for Lenovo S21e laptop systems; the second one removes what was identified as factory-installed malware. Taking a closer look at both reports, you will notice that the first image contains a NovoSecEngine2 Windows executable in charge of deploying further artifacts onto the target system.

Knowing that this new tool is available, the next interesting step is to dump your own BIOS in order to study it further by submitting it to VirusTotal; the following tools might come in handy:

Obviously, this has its limitations: a software dumper reads the flash through the very platform it is trying to inspect, so a system could be compromised in such a manner that the dumpers are deceived. You should understand that the ultimate ground truth is physically attaching to the chip and electronically dumping the flash memory.

When performing BIOS dumps and uploading them to VirusTotal, make sure you remove private information: certain vendors store secrets such as WiFi passwords in BIOS variables in order to remember settings across system reinstalls. If you are on a Mac, DarwinDumper will allow you to easily strip sensitive information by checking the “Make dumps private” option.

Premium users of VirusTotal Intelligence and the VirusTotal Private Mass API will soon be able to read a follow-up article on the Intelligence blog explaining how all of this information is now indexed and searchable, allowing you to track down advanced actors that use BIOS badness to persist in their targets’ systems.

We would like to specially thank Teddy Reed, developer of the UEFI firmware Python parser; he has been instrumental in helping us overcome our ignorance about BIOS, UEFI and their ecosystem.

Source: VirusTotal

VirusTotal += Mac OS X execution

We previously announced sandbox execution of Windows PE files in 2012 and of Android apps in 2013. We are happy to announce equal treatment for Mac OS X apps. Files scanned that are Mach-O executables, DMG files, or ZIP files containing a Mac app will be sent to the sandbox in order to produce behavioral reports.
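The routing rule above (Mach-O, DMG, or a ZIP holding a .app bundle goes to the Mac sandbox) is easy to reproduce locally when triaging samples before submission. The Python below is an added example and not VirusTotal's own code: it sniffs the three container types by their structural markers, namely the Mach-O and fat magic numbers, the 512-byte "koly" trailer that ends a UDIF disk image, and a ".app/Contents/" path inside a ZIP, and it handles the one well-known collision, the fat magic 0xcafebabe also being the Java class-file magic. Every input is a constructed fixture, not a real sample, and the nfat_arch threshold of 30 is a heuristic chosen for this example.

```python
"""
Decide whether a submission is a Mac artifact that a Mac sandbox would
run: a Mach-O binary, a DMG disk image, or a ZIP with a .app inside.
Added example; not VirusTotal's routing code.
"""
import io
import struct
import zipfile

# Mach-O magic numbers in both byte orders: thin 32-bit and thin 64-bit.
MACHO_THIN = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
              b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_BE = b"\xca\xfe\xba\xbe"   # fat/universal binary (also Java .class magic)
FAT_LE = b"\xbe\xba\xfe\xca"


def is_macho(data):
    """Thin or fat Mach-O by magic; disambiguates fat from Java class files."""
    if len(data) < 8:
        return False
    magic = data[:4]
    if magic in MACHO_THIN:
        return True
    if magic in (FAT_BE, FAT_LE):
        # A fat header stores nfat_arch right after the magic (a handful of
        # slices); a Java class file stores minor/major version there and
        # major is >= 45 for any real JVM. The 30 cutoff is a heuristic.
        order = ">I" if magic == FAT_BE else "<I"
        return struct.unpack(order, data[4:8])[0] < 30
    return False


def is_dmg(data):
    """UDIF disk images end with a 512-byte trailer whose signature is 'koly'."""
    return len(data) >= 512 and data[-512:-508] == b"koly"


def zip_contains_app(data):
    """True if the ZIP carries an application bundle (a *.app/Contents/ tree)."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    with zipfile.ZipFile(buf) as zf:
        return any(".app/Contents/" in name for name in zf.namelist())


def sandbox_route(data):
    """Return 'mach-o', 'dmg' or 'zip-app' for Mac-sandbox candidates, else None."""
    if is_macho(data):
        return "mach-o"
    if is_dmg(data):
        return "dmg"
    if zip_contains_app(data):
        return "zip-app"
    return None


def _zip_bytes(entries):
    """Build an in-memory ZIP from {name: content}; fixture helper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures, not real files.
SAMPLES = {
    "thin-x86_64": b"\xcf\xfa\xed\xfe" + struct.pack("<II", 0x01000007, 3) + b"\0" * 24,
    "fat-2-arch": FAT_BE + struct.pack(">I", 2) + b"\0" * 40,
    "java-class": FAT_BE + struct.pack(">HH", 0, 52) + b"\0" * 16,   # same magic, not Mac
    "dmg": b"\0" * 1024 + b"koly" + struct.pack(">I", 4) + b"\0" * 504,
    "zip-app": _zip_bytes({"Demo.app/Contents/Info.plist": "<plist/>",
                           "Demo.app/Contents/MacOS/Demo": b"\xcf\xfa\xed\xfe"}),
    "zip-plain": _zip_bytes({"readme.txt": "nothing to execute"}),
    "pe": b"MZ" + b"\0" * 62,                                          # Windows, not Mac
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:12} -> {sandbox_route(blob)}")
```

The Java collision is the case worth remembering: a naive check on the first four bytes would ship every `.class` file to the Mac sandbox, so the fat-header field after the magic is what actually settles it.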

Users may scan these file types directly on www.virustotal.com, with our OS X Uploader app, or via the API.

As before, users with private API or “allinfo” privileges will see this information in the API responses. For VirusTotal Intelligence customers the information is also indexed and searchable.

Here are a couple of example reports; have a look at the “Behavioural information” tab:

DMG files:

Mach-O files:
ZIP files with a Mac app inside:
If you find issues, or have suggestions to improve the Mac sandbox please send an email to contact [at] virustotal [dot] com.

Source: VirusTotal

VirusTotal += CloudStat URL scanner

Today we are introducing a new URL scanner that will characterize URLs submitted by users to VirusTotal: CloudStat. In their own words:

CloudStat is a new platform set to revolutionize the way companies collect and analyze their data. It identifies compliance gaps, detects configuration problems and warns customers of cyber security threats by applying our proprietary analysis engine to millions of data points. It delivers concise actionable reports directly to mobile devices. The team behind CloudStat is dedicated to helping companies mitigate risks, increase productivity and reduce costs.

Let us look at how their verdicts show up:

Judging by the reports, it seems that this new engine nicely complements other datasets, so that aggregate threat coverage has been improved. This is good news, and hopefully this addition results in more secure users world-wide.

Welcome CloudStat!

Source: VirusTotal

VirusTotal += Arcabit

We welcome the Arcabit scanner to VirusTotal. This is a multi-engine product from Poland. In the words of the company:

“Arcabit is a Polish vendor of the antivirus and protection software. Arcabit antivirus engine is the hybrid of two solutions – Bitdefender and its own, constantly developed engine with rapid response to the new threats. Arcabit uses advanced cloud solutions to identify trends in malware development and to ensure an early response to new threats. The heuristic mechanisms implemented by Arcabit (identified as HEUR.*) offer the efficacy at the level of 99.9% in detecting threats spreading through popular Web channels – www, email etc.”

Source: VirusTotal