After CIA Leak, Intel Security Releases Detection Tool for EFI Rootkits
Mon, 13/03/2017 - 01:56 — smashdracs
Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code.
The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's MacBooks. A rootkit is a malicious program that runs with high privileges -- typically in the kernel -- and hides the existence of other malicious components and activities.
The documents from the CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter.
EFI, also known as UEFI (Unified EFI), is the low-level firmware that runs before the operating system and initializes the various hardware components during the system boot process. It's the replacement for the older and much more basic BIOS in modern computers and resembles a mini operating system. It can have hundreds of "programs" for different functions implemented as executable binaries.
A malicious program hidden inside the EFI can inject malicious code into the OS kernel and can restore any malware that has been removed from the computer. This allows rootkits to survive major system updates and even reinstallations.
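To illustrate what checking firmware for unauthorized code involves, the following added example (not Intel Security's tool and not code from the article) compares the executables in a firmware dump against a known-good baseline. It assumes the EFI executables have already been extracted into a dictionary keyed by module GUID; the function names and sample data are hypothetical.

```python
import hashlib

def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def build_baseline(modules: dict) -> dict:
    """Map each module GUID to the SHA-256 of its binary.
    Take this from a known-good image (for example the vendor's update file);
    a baseline taken from an already-modified system whitelists the implant."""
    return {guid: sha256(blob) for guid, blob in modules.items()}

def compare(baseline: dict, modules: dict) -> dict:
    """Classify the modules of a later firmware dump against the baseline."""
    report = {"new": [], "modified": [], "missing": []}
    for guid, blob in sorted(modules.items()):
        if guid not in baseline:
            report["new"].append(guid)          # executable that was never approved
        elif baseline[guid] != sha256(blob):
            report["modified"].append(guid)     # approved name, different code
    report["missing"] = sorted(set(baseline) - set(modules))
    return report

# Constructed sample data: GUIDs and contents are made up for illustration.
KNOWN_GOOD = {
    "11111111-1111-1111-1111-111111111111": b"boot manager v1",
    "22222222-2222-2222-2222-222222222222": b"disk driver v1",
    "33333333-3333-3333-3333-333333333333": b"network stack v1",
}
LATER_DUMP = {
    "11111111-1111-1111-1111-111111111111": b"boot manager v1",
    "22222222-2222-2222-2222-222222222222": b"disk driver v1 + extra code",
    "44444444-4444-4444-4444-444444444444": b"unknown executable",
}

if __name__ == "__main__":
    result = compare(build_baseline(KNOWN_GOOD), LATER_DUMP)
    for category, guids in result.items():
        for guid in guids:
            print(f"{category:8} {guid}")
```

A legitimate firmware update also changes module hashes, so the baseline has to be regenerated from the new vendor image after each update.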