Google's VirusTotal Digs All The Way Into BIOS To Scan For Malware That Survives Reboots

VirusTotal, a free online service owned by Google, has launched a new tool that characterizes firmware images in detail, with the aim of accurately declaring them either legitimate or malicious.

In a recently published blog post, the company outlined the gravity of the firmware malware threat and discussed how malicious code at this layer can be detected.

Apart from labeling firmware images, the new tool can extract certificates embedded in the firmware and in the executable files it contains. It is also capable of extracting the portable executables found within the image.

The company's new focus on firmware malware should not be surprising, given that the topic gained wide-scale attention following the Snowden leaks about the NSA's attempts to compromise BIOS firmware.

The BIOS malware threat has since become a growing concern in the security industry, with new cases beyond those attributed to the NSA. These include the Lenovo Service Engine and the Hacking Team's UEFI rootkit.

"Since the BIOS boots a computer and helps load the operating system, by infecting it attackers can deploy malware that survives reboots, system wiping and reinstallations, and since antiviruses are not scanning this layer, the compromise can fly under the radar," wrote Francisco Santos, IT Security Engineer at VirusTotal, in a blog post.

The post also outlines some of the basic tasks that the new tool can perform. These include Apple Mac BIOS identification and reporting; identification of target systems using strings-based brand heuristic detection; certificate extraction from both the firmware image and the executable files it contains; device class identification by PCI class code enumeration; NVAR variable name enumeration; ACPI table tag extraction; PCI feature listing, entry point decompilation and option ROM extraction; SMBIOS characteristics reporting; and extraction of the so-called BIOS Portable Executables and detection of possible Windows executables found in an image.

VirusTotal also said the UEFI Portable Executables are extracted and then submitted individually to the company's system. This lets users see a report for each of the executables, which may help them identify whether something suspicious is present in their BIOS image.
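As an added example (not VirusTotal's own code), the following Python carves embedded PE files out of a raw firmware dump by following the MZ and PE header chain and the section table, the simplest form of the portable executable extraction described above. It is a signature-based carve only, so it does not parse UEFI firmware volumes or TE images, and both the firmware blob and the PE it scans are constructed test data.

```python
import struct

MZ_MAGIC, PE_MAGIC = b"MZ", b"PE\0\0"

def pe_size(image, off):
    """On-disk size of the PE file whose DOS header starts at `off`; 0 if no valid PE is there."""
    if image[off:off + 2] != MZ_MAGIC or off + 0x40 > len(image):
        return 0
    pe = off + struct.unpack_from("<I", image, off + 0x3C)[0]   # e_lfanew -> "PE\0\0"
    if pe < off + 0x40 or pe + 24 > len(image) or image[pe:pe + 4] != PE_MAGIC:
        return 0
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]
    size_opt = struct.unpack_from("<H", image, pe + 20)[0]
    sect = pe + 24 + size_opt                                     # first section header
    if size_opt < 60 or sect > len(image):
        return 0
    size = struct.unpack_from("<I", image, pe + 24 + 56)[0]      # SizeOfHeaders (PE32 and PE32+)
    for i in range(num_sections):
        hdr = sect + i * 40
        if hdr + 40 > len(image):
            return 0
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        size = max(size, raw_ptr + raw_size)
    return min(size, len(image) - off)      # clamp so a lying header cannot run past the image

def carve_pes(image):
    """Return [(offset, bytes)] for every embedded PE found by scanning for MZ/PE signatures."""
    found, pos = [], 0
    while (pos := image.find(MZ_MAGIC, pos)) >= 0:
        size = pe_size(image, pos)
        if size:
            found.append((pos, image[pos:pos + size]))
        pos += size or 1                    # skip past a carved file, or step over a false MZ hit
    return found

def build_test_pe(payload=b"\x90" * 16):
    """Constructed minimal PE32 (test data only): DOS stub, COFF header, optional header, one section."""
    dos = bytearray(0x40); dos[:2] = MZ_MAGIC; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = PE_MAGIC + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); opt[:2] = b"\x0b\x01"; struct.pack_into("<I", opt, 56, 0x200)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x1000, len(payload), 0x200) + b"\0" * 16
    return (bytes(dos) + coff + bytes(opt) + sect).ljust(0x200, b"\0") + payload

if __name__ == "__main__":
    # Constructed "firmware image": padding, a decoy MZ string with no PE header, then a real PE.
    firmware = b"\xff" * 0x100 + b"MZ junk" + b"\0" * 0x40 + build_test_pe() + b"\xff" * 32
    for off, data in carve_pes(firmware):
        print(f"PE at offset {off:#x}, {len(data)} bytes")   # each hit would be saved and scanned on its own
```

Each carved file can then be hashed and submitted for scanning individually, which is the per-executable reporting the article describes.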

VirusTotal also offered some reminders to users who dump their BIOS and upload it to the site. The first is to remove private information, since some vendors store secrets such as the user's WiFi password in BIOS variables so that the required settings persist across system reinstalls.

Santos went on to advise Mac users to use DarwinDumper, which has a "Make dumps private" feature that helps remove sensitive information easily.

Photo: Ministerio TIC Colombia | Flickr

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.