Submitted via IRC for chromas
Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code.
The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's Macbooks. A rootkit is a malicious program that runs with high privileges -- typically in the kernel -- and hides the existence of other malicious components and activities.
The documents from CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter.
EFI, also known as UEFI (Unified EFI), is the low-level firmware that runs before the operating system and initializes the various hardware components during the system boot process. It's the replacement for the older and much more basic BIOS in modern computers and resembles a mini operating system. It can have hundreds of "programs" for different functions implemented as executable binaries.
A malicious program hidden inside the EFI can inject malicious code into the OS kernel and can restore any malware that has been removed from the computer. This allows rootkits to survive major system updates and even reinstallations.
(Score: 2, Informative) by Anonymous Coward on Sunday March 12 2017, @09:05AM
It's important to realize that this is just an update to CHIPSEC, which has existed for several years, and is pointless unless you trust that your system is uncompromised when you get it from the manefacturer (because you have to do a scan of all your files as soon as you receive the system, or you won't be able to verify all of them).