Two cyber-security experts working in the US have created a worm computer virus that can severely damage the software at the heart of an Apple Mac computer. The malware, which was created for research purposes, has been designed to highlight vulnerabilities within the Apple Mac platform that researchers hope the company will now be able to rectify.
The worm virus, which is called Thunderstrike 2, was created by Xeno Kovah (owner of LegbaCore) and his research partner Trammell Hudson (a security engineer at Two Sigma). Thunderstrike 2 works by attacking a computer’s firmware – the software that comes pre-loaded onto a computer in order to load the operating system – and the virus is even designed to find its way onto Apple Macs that are not connected to the Internet.
Firmware is a type of software that gives companies the ability to control, monitor, and manipulate data within their products. For a long time, it was believed that Apple Mac computers had strong and impenetrable security features within their firmware. Research carried out by LegbaCore last year, however, demonstrated that 5 out of 6 of the vulnerabilities that affected 80% of PCs also affected Apple Macs. This is due to similarities between competing manufacturers’ firmware, says Kovah:
‘Most of these firmwares are built from the same reference implementations, so when someone finds a bug in one that affects Lenovo laptops, there’s a really good chance it’s going to affect the Dells and HPs. What we also found is there is really high likelihood that the vulnerability will also affect MacBooks. Because Apple is using a similar EFI (BIOS) firmware.’
Today, the researchers will be showcasing their new worm virus at the Black Hat security conference in Las Vegas. They hope its efficacy will encourage computer firms to work harder at implementing improved security on future firmware.
Usually, worms like the one in question make their way onto computers via the Internet, where malevolent websites that are purposefully infected with the code can deliver the malware to computers. Another common method of infecting a machine is via a phishing email – a fake email that appears to be from a reputable source – but which in reality is only there to deliver the virus.
The design of Thunderstrike 2, however, is even more troublesome. The researchers have created the malware with the ability to spread to peripheral devices attached to a Mac computer (such as Apple’s Thunderbolt-to-gigabit-Ethernet adapter). This capability allows it to spread to further machines via connected accessories (those that use Option ROM) and demonstrates the ease with which this worm can contaminate other machines.
It also reveals that a worm like the one they have created could be spread via infected accessories sold on an online marketplace such as eBay. Once an infected accessory is plugged into another machine, the virus writes malicious code to the Mac’s firmware, and that code is so entrenched that removing it requires the computer’s firmware chip to be reprogrammed. Normal anti-malware software is completely unable to deal with it.
‘[The attack is] really hard to detect… it’s really hard to get rid of,’ said Kovah. ‘It’s really hard to protect against something that’s running inside the firmware… for most users that’s really a throw-your-machine-away kind of situation.’
The worm, which was specially designed to make clear the vulnerabilities that LegbaCore discovered in Apple’s firmware, will now give the company the opportunity to improve the security of its machines. In fact, Apple has already been informed of the malware, and although three vulnerabilities remain unfixed, the company has already managed to fix one completely and partially correct another. The researchers’ work, even at this early stage, is therefore helping to improve security features on Apple Mac computers.
‘We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security,’ commented Kovah, who has also pointed out that while some companies work hard at implementing solutions to security vulnerabilities in their firmware, other firms do not.