First Firmware Worm Able to Infect Macs Created by Researchers

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Aug 3, 2015.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    A team of researchers has created the first firmware worm that's able to infect Macs, reports Wired. Building on "Thunderstrike" exploits uncovered earlier this year, the worm, dubbed "Thunderstrike 2," infects Macs at the firmware level, making it nearly impossible to remove. Embedded into firmware, malware is resistant to firmware and software updates, able to block them entirely or reinstall itself at will.

    The worm was created by security engineer Trammell Hudson, who first discovered the Thunderstrike exploits, and Xeno Kovah, owner of firmware security consultancy LegbaCore. When Thunderstrike made waves earlier this year, it was a limited proof-of-concept attack with no known presence in the wild, but Thunderstrike 2 demonstrates a real-world worm able to target Macs using the same general vulnerabilities.


    Thunderstrike 2, unlike the first demonstration of Thunderstrike, is able to infect a Mac remotely through a malicious website or email. Once on a Mac, it's able to spread itself to other Macs by hiding in the option ROM of peripheral devices like Apple's own Thunderbolt to Gigabit Ethernet adapter, external SSDs, RAID controllers, and more. Once infected by a Mac that has the Thunderstrike 2 worm, the peripheral would go on to infect any other Mac it connects to.
    Removing malware embedded into a Mac's firmware would need to be done at the hardware level, making it particularly dangerous. According to the researchers, Apple has not done enough to fix the vulnerabilities that leave Macs open to these kinds of attacks.
    Kovah and Hudson have notified Apple about the Thunderstrike 2 vulnerabilities, but thus far, Apple's only fixed one of five security flaws and introduced a partial fix for a second. Three of the vulnerabilities have not yet been patched, but it's likely Apple is working to get the flaws fixed in an upcoming security update.

    More information on Kovah and Hudson's research and the Thunderstrike 2 exploit can be found in a lengthy report over at Wired.

     
  2. Goldfrapp, Aug 3, 2015
    Last edited: Aug 3, 2015

    Goldfrapp macrumors 601

    Goldfrapp

    Joined:
    Jul 31, 2005
    #2
    El Capitan will take care of this. Piece of cake. Good job, researchers! Make Apple's life easier and keep on researching!
     
  3. joshuaclinton macrumors member

    Joined:
    Mar 28, 2014
  4. Frign macrumors member

    Joined:
    Aug 19, 2011
    #4
    The question is: Why does this guy wear nail varnish?
     
  5. midwife99 macrumors newbie

    midwife99

    Joined:
    Aug 3, 2015
    #5
    This is dated 2001, is it something new?
     
  6. spherox macrumors member

    Joined:
    Jan 26, 2015
    #6
    Ok, now this is kind of scary. Hardware replacement won't fix it? Neither will re-installing OS X? Infection could be stored in external devices such as Apple's own Thunderbolt adapter? *turns off Mac*
     
  7. Paul Simon, Aug 3, 2015
    Last edited: Aug 3, 2015

    Paul Simon macrumors newbie

    Paul Simon

    Joined:
    Jun 3, 2015
    #7
    And only these guys can do it with nothing that I've seen so far to back up their claims that other companies are heeding their grave warnings. Self-aggrandizing people.
     
  8. macduke macrumors G3

    macduke

    Joined:
    Jun 27, 2007
    Location:
    Central U.S.
    #8
    Of all the alleged Mac "hacks" that have surfaced over the years, this is the only one that has seemed to be a legitimate concern to me. The other hacks usually required direct access to your computer or installing some shady torrent software after putting in an admin password. This thing can be remotely installed from a website and can't be wiped. Sure, don't visit a shady website you say. But if a web server is compromised in some other way and this hack is installed, you could get it from nearly anywhere. This is bad.
     
  9. stridemat Moderator

    stridemat

    Staff Member

    Joined:
    Apr 2, 2008
    Location:
    UK
    #9
    So, what advice do the researchers offer to mitigate the issue at user level?

    Hopefully Apple can sort this.
     
  10. Dargoth macrumors regular

    Dargoth

    Joined:
    Oct 27, 2014
    #10
    Couldn't be. There was no Thunderbolt back then.

    Well, this seems to require a malicious website or email to get onto your computer in the first place, which almost certainly would require the download of a file or attachment for execution. I'm not worried by this.
     
  11. mdnz macrumors regular

    Joined:
    Apr 14, 2010
    Location:
    The Netherlands
    #11
    No it won't. If you think it does can you give us a source?
     
  12. mainstreetmark macrumors 68020

    mainstreetmark

    Joined:
    May 7, 2003
    Location:
    Saint Augustine, FL
    #12
    Well, that wasn't very uplifting news. If you get infected, you have to replace your Mac and all your cables?

    Is it at least possible to make a TS2 killer that lives on some other TB cable, that uses the same exploits, but gets rid of the bad payload?
     
  13. MacDawg macrumors Core

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #13
    What do you mean dated 2001?
    If you are looking to the left under the user avatar that is the join date
     
  14. AngerDanger, Aug 3, 2015
    Last edited: Aug 3, 2015

    AngerDanger macrumors 68040

    AngerDanger

    Joined:
    Dec 9, 2008
    #14
    I wish there was a chart or enumeration of Macs that can be affected by this. This article and the one on WIRED only mention MacBooks for some reason, but this would presumably affect desktop Macs as well. Also, what about computers that don't have Thunderbolt ports? :confused:
     
  15. brinary001 macrumors 6502a

    brinary001

    Joined:
    Sep 4, 2012
    Location:
    Midwest, USA
    #15
    I was talking to a buddy of mine the other day about Macs and their vulnerabilities. There's more of them than people think. Nothing is safe anymore. And better than any security program is your awareness and looking over your digital shoulder now and then.
     
  16. marco114 macrumors 6502

    marco114

    Joined:
    Jul 17, 2001
    Location:
    USA
    #16
    It's crazy that someone has this kind of time on their hands. I'd love to hire them to work on my latest App design but they are busy hacking away at the Mac.
     
  17. Parasprite macrumors 68000

    Parasprite

    Joined:
    Mar 5, 2013
    #17
    Apple is just so ahead of the curve, they beat themselves to Thunderbolt 2. :cool:
     
  18. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #18
    Blackhat is going to be really interesting this year. I can't wait.
     
  19. pdaholic macrumors 65816

    pdaholic

    Joined:
    Jun 22, 2011
    #19
    Thank goodness these "researchers" are on our side.
     
  20. Headrush69 macrumors member

    Joined:
    Jun 12, 2007
    #20
    Does rootless mode coming in El Capitan make this moot? (At least being done remotely)
     
  21. Kobayagi macrumors 6502a

    Kobayagi

    Joined:
    Dec 18, 2012
    #21
    New YouTube player design? First change I actually like in years.
     
  22. bushido Suspended

    bushido

    Joined:
    Mar 26, 2008
    Location:
    Germany
    #22
    kinda crazy. makes it sound like a living organism
     
  23. maxsix Suspended

    maxsix

    Joined:
    Jun 28, 2015
    Location:
    Western Hemisphere
    #23
    Apple enthusiasts busy defending Apple, while living in complete denial about the risks, are just what Apple counts on, so they can push security down their list of priorities.
     
  24. Steve121178 macrumors 601

    Steve121178

    Joined:
    Apr 13, 2010
    Location:
    Bedfordshire, UK
    #24
    Err, no it won't. We all know how rubbish Apple is when it comes to security so if you think El Capitan will make your Mac bulletproof then you need to get some help.
     
  25. SoyCapitanSoyCapitan macrumors 68040

    SoyCapitanSoyCapitan

    Joined:
    Jul 4, 2015
    Location:
    Geneva
    #25
    Just sandbox all browsers and implement a thorough scan of anything downloading. Sandboxing the user folders would also help. Access to system folders should require a password.
     
