First Firmware Worm Able to Infect Macs Created by Researchers

Discussion in 'News Discussion' started by MacRumors, Aug 3, 2015.

  1. MacRumors macrumors bot


    Apr 12, 2001

    A team of researchers has created the first firmware worm that's able to infect Macs, reports Wired. Building on "Thunderstrike" exploits uncovered earlier this year, the worm, dubbed "Thunderstrike 2," infects Macs at the firmware level, making it nearly impossible to remove. Embedded into firmware, malware is resistant to firmware and software updates, able to block them entirely or reinstall itself at will.

    The worm was created by security engineer Trammell Hudson, who first discovered the Thunderstrike exploits, and Xeno Kovah, owner of firmware security consultancy LegbaCore. When Thunderstrike made waves earlier this year, it was a limited proof-of-concept attack with no known presence in the wild, but Thunderstrike 2 demonstrates a real-world worm able to target Macs using the same general vulnerabilities.

    Thunderstrike 2, unlike the first demonstration of Thunderstrike, is able to infect a Mac remotely through a malicious website or email. Once on a Mac, it's able to spread itself to other Macs by hiding in the option ROM of peripheral devices like Apple's own Thunderbolt to Gigabit Ethernet adapter, external SSDs, RAID controllers, and more. Once infected by a Mac that has the Thunderstrike 2 worm, the peripheral would go on to infect any other Mac it connects to.

    Removing malware embedded into a Mac's firmware would need to be done at the hardware level, making it particularly dangerous. According to the researchers, Apple has not done enough to fix the vulnerabilities that leave Macs open to these kinds of attacks.

    Kovah and Hudson have notified Apple about the Thunderstrike 2 vulnerabilities, but thus far, Apple's only fixed one of five security flaws and introduced a partial fix for a second. Three of the vulnerabilities have not yet been patched, but it's likely Apple is working to get the flaws fixed in an upcoming security update.

    More information on Kovah and Hudson's research and the Thunderstrike 2 exploit can be found in a lengthy report over at Wired.

    Article Link: First Firmware Worm Able to Infect Macs Created by Researchers
  2. Goldfrapp, Aug 3, 2015
    Last edited: Aug 3, 2015

    Goldfrapp macrumors 601


    Jul 31, 2005
    El Capitan will take care of this. Piece of cake. Good job, researchers! Make Apple's life easier and keep on researching!
  3. joshuaclinton macrumors member

    Mar 28, 2014
  4. Frign macrumors member

    Aug 19, 2011
    The question is: Why does this guy wear nail varnish?
  5. midwife99 macrumors newbie


    Aug 3, 2015
    This is dated 2001, is it something new?
  6. spherox macrumors member

    Jan 26, 2015
    Ok, now this is kind of scary. Hardware replacement won't fix it? Neither will re-installing OS X? Infection could be stored in external devices such as Apple's own Thunderbolt adapter? *turns off Mac*
  7. Paul Simon, Aug 3, 2015
    Last edited: Aug 3, 2015

    Paul Simon macrumors newbie

    Paul Simon

    Jun 3, 2015
    And only these guys can do it with nothing that I've seen so far to back up their claims that other companies are heeding their grave warnings. Self-aggrandizing people.
  8. macduke macrumors G3


    Jun 27, 2007
    Central U.S.
    Of all the alleged Mac "hacks" that have surfaced over the years, this is the only one that has seemed to be a legitimate concern to me. The other hacks usually required direct access to your computer or installing some shady torrent software after putting in an admin password. This thing can be remotely installed from a website and can't be wiped. Sure, don't visit a shady website you say. But if a web server is compromised in some other way and this hack is installed, you could get it from nearly anywhere. This is bad.
  9. stridemat Moderator


    Staff Member

    Apr 2, 2008
    So, what advice do the researchers offer to mitigate the issue at user level?

    Hopefully Apple can sort this.
  10. Dargoth macrumors regular


    Oct 27, 2014
    Couldn't be. There was no Thunderbolt back then.

    Well, this seems to require a malicious website or email to get onto your computer in the first place, which almost certainly would require the download of a file or attachment for execution. I'm not worried by this.
  11. mdnz macrumors regular

    Apr 14, 2010
    The Netherlands
    No it won't. If you think it does can you give us a source?
  12. mainstreetmark macrumors 68020


    May 7, 2003
    Saint Augustine, FL
    Well, that wasn't very uplifting news. If you get infected, you have to replace your Mac and all your cables?

    Is it at least possible to make a TS2 killer that lives on some other TB cable, that uses the same exploits, but gets rid of the bad payload?
  13. MacDawg macrumors Core


    Mar 20, 2004
    "Between the Hedges"
    What do you mean dated 2001?
    If you are looking to the left under the user avatar, that is the join date.
  14. AngerDanger, Aug 3, 2015
    Last edited: Aug 3, 2015

    AngerDanger macrumors 68040


    Dec 9, 2008
    I wish there was a chart or enumeration of Macs that can be affected by this. This article and the one on WIRED only mention MacBooks for some reason, but this would presumably affect desktop Macs as well. Also, what about computers that don't have Thunderbolt ports? :confused:
  15. brinary001 macrumors 6502a


    Sep 4, 2012
    Midwest, USA
    I was talking to a buddy of mine the other day about Macs and their vulnerabilities. There's more of them than people think. Nothing is safe anymore. And better than any security program, is your awareness and looking over your digital shoulder now and then.
  16. marco114 macrumors 6502


    Jul 17, 2001
    It's crazy that someone has this kind of time on their hands. I'd love to hire them to work on my latest app design but they are busy hacking away at the Mac.
  17. Parasprite macrumors 68000


    Mar 5, 2013
    Apple is just so ahead of the curve, they beat themselves to Thunderbolt 2. :cool:
  18. 556fmjoe macrumors 65816


    Apr 19, 2014
    Blackhat is going to be really interesting this year. I can't wait.
  19. pdaholic macrumors 65816


    Jun 22, 2011
    Thank goodness these "researchers" are on our side.
  20. Headrush69 macrumors member

    Jun 12, 2007
    Does rootless mode coming in El Capitan make this moot? (At least being done remotely)
  21. Kobayagi macrumors 6502a


    Dec 18, 2012
    New YouTube player design? First change I actually like in years.
  22. bushido Suspended


    Mar 26, 2008
    kinda crazy. makes it sound like a living organism
  23. maxsix Suspended


    Jun 28, 2015
    Western Hemisphere
    Apple enthusiasts busy defending Apple, while living in complete denial about the risks, are just what Apple counts on, so they can push security down their list of priorities.
  24. Steve121178 macrumors 601


    Apr 13, 2010
    Bedfordshire, UK
    Err, no it won't. We all know how rubbish Apple is when it comes to security so if you think El Capitan will make your Mac bulletproof then you need to get some help.
  25. SoyCapitanSoyCapitan macrumors 68040


    Jul 4, 2015
    Just sandbox all browsers and implement a thorough scan of anything downloading. Sandboxing the user folders would also help. Access to system folders should require a password.
