Thunderstrike 2 worm can infect your Mac without detection, but requires root access

“Trammell Hudson, an employee of high-tech hedge fund Two Sigma Investments, created something of a storm late last year with his Thunderstrike exploit on Apple Macs,” Thomas Fox-Brewster reports for Forbes. “It was the first time anyone had demonstrated a Mac bootkit – malware that launches ahead of the operating system, from the moment the PC starts, and is hidden from security tools, most of which don’t delve so deep inside Macs’ innards. It’s probably the most surreptitious, devilish kind of malware one can get onto a PC, effectively granting an attacker total control over the computer.”

“There was one major barrier to exploitation outside of labs, however: it required physical access to the target PC,” Fox-Brewster reports. “But now that Hudson has collaborated with self-proclaimed ‘voodoo’ researchers Xeno Kovah and Corey Kallenberg, Mac bootkits can now be delivered from anywhere on the planet. They could also jump between machines over infected Thunderbolt devices, creating a ‘firmworm.’”

“To get that bootkit up and running, there are numerous paths a malicious hacker could take. The one the trio will show off at the Black Hat security conference in Las Vegas this week will assume the attacker already has root control over the machine. Getting to that point is not the simplest of tasks on Apple Macs, but an Oracle Java or Adobe Flash exploit would do the trick,” Fox-Brewster reports. “In the video below, Hudson shows how an attack can jump from OROMs, to the BIOS, and back to the OROMs, primed to infect another Mac.”

Read more in the full article here.

MacDailyNews Take: Firmworm? Sounds like something starring in the U.S. NSA’s wet dream.

EFI firmware attacks. Proof that not everything about Apple’s switch to x86 was peachy keen.

As Wired‘s Kim Zetter notes:

[An effective] countermeasure would involve hardware vendors giving users the ability to easily read their machine’s firmware to determine if it has changed since installation. If vendors provided a checksum of the firmware and firmware updates they distribute, users could periodically check to see if what’s installed on their machine differs from the checksums. A checksum is a cryptographic representation of data that is created by running the data through an algorithm to produce a unique identifier composed of letters and numbers. Each checksum is supposed to be unique so that if anything changes in the dataset, it will produce a different checksum.

But hardware makers aren’t implementing these changes because it would require re-architecting systems, and in the absence of users demanding more security for their firmware, hardware makers aren’t likely to make the changes on their own.

“Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware,” Kovah notes. “Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security.”

Apple, which is all in on privacy, certainly should work to fix this problem.

That said, of course the old rule still applies: Do not enter your Mac OS X admin password to install anything from an unknown and/or untrusted source.
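As an added illustration of the countermeasure Zetter describes (written for this page; not code from the Wired or Forbes articles, from Apple, or from the researchers): a per-region integrity check of a firmware dump against a vendor-published manifest, using SHA-256 rather than a plain checksum. The region map, the 64 KiB image and the manifest are all constructed for the example; a real check would parse the image’s firmware-volume layout instead of taking a fixed map.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed region layout (name, offset, length) of a 64 KiB "firmware image".
# A real EFI image carries a firmware-volume layout that a tool would parse.
REGION_MAP: List[Tuple[str, int, int]] = [
    ("PEI", 0x0000, 0x4000),
    ("DXE", 0x4000, 0x8000),
    ("NVRAM", 0xC000, 0x4000),
]
# The variable store changes during normal use (boot order, settings), so a
# vendor manifest would cover code regions only; NVRAM is deliberately skipped.
VOLATILE_REGIONS = {"NVRAM"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(image: bytes) -> Dict[str, str]:
    """Hashes a known-good image per code region: what a vendor would publish."""
    return {name: sha256_hex(image[off:off + length])
            for name, off, length in REGION_MAP if name not in VOLATILE_REGIONS}


def verify_image(image: bytes, manifest: Dict[str, str]) -> List[str]:
    """Returns the names of manifest regions whose current hash differs."""
    mismatched = []
    for name, off, length in REGION_MAP:
        expected = manifest.get(name)
        if expected is None:
            continue  # volatile region, or not covered by the vendor manifest
        if sha256_hex(image[off:off + length]) != expected:
            mismatched.append(name)
    return mismatched


def constructed_image(seed: bytes) -> bytes:
    """Deterministic filler standing in for a real flash dump (constructed)."""
    out = bytearray()
    for counter in range(0x10000 // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
    return bytes(out)


def demo() -> Tuple[List[str], List[str]]:
    pristine = constructed_image(b"known-good")
    manifest = build_manifest(pristine)
    img = bytearray(pristine)
    img[0xC010] ^= 0xFF                      # legitimate NVRAM write: not flagged
    clean_result = verify_image(bytes(img), manifest)
    img[0x4100:0x4110] = b"\x90" * 16        # unauthorized change inside DXE
    tampered_result = verify_image(bytes(img), manifest)
    return clean_result, tampered_result     # ([], ["DXE"])
```

Skipping the variable store avoids false alarms from ordinary NVRAM writes. A dump read through an operating system that is already compromised can itself be falsified, so reading the flash with an external programmer gives stronger assurance than an in-OS check.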

Apple secures Macs against ‘Thunderstrike’ attacks in OS X 10.10.2 – January 24, 2015
Macs vulnerable to virtually undetectable malware that ‘can’t be removed’, but physical access is required – January 12, 2015
New proof-of-concept ‘Thunderstrike’ bootkit for OS X can permanently backdoor Macs – January 9, 2015

[Thanks to MacDailyNews Reader “Edward W.” for the heads up.]


    1. There are other exploits. Also most people tend to run with administrative privileges on their machines. Meaning it takes precious seconds to enable root access if physical access is acquired. I’ve done it with people staring at the screen and they never noticed.

1. I have some questions about solutions for “run with administration privileges”. Would creating a separate account for the administrator (usually the person who owns the Mac and uses it the most) with privileges off help? Only using the admin account when necessary. This would be on the same machine, most of us only have one. If not, would getting a cheap Mac (used Mini) and doing something similar as above work? This way you would keep the hardware separate? If neither, what would be an easy solution?

  1. If a strange, suspicious person knocked on your door and wanted to come into your house… would you let them just walk in? No?!? Then don’t give out permission to enter your computer either.

1. Why not? Then I’d also tell them where my safe is, give them the password, give the keys to everything and leave the house. Then I’d write a story about how scandalous it was that the designer of my house hadn’t protected me better.

    2. They are not simply talking about strangers knocking on your door, or you going out and using the Internet unprotected. They are talking about installation via vectors you know and trust.

      There is very little to trust these days.

      Dell hah!

What is anyone doing to establish a secure and safe computing environment? Whatever it is, it’s not enough. Maybe we should just go back to paper, the slow, antiquated, environmentally unfriendly system that made hacking of mass society and spying impossible or not worth the effort.

Either manufacturers are part of the solution or part of the problem. Anything they say seems as if they were meaning to keep people calm and carry on, while the wolves rape and shear the sheep.

      At some point not coming up with a solution is actually a liability. If they know there is a problem but ignore it, then any customer losses are their liability as long as the customer has nowhere to turn.

      When cars and planes crash, despite safe and appropriate use, the manufacturer is liable. The same should be said for the computing industry.

      The problem isn’t old software/hardware. This is all zero day exploits and defective systems integration, a lack of understanding of how software should protect hardware.

      1. You cannot tell me you are secure from security threats which evolve on a week by week basis by just relying on the OS security. Thunderstrike 2 seems to prove that point quite nicely for Macs. The game changes quite often and if as a Mac user you want to sit back and allow the OS default security to work for you then think again Thelonious.

  2. Yet another reason to:

    1) Remove Adobe Flash Internet plug-in from your Macs, or at least keep it up-to-date and use a Flash blocker in your web browsers.

    2) Remove Oracle’s Java Internet plug-in from your Macs, or at least keep it up-to-date and use a Java blocker in your web browsers.

    Flash and Java: The two worst technologies perpetrated on the Internet.

1. BTW: There’s always something questionable about an article that calls a Mac a “MAC”. Shame KIM ZETTER at Wired. There are also lazy redundancies in the article as well as blatant Apple hate in the form of ignoring the fact that OS X UNIX is, in fact, far more secure by design than Windows. To say otherwise is incredibly ignorant.

      AND then consider the fact that we’re specifically talking about Intel hardware problems, NOT OS X. In total, this author, KIM ZETTER, is the wrong person to write about computer security, particularly Macs. Sorry Kim! But you did a lazy job. 😛

      1. Therefore, I’ll be waiting until the August 6th presentation of this firmware attack for complete details about this situation.

        Wired: Please try harder and better. Not that I mind the preview of Xeno Kovah and Trammell Hudson’s work. I just don’t like lazy, ignorant FUD!

        World: Watch for better articles about ‘Thunderstrike 2’ at the end of this week.

2. I understand the difference between Mac and MAC, and it’s a big one. However, your grammatical mistakes make you look like a hypocrite. If this was sarcasm, without a /s it is not understood. The Emoji at the end is rather meaningless. I am not into grammar police, however when complaining about someone’s grammar you should pay more attention.

  3. The thing that worries me about Flash is that it is updated regularly and requires typing in the user password (admin). I just switched off automatic updates since the webpage that launches could be spoofed from a malicious site.
