VirusTotal bashes bad BIOSes with forensic firmware fossicker
AV outfit finds new ways to banish low-level malware to the .bin
VirusTotal can now analyse firmware for known malware, prying inside BIOS and other firmware images - code that is all but hard-wired into the machine - for hidden executables.
The service allows users to search for low-level infections in embedded devices and BIOS which could represent the handiwork of sophisticated malware or well-resourced or dedicated attackers.
Security engineer Francisco Santos says it could help build a database of firmware to benefit the research community.
"BIOS malware is no longer something exclusive to the NSA - Lenovo's Service Engine or Hacking Team's UEFI rootkit are examples of why the security industry should put some focus on this strain of badness," Santos says.
"Since the BIOS boots a computer and helps load the operating system, by infecting it attackers can deploy malware that survives reboots, system wiping and reinstallations, and since antiviruses are not scanning this layer, the compromise can fly under the radar."
Portable executables can be extracted from the images and examined in VirusTotal, so that those built for Windows - which firmware would not normally carry, and which are therefore the most likely to be malicious - can be identified.
Those inclined to dump their BIOS and serve it up to VirusTotal can use a handful of free tools for the job.
Santos warns that private data like WiFi passwords should be removed from firmware before it is uploaded.
Full capabilities of the tool include:
- Apple Mac BIOS detection and reporting;
- Strings-based brand heuristic detection to identify target systems;
- Extraction of certificates and executable files from firmware images;
- PCI class code enumeration allowing device class identification;
- ACPI table tag extraction;
- NVAR variable names enumeration;
- Option ROM extraction, entry point decompilation and PCI feature listing;
- Extraction of BIOS portable executables and identification of potential Windows executables contained within the image, and
- SMBIOS characteristics reporting.
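The portable-executable extraction step in the list above is easy to misread as a simple grep for "MZ", so here is an added example of what a minimal carver has to check before it calls a byte run an embedded PE file. This is illustrative code written for this article, not VirusTotal's own tool; the firmware image it scans is constructed inline (two hand-built PE headers and a decoy "MZ" with nothing behind it), and the hypothetical helper names (build_pe_stub, carve_pe, parse_pe_at) are assumptions. It goes one step beyond the article by reading the optional header's Subsystem field, which separates EFI drivers and applications (also PE-format, and expected in UEFI firmware) from executables built for Windows.

```python
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"

# Subsystem values from the PE/COFF specification. 1-3 are Windows targets;
# 10-13 are the UEFI kinds that legitimately live inside firmware volumes.
SUBSYSTEMS = {
    1: "native", 2: "windows_gui", 3: "windows_cui",
    10: "efi_application", 11: "efi_boot_service_driver",
    12: "efi_runtime_driver", 13: "efi_rom",
}
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "arm", 0xAA64: "arm64"}

# Assumed helper (constructed for this example): build a minimal PE header
# consisting of a DOS stub with e_lfanew, the PE signature, a COFF file header
# and an optional header that is zero apart from Magic and Subsystem.
def build_pe_stub(machine, subsystem, pe32plus):
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ_SIG
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 68, subsystem)  # Subsystem, offset 68 in PE32 and PE32+
    return bytes(dos) + PE_SIG + coff + bytes(opt)

# Constructed sample "firmware image": padding, an EFI runtime driver, a bare
# "MZ" decoy that is not a PE file, and a Windows console executable.
def build_sample_image():
    filler = b"\xff" * 64
    efi = build_pe_stub(0x8664, 12, True)
    decoy = MZ_SIG + b"\x00" * 30
    win = build_pe_stub(0x14C, 3, False)
    return filler + efi + filler + decoy + filler + win + filler

# Validate a candidate PE at offset `off`; return a description or None.
def parse_pe_at(image, off):
    if off + 0x40 > len(image):
        return None
    e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
    pe_off = off + e_lfanew
    # e_lfanew must be plausible and the signature, COFF header (20 bytes) and
    # the optional header up to Subsystem (70 bytes) must all fit in the image.
    if e_lfanew < 0x40 or e_lfanew > 0x400 or pe_off + 4 + 20 + 70 > len(image):
        return None
    if image[pe_off:pe_off + 4] != PE_SIG:
        return None
    machine, _nsect, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B) or opt_size < 70:
        return None
    subsystem = struct.unpack_from("<H", image, opt_off + 68)[0]
    return {
        "offset": off,
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "subsystem": SUBSYSTEMS.get(subsystem, "unknown(%d)" % subsystem),
        "likely_windows": subsystem in (1, 2, 3),
    }

# Walk every "MZ" occurrence and keep only those that validate as PE headers.
def carve_pe(image):
    found = []
    pos = image.find(MZ_SIG)
    while pos != -1:
        hdr = parse_pe_at(image, pos)
        if hdr:
            found.append(hdr)
        pos = image.find(MZ_SIG, pos + 1)
    return found

if __name__ == "__main__":
    for hdr in carve_pe(build_sample_image()):
        flag = "WINDOWS-TARGET" if hdr["likely_windows"] else "efi"
        print("0x%06x %-7s %-24s %s" % (hdr["offset"], hdr["machine"],
                                        hdr["subsystem"], flag))
```

On the constructed image the decoy is rejected because the bytes at its e_lfanew position do not point at a "PE\0\0" signature, the EFI runtime driver is reported but not flagged, and the Windows console executable is flagged as the candidate worth sending for analysis. A real carver would go on to use SizeOfImage and the section table to cut the file out of the image; this example stops at the header checks because they are the part that decides whether a hit is real.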