Apple’s Macs no longer attack-immune

Victor Barreiro Jr.

Two researchers design a proof-of-concept worm that would allow a firmware attack to spread automatically from one Mac to another

MANILA, Philippines – The idea that Apple’s Macs are less susceptible to attacks was dealt a blow Monday, August 3, due to vulnerabilities that affected both PCs and Macs.

Two researchers – Xeno Kovah of LegbaCore, a firmware security consultancy, and Trammell Hudson, security engineer for Two Sigma Investments – designed a proof-of-concept worm that would allow a firmware attack to spread automatically from one Mac to another.

Wired reports that the “Thunderstrike 2” worm, created to exploit vulnerabilities that were discovered to affect PCs and Macs, lets an attacker remotely target a machine and infect peripheral devices that carry an option ROM.

The malware, if it reaches the main machine firmware, could block new updates from being properly installed or otherwise write itself to a new update during the installation process.

This is because firmware operates at a level below security programs, and is not normally scanned by antivirus software.

Normally unkillable

To kill malware embedded in a computer’s main firmware, one would need to re-flash the chip that contains the firmware.

Kovah went on to explain that doing this is difficult and complicated.

“[The attack is] really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware,” Kovah said.

Users cannot easily examine the firmware themselves to determine if alterations have been made.

Wiping the operating system on an infected machine doesn’t work either, as the firmware-based malware stays on a system after a full wipe of the memory and operating system.

“For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip,” Kovah added.

INFECTING MACBOOKS. A boy looks at content on a MacBook in an Apple store in Beijing, China, 10 January 2012. File Photo by How Hwee Young/EPA

How Macs get infected

An infection attack would take seconds and can be done remotely.

Attackers could remotely hit the boot flash firmware on a MacBook through a phishing attack or malicious website code.

Once infected, Thunderstrike 2 would search for computer peripherals that contain an option ROM, then infect those peripherals. These include the Thunderbolt Ethernet adapters of Macs.

The worm can be passed to other computers if the infected adapter gets connected to another device.

A worm-infected device writes malicious code to the machines it is connected to. Infected machines can in turn infect other option ROM-carrying devices, and so on.

Attackers could also sell compromised devices to spread the malware.

“People are unaware that these small cheap devices can actually infect their firmware,” explained Kovah.

“You could get a worm started all around the world that’s spreading very low and slow. If people don’t have awareness that attacks can be happening at this level then they’re going to have their guard down and an attack will be able to completely subvert their system.”

Kovah and Hudson will present their findings about the vulnerabilities and the proof-of-concept worm at the Black Hat conference in Las Vegas on August 6.
