It appears that a firmware virus capable of infecting Macs has surfaced. "Thunderstrike 2" is a rootkit that uses Thunderbolt accessories to infect Mac firmware.
The worm was developed by a team of researchers, Wired reports. Building on the "Thunderstrike" exploits disclosed last year, the new worm has been given the moniker "Thunderstrike 2". It infects Macs at the deepest level, right down to the firmware, making it nigh impossible to remove. Once malware is embedded in the firmware, it survives firmware updates and other attempts to remove the infection.
The worm is the brainchild of security engineer Trammell Hudson, who first discovered the "Thunderstrike" exploits, and Xeno Kovah, owner of the firmware security consultancy LegbaCore. When Thunderstrike was revealed earlier this year it garnered widespread attention, but it was only a proof of concept for the vulnerabilities, with no real-world presence. Its successor demonstrates working attack capabilities using the same vulnerabilities.
Thunderstrike 2 can reach a device remotely, through the web or an e-mail. Once it has found refuge on a Mac, it works on propagating to other Macs by hiding in the ROM of peripheral devices such as Apple's Thunderbolt to Gigabit Ethernet adapter, external SSDs, RAID controllers and the like. The infected peripheral then spreads the infection onward to any other system it is connected to. Thunderstrike 2 can remain hidden because it never touches the Mac's operating system or file system; because it lives only in the firmware, scanners cannot detect it, so you would never know your Mac was infected.
“People are unaware that these small cheap devices can actually infect their firmware,” says Kovah. “You could get a worm started all around the world that’s spreading very low and slow. If people don’t have an awareness that attacks can be happening at this level then they’re going to have their guard down and an attack will be able to completely subvert their system.”
Drastic measures would be needed to clean a system infected at the firmware level, possibly including changes to the hardware itself. The researchers insist that Apple's developers have not done enough to patch these vulnerabilities, leaving users in a precarious position.
“Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware,” Kovah notes. “Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks and show customers that they need to hold their vendors accountable for better firmware security.”
Kovah and Hudson were quick to inform Apple of the threat its users face from Thunderstrike 2; still, it seems Apple has so far repaired only one of the five flaws and issued a partial fix for a second. Three of the vulnerabilities remain unpatched, though Apple is most likely working to address them in its next security update.