Intel Security Releases Detection Tool For EFI Rootkits After CIA Leak (pcworld.com)
After WikiLeaks revealed data exposing information about the CIA's arsenal of hacking tools, Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code. PCWorld reports: The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's MacBooks. The documents from CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter. In addition to DarkMatter, there is a second project in the CIA EDB documents called QuarkMatter that is also described as a "Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant." The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. CHIPSEC consists of a set of command-line tools that use low-level interfaces to analyze a system's hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell. The new CHIPSEC module allows the user to take a clean EFI image from the computer manufacturer, extract its contents and build a whitelist of the binary files inside. It can then compare that list against the system's current EFI or against an EFI image previously extracted from a system.
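The whitelist-and-compare mechanism the summary describes, reduced to its essentials as an added example. This is not CHIPSEC's own code and does not use its file formats; the extracted EFI image and the system dump are modelled as plain mappings from extracted-file path to file contents, with all paths and contents constructed for illustration. The baseline is a SHA-256 per binary; a binary in the system image whose hash appears nowhere in the baseline is reported as unknown code (or as modified, if its path is known), and whitelisted binaries that have disappeared are reported as missing.

```python
import hashlib
import json

# Constructed sample data (not real firmware): a "clean" vendor EFI image after
# extraction, modelled as {extracted path: file bytes}.
CLEAN_IMAGE = {
    "FV_MAIN/PciBusDxe.efi": b"MZ\x90\x00clean pci bus driver v1",
    "FV_MAIN/UsbKbDxe.efi": b"MZ\x90\x00clean usb keyboard driver v1",
    "FV_MAIN/BdsDxe.efi": b"MZ\x90\x00clean boot device selection v1",
}

# Constructed dump of a running system's firmware plus its EFI system partition:
# one known driver has been altered and one driver not in the vendor image
# has appeared on the ESP (the persistence location the summary mentions).
SYSTEM_DUMP = {
    "FV_MAIN/PciBusDxe.efi": b"MZ\x90\x00clean pci bus driver v1",
    "FV_MAIN/UsbKbDxe.efi": b"MZ\x90\x00clean usb keyboard driver v1 PATCHED",
    "FV_MAIN/BdsDxe.efi": b"MZ\x90\x00clean boot device selection v1",
    "ESP/EFI/Unknown/persist.efi": b"MZ\x90\x00not from the vendor image",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_whitelist(image: dict) -> dict:
    """Trusted baseline: SHA-256 of every binary in the clean vendor image, by path."""
    return {path: sha256_hex(blob) for path, blob in sorted(image.items())}


def compare_to_whitelist(whitelist: dict, image: dict) -> dict:
    """Classify every binary in `image` against the baseline.

    - 'unknown':  hash not present anywhere in the baseline and path not known
    - 'modified': path is in the baseline but the content hash differs
    - 'missing':  baseline path that is absent from the image
    Matching on hash first means a known binary that merely moved is not flagged.
    """
    known_hashes = set(whitelist.values())
    result = {"unknown": [], "modified": [], "missing": []}
    for path, blob in sorted(image.items()):
        if sha256_hex(blob) in known_hashes:
            continue
        if path in whitelist:
            result["modified"].append(path)
        else:
            result["unknown"].append(path)
    result["missing"] = sorted(p for p in whitelist if p not in image)
    return result


def whitelist_to_json(whitelist: dict) -> str:
    """Serialise the baseline so it can be stored and reused on later checks."""
    return json.dumps(whitelist, indent=2, sort_keys=True)


def whitelist_from_json(text: str) -> dict:
    return json.loads(text)


if __name__ == "__main__":
    baseline = build_whitelist(CLEAN_IMAGE)
    # Round-trip through JSON, as a stored baseline would be.
    baseline = whitelist_from_json(whitelist_to_json(baseline))
    report = compare_to_whitelist(baseline, SYSTEM_DUMP)
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Run as a script it lists the patched keyboard driver under "modified" and the ESP driver under "unknown"; a clean system produces an empty report. The check is only as good as the baseline: the clean image must come from the vendor, and the baseline file itself needs to be kept somewhere the firmware cannot rewrite.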
Conundrum (Score:5, Insightful)
Re:Conundrum (Score:5, Insightful)
Because they were probably compelled by some sort of behind-the-scenes bullshit to do this on behalf of the CIA, and now that the cat's out of the bag they (the CIA) figure it's probably better to be able to poison the ability for the exploit to work than to let the bad guys (different groups depending on who you are) have a go unhindered.
And they're right. They're utter bastards but they're right.
Re: (Score:2)
Actually if you think about it...
Those who have the most to hide would be the first ones in line to rush to patch...
Re: (Score:2)
So use this patch (read: injector) to make you feel at ease while the patch makes sure you're definitely infected. But with a password for login, so the low-level criminals can't just come play when they want. They have to pay to play (buy credentials).
Re: Conundrum (Score:1)
If you don't trust Intel you are kinda screwed (Score:4, Insightful)
So obviously Intel makes popular CPUs, as well as other components, in computers. If you run a system with any of those, well then they could have a back door in them and there's nothing you could do. However, it goes further than that: the Intel C Compiler is EXTREMELY popular for writing software (in Windows and Linux) because it generates really optimized code. It could, of course, insert back doors into binaries without the knowledge of the person compiling it. So you'd have to scrap anything written using it.
Really, it isn't feasible. If you are so paranoid you think Intel is spying on you or helping others spy, you'd probably have to go hide in a cave because there is just nothing you can really do to eliminate all risk.
At some point, you have to stop being a member of the AFDB brigade and just accept that ya, there's some risk in trusting, well, anyone, but you have to and just leave it be. You also have to accept that you aren't protecting nuclear secrets; the kind of attacks against you are not at the spy-agency level.
Re: (Score:2)
Re: (Score:2)
How do you know I'm not protecting nuclear systems? Have you used one of the Intel backdoors to search my system for trade secrets?
Re: (Score:1)
Re: (Score:2)
I can't trust any CPU. All CPUs have room for microcode patches. An instruction does not work right? Well, here is a boot-time microcode patch to fix that instruction or to add an instruction. That added instruction could circumvent security by blocking interrupts.
Re: (Score:2, Funny)
Wait.... he has a low ID?
Yes! Front Row!
Re: (Score:1)
Re: (Score:1)
Who has a low ID?
Re: (Score:2, Funny)
My chance to shine has been ruined.
Re: (Score:1)
Ahah
Re: (Score:1)
i know eh :)
Re: (Score:2, Funny)
I've played this game before. I always lose.
Re: (Score:1)
Re: (Score:1)
I just want to say, it has been an honor growing up on Slashdot with you all. I hope my old millennial ass doesn't die before the site does, lol
-dk
Re: (Score:2, Funny)
Indeed.
Re: (Score:1)
Re: (Score:1)
If only I had registered immediately when I first started reading Slashdot...
Re: (Score:1)
What's going on here?
Re: (Score:1)
I now know slashdot is doomed, I didn't get a funny and no one noticed the Futurama reference. All you guys turn in your nerd cards.
Re: (Score:1)
Sorry, 464150 is the cut off for what we consider low ID.
Re: (Score:3, Insightful)
Re: Conundrum (Score:1)
Re: (Score:1)
Is anything 1,000,000 low?
But if Intel released chipset manuals (Score:1)
Then how can I trust Intel's code to detect rootkits?
Same applies for Motorola and AMD.
Mistake (Score:5, Insightful)
When will people admit that [U]EFI was a mistake?
It's too much code at too low a level, and it's too easy to manipulate. I for one would rather pay a nominal fee to have a new ROM chip sent to me. Remember when you could just pop those babies in and out? Remember when we had jumpers to protect and reset BIOS, boot sectors, etc.?
Yes, [U]EFI has good features and goes far beyond what BIOS can do, but so what? Outside of supporting hardware and booting to the point of OS handoff, the BIOS (either BIOS proper or [U]EFI) is supposed to be as minimal as possible. BIOS has been hacked to hell to support all sorts of shit like that at the behest of the various motherboard manufacturers. If we just had a newer BIOS developed by a central body that didn't try to completely reinvent the wheel as a helicopter, we'd be much better off.
Re: (Score:1)
All I want is a jumper to nuke the write line. Is that too much to ask?
Re: (Score:1)
I've been saying it was a mistake all along! Nobody ever listens to me!
Re: (Score:1)
Re: (Score:1)
UEFI is a bad alternative to what we already had that worked better: BIOS. Not all progress is good. Let it go.
Re:Mistake (Score:5, Insightful)
Yes, UEFI is a poorly implemented, bad idea, and full of never-ending critical vendor security flaws. When you can extract the code, change it, compile it, and put it back, that is scaarrry! I have personally extracted the code from an ACPI table in the UEFI, tweaked it, compiled it, and put it back. UEFI is a security hole like no other. It can access all the hardware, including memory and the network, without the host O/S having any idea.
To quote Linus: EFI is this other Intel brain-damage (the first one being ACPI).
Now root kits can hide after reboot and re-install. UEFI was supposed to make us secure, but all it accomplished was trying to lock out Linux from PC hardware.
Re: (Score:2)
Re: (Score:1)
LMFTFY:
Number of BIOS updates I've ever installed on my computer: 0.
Number of BIOS updates I've knowingly installed on my computer (bear in mind, your vendor could have it pre-installed, the NSA could install it in transit to the store, the evil maid at the hotel could have installed it while you were at the pool, etc.)
Number of processes from the BIOS still running after the boot process finished: 0.
Number of processes from the BIOS that I know that are still running after the boot process finished (you don't think a spy process from the BIOS would be visible to your OS's pstools, do you?)
Re:Mistake (Score:5, Interesting)
Don't blame Intel for the constant problems of ACPI. It was a good design, as initially envisioned.
Blame Microsoft. The Windows ACPI support is really, really awful, but every non-server motherboard is designed and tested for Windows; Linux testing is an afterthought, if at all. Same for laptops. An ACPI implementation designed and tested for Windows is likely to go very wrong if confronted with an OS that actually does ACPI properly. A common problem is invalid values in those ACPI tables (probably why the above poster was fiddling with them): Windows ignores a few values and just assumes defaults, so some mainboards and laptops pass testing on Windows even though the wrong values, or just all zeros, are written in. When Linux reads and tries to act on those tables, it usually hangs the system.
My own desktop has an issue something like that, which I got around by just putting 'acpi=off' on the kernel options.
Re: Mistake (Score:1)
Re: (Score:2)
Seems like you have never heard of Secure Boot. It's part of the UEFI spec that adds the security you are missing. With it enabled, screwing with parts of the firmware will break the chain of trust.
People hated it because it can be used to lock a machine to booting only Windows, but most implementations allow you to install your own keys.
UEFI reduces the attack surface compared to the old BIOS. That's one reason it boots faster - it does so much less.
Obviously Libreboot would be even better, but UEFI is sti
Re: (Score:2)
Secure boot doesn't protect shit beyond making you unable to boot to unsigned shit. The firmware is still as buggy and exploitable as fuck. And now every fucking peripheral has firmware being talked to and running shit pre-boot!
Are you retarded? You think UEFI presents a SMALLER attack surface? And you think that's why it boots faster? Hint: It doesn't boot faster. It may warm boot Windows faster, but that's got nothing to do with UEFI vs. BIOS. BIOS can achieve the same thing because the "fast boot
Re: (Score:2)
UEFI is much better than the BIOS for peripheral firmware. The BIOS runs x86 code directly. UEFI has a virtual machine running bytecode. At least you have a chance of securing that, with the BIOS you can't do anything.
Re: Mistake (Score:1)
Re: (Score:2)
Does Windows 10 even support BIOS mobos that don't have partial/faked EFI support?
Looking forward, everything is fucked. UEFI everywhere, Windows 10 everywhere, IME/PSP everywhere.
BIOS implementations can be insecure as fuck too, but there's typically the option to lock the BIOS to prevent this. Modern enthusiast/gamer boards have a dual BIOS option which lets you toggle a good copy of the BIOS if the current one fucks up or you bork it with overclocking settings. Older MSI boards used to have 2 physical
Re: (Score:2)
Dump the chip? Or use EEPROM (they're all EEPROM now anyway) and write a trusted version yourself?
Never. (Score:4, Insightful)
This is part of the long slow march back to locked down shitty platforms and completely closed hardware. This is the phone/appliance-ification of your shit.
People don't understand the freedoms they're losing. By the time they realize it it will be far too late (it pretty much already is at this point). Even the term "walled garden" doesn't make it sound as bad as it is.
What really gets to me is it takes talented, highly educated people in niche fields to create this shit, and they're selling out hardcore to some of the worst evils imaginable and giving no fucks (the overarching cultural imperative, at least in America, of "I got mines").
It's a shame there aren't more RMS style zealots; maybe even some with billions of dollars to throw at preserving and perpetuating freedom.
Re: Never. (Score:1)
Re: (Score:3)
Hear! Hear!
UEFI is a "solution" looking for a problem. It truly has nothing to offer. We don't need a badly implemented mini-OS to load the real OS.
What we really needed was a simple 64 bit clean minimalist firmware to put the system into a known good standard condition, then load a stub and jump to it.
Re: Mistake (Score:1)
Re: (Score:3)
Actually, I know a great deal about it including being one of the first to use boot code tracing on a PC and work on the CoreBoot project (back when it was still LinuxBIOS). My first hack on BIOS itself was to convince an XT clone to accept a V20 CPU.
The biggest problems with BIOS were its attempt to be an Input Output System as well as a startup firmware, and severe limitations on its ability to handle large drives.
The rest is a solution looking for a problem.
Now, would you like to make a substantial clai
Re: Mistake (Score:1)
Re: (Score:2)
In other words, you haven't a clue?
I agree a BIOS replacement was needed. EFI wasn't it. I have a worn out sock that needs replacing too, but you won't see me hopping down the street with my toes stuck in a bowling ball.
If you think EFI was the right answer, defend your position.
Re: Mistake (Score:1)
Re: (Score:2)
You need to read the thread again starting from the top. Either you are posting to the wrong thread or you're having a far more in-depth discussion in your own head than is implied by the actual posts here.
All you have said here is that you believe *I* should review the history of BIOS and that you will not defend your position (whatever it may be). Your post above was the first time in this thread you even claimed we have EFI for a reason (but you haven't stated one to me yet).
Re: (Score:2)
When will people admit that [U]EFI was a mistake?
(from below) but all it accomplished was trying to lock out Linux from PC hardware.
Microsoft: SUCCESS! What?? A misteak? ... You clearly don't work here. Begone, open-source heathen!
Re: (Score:2)
I have no problem buying a new computer. But I want control of my hardware. I replace shit whether it's broken or not, just to give me something to play with. But I remember the days when you didn't have to play the "Let's break this part to make the system work right" game.
Re: Not A Mistake (Score:1)
Re: (Score:2)
Eventually you can get Linux to boot on UEFI just fine. But it is harder than before.
It used to be that you could just put a DVD in a computer and click OK to install Linux, and that was it.
Now people ask me for help when Linux installation fails. Usually the installation seems to succeed, but the computer cannot boot. I usually install Boot-Repair on a live USB disk, boot the computer and fix it. Boot-Repair is a nice tool, but really, it should not be necessary.
And sometimes it does no
Re: Not A Mistake (Score:1)
So how do I install it? (Score:5, Informative)
Then I have to compile some C programs. OK.
Then I have to shut down my system using funny flags I've never seen before. Before doing this I hope I've printed out a few pages of the manual, because the next few steps are what to do when the system won't boot.
Then I can run it.
OK, I'm technically competent. I'm kinda surprised I've had this laptop for 2 years and have yet to install Python. Oh well, not a problem. I've also got a C development system, that's easy enough. And I'm smart enough to print out the 2-3 pages of important info before shutting down my system in a funky way.
So yeah, I can install and run this. But how about grandma? She has no chance. Besides the fact she's been dead for 10 years or so, she would never be able to figure this stuff out.
What we need is a
Re: (Score:2)
Pretty sure one is posted at www.cia.gov/rootkit/EFI.msi
Re: (Score:1)
In addition, you have to trust the tool to detect any newer rootkits that did not get disclosed by the Intel/CIA leak.
Not sure I trust Intel any more than the CIA.
Re: (Score:1)
Yeah, msi file yep, for our windows 10. So we can download it, install it, go to our start menu, scroll past the PowerJelq(tm) ad that popped up in our pinned list since the last windows update, and check if anyone's been dicking with our system without our consent.
Re: (Score:2)
Re: (Score:2)
No need for a Windows GUI I guess because you can just assume there is a rootkit up your EFI.
Re: (Score:2)
Interesting to the CIA and NSA as a way in to record interesting people in that home.
The need for a Linux and Mac GUI is the ability to test and see results, as they might get a change in their computer via the Automated Implant Branch (AIB).
That could automate gov malware being pushed down into Linux or Mac OS to avoid any software firewall or other unexpected security settings.
Re: (Score:1)
What we need is a .msi file...
No you don't. And here you go!
ForGrandma.bat:
Re: (Score:2)
Reading the manual, I need to install Python using pip. Never heard of pip. Google says it's a Python package manager. Whee.
Subtlety seldom works here. I have to install Python to get a thingie I need to install Python. If this isn't a Whiskey Tango Foxtrot moment I don't know what is.
The whole set of instructions for installing/running this tool are dead on arrival for 99% of /. readers, let alone the general population.
Re: (Score:2)
Us other 1% though. This is comedy gold for us. We were smart enough to either accept our 3-lettered overlords of the internet or cripple the UEFI itself. Also, if you're that concerned, build a firewall with old, verifiable, non-backdoored hardware (looking at the 1990 IBM server in my closet) and monitor your traffic in and out. Block everything that isn't absolutely needed. 65535 ports is overkill anyways. Nobody needs that many O.o
Re: (Score:2)
If they had only provided an MSI installer containing this program would you have really trusted it and ran it? At least by releasing the source code, we can look at it and verify what we are running before we do so.
Re: (Score:2)
Well, if they use a .msi, how will the Linux and OSX users run it? Oh, you run Windows so that's the only OS that exists... got you!
Re: So how do I install it? (Score:2)
What does it mean (Score:3, Interesting)
when Intel builds a separate computing environment into their processors and chipsets, designed to operate out of control or view of the user, and then offers this EFI rootkit detection tool? Can you trust Intel?
Re: (Score:2)
no
Re: (Score:2)
It's open source and relatively small, so sneaking stuff into it will be hard. But what do you have to lose by running it anyway? At worst it ignores the NSA rootkit, but you are no worse off than before.
What if I'm running an AMD board? (Score:1)
You insensitive clods!
Yeah right (Score:5, Interesting)
Intel already has a backdoor called "Intel Management Engine Interface" that can't be disabled, even if you disable Windows drivers or run Linux; it's built into the BIOS and cannot be disabled.
The UEFI/EFI itself is another layer of bullshit that makes it such a hassle to dual-boot or run a non-Windows OS. Try installing Linux Mint on an HP laptop, and even the latest version requires you to log into the UEFI partition and rename/move the image file just so you can get grub to show up during boot (without hitting hot keys).
How do I know that Intel's utility's not going to replace it with the Microsoft version in the name of "security"?
How do I know your replacement image, if that's how it works, is not going to be Intel's compromised BS that allows even more access than the fucking Intel Management Engine?
Yet Lower Level (Score:1)
My understanding (perhaps somewhat dated) is there is modifiable code inside Intel CPUs as well. Does the CIA/NSA/whoever have the capability of silently changing that microcode so as to make their task easier (perhaps as simple/complex as detecting when certain encryption code is running, and changing the results to be cryptographically weaker)? Or is this old stuff that no longer applies?
Re: (Score:2)
What about "secure boot"? (Score:2)
It is REALLY this... (Score:1)
All this hype is to just get you to install it!
GOTCHA - AGAIN!!!