
Intel Security Releases Detection Tool For EFI Rootkits After CIA Leak (pcworld.com) 159

After WikiLeaks revealed data exposing information about the CIA's arsenal of hacking tools, Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code. PCWorld reports: The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's MacBooks. The documents from the CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter. In addition to DarkMatter, there is a second project in the CIA EDB documents called QuarkMatter that is also described as a "Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant." The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. CHIPSEC consists of a set of command-line tools that use low-level interfaces to analyze a system's hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell. The new CHIPSEC module allows the user to take a clean EFI image from the computer manufacturer, extract its contents and build a whitelist of the binary files inside. It can then compare that list against the system's current EFI or against an EFI image previously extracted from a system.
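As an added illustration of the whitelist-and-compare workflow the summary describes (constructed example code, not CHIPSEC's own module): it hashes the binaries extracted from a clean vendor image into a whitelist, then diffs a second extraction against it and reports unknown, modified and missing modules. The two images, their file names and the JSON whitelist layout are this example's own invented sample data and choices.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample data standing in for the binaries extracted from two
# firmware images. A real run would walk the files dumped from an EFI image;
# the names and contents here are invented for the example.
CLEAN_IMAGE = {
    "PlatformDxe.efi": b"\x4d\x5a clean platform driver",
    "NvmeDxe.efi": b"\x4d\x5a clean nvme driver",
    "UsbBus.efi": b"\x4d\x5a clean usb driver",
}
CURRENT_IMAGE = {
    "PlatformDxe.efi": b"\x4d\x5a clean platform driver",
    "NvmeDxe.efi": b"\x4d\x5a tampered nvme driver",   # changed since the clean image
    "UsbBus.efi": b"\x4d\x5a clean usb driver",
    "Persist.efi": b"\x4d\x5a unknown extra driver",   # absent from the clean image
}


def build_whitelist(image: Dict[str, bytes]) -> str:
    """Hash every binary in a clean image and serialise the whitelist as JSON.

    Keyed by file name here for simplicity; production tooling would also
    key on the module GUID so renamed files cannot dodge the check.
    """
    entries = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(image.items())}
    return json.dumps({"sha256": entries}, indent=2)


def compare_to_whitelist(whitelist_json: str, image: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Report binaries that are unknown, modified, or missing relative to the whitelist."""
    expected = json.loads(whitelist_json)["sha256"]
    report: Dict[str, List[str]] = {"unknown": [], "modified": [], "missing": []}
    for name, data in image.items():
        digest = hashlib.sha256(data).hexdigest()
        if name not in expected:
            report["unknown"].append(name)      # no vendor binary of that name
        elif expected[name] != digest:
            report["modified"].append(name)     # present but content differs
    report["missing"] = [n for n in expected if n not in image]
    for key in report:
        report[key].sort()
    return report


def is_clean(report: Dict[str, List[str]]) -> bool:
    """True only when every category of the comparison report is empty."""
    return not any(report.values())


if __name__ == "__main__":
    whitelist = build_whitelist(CLEAN_IMAGE)
    print(json.dumps(compare_to_whitelist(whitelist, CURRENT_IMAGE), indent=2))
```

A match only shows that the firmware agrees with the vendor image it was compared against; it says nothing about whether that vendor image was itself trustworthy, which is the objection several commenters below raise.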

  • Conundrum (Score:5, Insightful)

    by Dunbal ( 464142 ) * on Friday March 10, 2017 @08:13PM (#54016063)
    I no longer trust Intel. Therefore why would I run this?
    • Re:Conundrum (Score:5, Insightful)

      by barc0001 ( 173002 ) on Friday March 10, 2017 @10:02PM (#54016417)

      Because they were probably compelled by some sort of behind the scenes bullshit to do this on behalf of the CIA and now that the cat's out of the bag they (the CIA) figure it's probably better to be able to poison the ability for the exploit to work than to let the bad guys (different groups depending on who you are) have a go unhindered.

      And they're right. They're utter bastards but they're right.

      • by Dunbal ( 464142 ) *

        Actually if you think about it...

        Those who have the most to hide would be the first ones in line to rush to patch...

        • So use this patch (read: injector) to make you feel at ease while the patch makes sure you're definitely infected, but with a password for login, so the low-level criminals can't just come play when they want. They have to pay to play (buy credentials).

      • Or they gave them something they've been working on that looks like a patch, but is an unfixable root kit. Honestly, unless it's something we can all look at to know for sure there's no backdoor, it's crap. Linux, Linus, and Lynis are all you need to know. When they say Linux, I honestly think they mean Android and are generalizing. For goodness sake, Google knew about Dirty Cow but didn't fix it until December 2016.
    • by Sycraft-fu ( 314770 ) on Friday March 10, 2017 @11:12PM (#54016603)

      So obviously Intel makes popular CPUs, as well as other components, in computers. If you run a system with any of those, well then they could have a back door in them and there's nothing you could do. However it goes further than that: The Intel C Compiler is EXTREMELY popular for writing software (in Windows and Linux) because it generates really optimized code. It could, of course, insert back doors into binaries without the knowledge of the person compiling it. So you'd have to scrap anything written using it.

      Really, it isn't feasible. If you are so paranoid you think Intel is spying on you or helping others spy, you probably have to go hide in a cave because there is just nothing you can really do to eliminate all risk.

      At some point, you have to stop being a member of the AFDB brigade and just accept that ya, there's some risk in trusting, well, anyone but you have to and just leave it be. You also have to accept that you aren't protecting nuclear secrets, the kind of attacks against you are not the spy-agency level.

    • I can't trust any CPU. All CPUs have room for microcode patches. An instruction does not work right? Well, here is a boot-time microcode patch to fix that instruction or to add an instruction. That added instruction could circumvent security by blocking interrupts.

  • Then how can I trust Intel's code to detect rootkits?

    Same applies for Motorola and AMD.

  • Mistake (Score:5, Insightful)

    by sexconker ( 1179573 ) on Friday March 10, 2017 @08:29PM (#54016115)

    When will people admit that [U]EFI was a mistake?

    It's too much code at too low a level, and it's too easy to manipulate. I for one would rather pay a nominal fee to have a new ROM chip sent to me. Remember when you could just pop those babies in and out? Remember when we had jumpers to protect and reset BIOS, boot sectors, etc.?

    Yes, [U]EFI has good features and goes far beyond what BIOS can do, but so what? Outside of supporting hardware and booting to the point of OS handoff, the BIOS (either BIOS proper or [U]EFI) is supposed to be as minimal as possible. BIOS has been hacked to hell to support all sorts of shit like that at the behest of the various motherboard manufacturers. If we just had a newer BIOS developed by a central body that didn't try to completely reinvent the wheel as a helicopter, we'd be much better off.

    • by Anonymous Coward

      All I want is a jumper to nuke the write line. Is that too much to ask?

    • I've been saying it was a mistake all along! Nobody ever listens to me!

    • Re:Mistake (Score:5, Insightful)

      by Proudrooster ( 580120 ) on Friday March 10, 2017 @10:24PM (#54016471) Homepage

      Yes, UEFI is a poorly implemented, bad idea, and full of never ending critical vendor security flaws. When you can extract the code, change it, compile it, and put it back, that is scaarrry! I have personally extracted the code from the ACPI table in the UEFI, tweaked it, compiled it, and put it back. UEFI is a security hole like no other. It can access all the hardware, including memory and the network, without the host O/S having any idea.

      To quote Linus: EFI is this other Intel brain-damage (the first one being ACPI).

      Now root kits can hide after reboot and re-install. UEFI was supposed to make us secure, but all it accomplished was trying to lock out Linux from PC hardware.

      • by xvan ( 2935999 )
        And that's different from bios updates besides available space exactly how?
      • Re:Mistake (Score:5, Interesting)

        by SuricouRaven ( 1897204 ) on Saturday March 11, 2017 @04:21AM (#54017241)

        Don't blame Intel for the constant problems of ACPI. It was a good design, as initially envisioned.

        Blame Microsoft. The Windows ACPI support is really, really awful, but every non-server motherboard is designed and tested for Windows - Linux testing is an afterthought, if at all. Same for laptops. An ACPI implementation designed and tested for Windows is likely to go very wrong if confronted with an OS that actually does ACPI properly. A common problem is invalid values in those ACPI tables (probably why the above poster was fiddling with them) - Windows ignores a few values, and just assumes defaults, so some mainboards and laptops pass testing on Windows even though the wrong values or just all-zeros are written in. When Linux reads and tries to act on those tables, it usually hangs the system.

        My own desktop has an issue something like that, which I got around by just putting 'acpi=off' on the kernel options.

        • The only thing you didn't mention is that this is quite intentional on the part of Microsoft as they work closely with the vendors, and deviating from their published standards for market advantage was one of Gates' classic scumbag moves.
      • by AmiMoJo ( 196126 )

        Seems like you have never heard of Secure Boot. It's part of the UEFI spec that adds the security you are missing. With it enabled, screwing with parts of the firmware will break the chain of trust.

        People hated it because it can be used to lock a machine to booting only Windows, but most implementations allow you to install your own keys.

        UEFI reduces the attack surface compared to the old BIOS. That's one reason it boots faster - it does so much less.

        Obviously Libreboot would be even better, but UEFI is sti

        • Secure boot doesn't protect shit beyond making you unable to boot to unsigned shit. The firmware is still as buggy and exploitable as fuck. And now every fucking peripheral has firmware being talked to and running shit pre boot!

          Are you retarded? You think UEFI presents a SMALLER attack surface? And you think that's why it boots faster? Hint: It doesn't boot faster. It may warm boot Windows faster, but that's got nothing to do with UEFI vs. BIOS. BIOS can achieve the same thing because the "fast boot

          • by AmiMoJo ( 196126 )

            UEFI is much better than the BIOS for peripheral firmware. The BIOS runs x86 code directly. UEFI has a virtual machine running bytecode. At least you have a chance of securing that, with the BIOS you can't do anything.

      • Actually I don't find it scary by any stretch of the imagination. I DO find it scary that I live in a world where people read Slashdot and find this scary though.
    • Never. (Score:4, Insightful)

      by waspleg ( 316038 ) on Friday March 10, 2017 @11:38PM (#54016665) Journal

      This is part of the long slow march back to locked down shitty platforms and completely closed hardware. This is the phone/appliance-ification of your shit.

      People don't understand the freedoms they're losing. By the time they realize it it will be far too late (it pretty much already is at this point). Even the term "walled garden" doesn't make it sound as bad as it is.

      What really gets to me is it takes talented, highly educated people in niche fields to create this shit and they're selling out hardcore to some of the worst evils imaginable and giving no fucks (the overarching cultural imperative, at least in America, of "I got mine").

      It's a shame there aren't more RMS style zealots; maybe even some with billions of dollars to throw at preserving and perpetuating freedom.

    • by sjames ( 1099 )

      Hear! Hear!

      UEFI is a "solution" looking for a problem. It truly has nothing to offer. We don't need a badly implemented mini-OS to load the real OS.

      What we really needed was a simple 64-bit clean minimalist firmware to put the system into a known good standard condition, then load a stub and jump to it.

      • You should actually learn quite a bit about the history of PCs and computer architecture in general, as well as UEFI itself, then get back to us.
        • by sjames ( 1099 )

          Actually, I know a great deal about it including being one of the first to use boot code tracing on a PC and work on the CoreBoot project (back when it was still LinuxBIOS). My first hack on BIOS itself was to convince an XT clone to accept a V20 CPU.

          The biggest problems with BIOS were its attempt to be an Input Output System as well as a startup firmware and severe limitations on its ability to handle large drives.

          The rest is a solution looking for a problem.

          Now, would you like to make a substantial clai

          • Why would I bother? According to your claim you already know why BIOS is a thing of the past and why that is a good thing. You said you are an expert, right?
            • by sjames ( 1099 )

              In other words, you haven't a clue?

              I agree a BIOS replacement was needed. EFI wasn't it. I have a worn out sock that needs replacing too, but you won't see me hopping down the street with my toes stuck in a bowling ball.

              If you think EFI was the right answer, defend your position.

              • You are saying 'right' and implying perfect. I never said UEFI is perfect. I said we have it for a reason, and since you didn't come up with a better one ... "expert" though you are ... this is what we have and it is fine.
                • by sjames ( 1099 )

                  You need to read the thread again starting from the top. Either you are posting to the wrong thread or you're having a far more in-depth discussion in your own head than is implied by the actual posts here.

                  All you have said here is that you believe *I* should review the history of BIOS and that you will not defend your position (whatever it may be). Your post above was the first time in this thread you even claimed we have EFI for a reason (but you haven't stated one to me yet).

    • When will people admit that [U]EFI was a mistake?

      (from below) but all it accomplished was trying to lock out Linux from PC hardware.

      Microsoft: SUCCESS! What?? A misteak? ... You clearly don't work here. Begone, open-source heathen!

  • by Snotnose ( 212196 ) on Friday March 10, 2017 @08:36PM (#54016135)
    Link leads to github, which I've never used. Reading the manual I need to install Python using pip. Never heard of pip. Google says it's a Python package manager. Whee.

    Then I have to compile some C programs. OK.

    Then I have to shut down my system using funny flags I've never seen before. Before doing this I hope I've printed out a few pages of the manual, because the next few steps are what to do when the system won't boot.

    Then I can run it.

    OK, I'm technically competent. I'm kinda surprised I've had this laptop for 2 years and have yet to install Python. Oh well, not a problem. I've also got a C development system, that's easy enough. And I'm smart enough to print out the 2-3 pages of important info before shutting down my system in a funky way.

    So yeah, I can install and run this. But how about grandma? She has no chance. Besides the fact she's been dead for 10 years or so, she would never be able to figure this stuff out.

    What we need is a .msi file we can install that, when run, says yay or nay that the CIA/NSA/KGB/Chinese/whomever has infected your firmware.
    • Pretty sure one is posted at www.cia.gov/rootkit/EFI.msi

    • by Anonymous Coward

      In addition, you have to trust the tool to detect any newer rootkits that did not get disclosed by the Intel/CIA leak.
      Not sure I trust Intel any more than the CIA.

    • Yeah, msi file yep, for our windows 10. So we can download it, install it, go to our start menu, scroll past the PowerJelq(tm) ad that popped up in our pinned list since the last windows update, and check if anyone's been dicking with our system without our consent.

    • by AHuxley ( 892839 )
      We need a nice GUI version for Mac and Linux users.
      • No need for a Windows GUI I guess because you can just assume there is a rootkit up your EFI.

        • by AHuxley ( 892839 )
          Most Windows 10 users got their OS for games, GPU support and DirectX 12.
          Interesting to the CIA and NSA as a way in to record interesting people in that home.
          The need for a Linux and Mac GUI is the ability to test and see results as they might get a change in their computer via the Automated Implant Branch (AIB).
          That could automate gov malware being pushed down into Linux or Mac OS to avoid any software firewall or other unexpected security settings.
    • What we need is a .msi file...

      No you don't. And here you go!

      @echo off
      echo The CIA/NSA/KGB/Chinese/whomever has indeed infected your firmware. You're welcome.

    • Reading the manual I need to install Python using pip. Never heard of pip. Google says it's a Python package manager. Whee.

      Subtlety seldom works here. I have to install Python to get a thingie I need to install Python. If this isn't a Whiskey Tango Foxtrot moment I don't know what is.

      The whole set of instructions for installing/running this tool are dead on arrival for 99% of /. readers, let alone the general population.

      • Us other 1% though. This is comedy gold for us. We were smart enough to either accept our 3-lettered overlords of the internet or cripple the UEFI itself. Also if you're that concerned build a firewall with old verifiable non-backdoored hardware (looking at the 1990 IBM server in my closet) and monitor your traffic in and out. Block everything that isn't absolutely needed. 65535 ports is overkill anyways. Nobody needs that many O.o

      • by Vairon ( 17314 )

        If they had only provided an MSI installer containing this program would you have really trusted it and run it? At least by releasing the source code, we can look at it and verify what we are running before we do so.

    • Well if they use a .msi how will the Linux and OSX users run it? Oh, you run Windows so that's the only OS that exists... got you!

    • Your post shows a complete lack of understanding of the situation. You cannot run an MSI file because that requires you have booted Windows already, at which point all bets are off as any malware you may be infected with is already running.
  • What does it mean (Score:3, Interesting)

    by Anonymous Coward on Friday March 10, 2017 @08:37PM (#54016137)

    when Intel builds a separate computing environment into their processors and chipsets, designed to operate out of control or view of the user, and then offers this EFI rootkit detection tool? Can you trust Intel?


    • by AmiMoJo ( 196126 )

      It's open source and relatively small, so sneaking stuff into it will be hard. But what do you have to lose by running it anyway? At worst it ignores the NSA rootkit, but you are no worse off than before.

  • You insensitive clods!

  • Yeah right (Score:5, Interesting)

    by Anonymous Coward on Friday March 10, 2017 @08:58PM (#54016209)

    Intel already has a backdoor called "Intel Management Engine Interface" that can't be disabled, even if you disable Windows drivers or run Linux, it's built into the BIOS that cannot be disabled.

    The UEFI/EFI itself is another layer of bullshit that makes it such a hassle to dual-boot or run non-windows OS. Try installing Linux Mint on an HP laptop and even the latest version requires you to log into the UEFI partition and rename/move the image file just so you can get grub to show up during boot (without hitting hot keys).

    How do I know that Intel's utility's not going to replace it with the Microsoft version in the name of "security"?

    How do I know your replacement image, if that's how it works - is not going to be Intel's compromised BS that allows even more access than the fucking Intel Management engine?

  • by Anonymous Coward

    My understanding (perhaps somewhat dated) is there is modifiable code inside Intel CPUs as well. Does the CIA/NSA/whoever have the capability of silently changing that microcode so as to make their task easier (perhaps as simple/complex as detecting when certain encryption code is running, and changing the results to be cryptographically weaker)? Or is this old stuff that no longer applies?

    • Yeah, Intel has "secure boot" firmware in their CPUs that provide something called UEFI. They don't release the source code. If compromised it's even worse than a root kit. Do I need to mention the NSA/CIA/KGB/Chinese/Random hacker group has a 50/50 chance of already hacking it?
  • What about UEFI's "secure boot"? Wasn't it designed to prevent this kind of boot exploit, while incidentally making it a pain in the backside to run non-Microsoft OSes? So, was the executable image of the CIA exploit signed? By whose key?
  • It is really another tool developed by Intel for the CIA to make hacking even easier!

    All this hype is to just get you to install it!

