Intel’s CHIPSEC can detect CIA’s OS X rootkit

As details about the CIA’s hacking capabilities and tools surface bit by bit, companies are trying to offer users some peace of mind.


In the wake of WikiLeaks’ release of the CIA document dump, Apple has stated that many of the revealed iOS exploits have already been patched, and the company is constantly working to address any new vulnerabilities.

“Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system,” they noted. “We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

But it was Intel Security that offered a tool that can identify an EFI (Extensible Firmware Interface) rootkit that is meant to function as a covert implant on machines running Apple’s OS X.

What is EFI/UEFI?

Originally developed by Intel to replace the BIOS (Basic Input/Output System) firmware interface, EFI (Extensible Firmware Interface) has been deprecated in favor of the Unified Extensible Firmware Interface (UEFI).

UEFI is a specification that defines a software interface between an operating system and platform firmware.

The newly revealed rootkit, and the tool to detect it

The rootkit is named DarkMatter, and is part of the DerStarke bundle for targeting OS X machines.

“[DarkMatter] appears to include multiple EFI executable components that it injects into the EFI firmware on a target system at different stages of infection,” Intel Security’s Christiaan Beek and Raj Samani explained.

“If one has generated a whitelist of known good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system with EFI firmware infected by the DarkMatter persistent implant would likely result in a detection of these extra binaries added to the firmware by the rootkit.”

The known-good firmware image from which that whitelist is generated can be obtained from the manufacturer (Apple).

The module they mention is part of Intel’s CHIPSEC open source framework for assessing the security of a variety of personal computer platforms (hardware, system firmware, and platform components). CHIPSEC can be run on Windows, Linux, Mac OS X and UEFI shell, and includes a security test suite, tools for accessing various low level interfaces, and forensic capabilities.
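The whitelist approach Beek and Samani describe is simple in principle: enumerate the EFI executables inside a trusted firmware image, record their hashes, then carve the same executables out of a suspect image and report anything that was not on the list. The script below is an added example written for this article, not CHIPSEC’s own code, and it does not reproduce CHIPSEC’s JSON format or its firmware-volume parser. It stands in for both with a deliberately small carver that finds PE/COFF images (the format EFI drivers and applications use) by their `MZ`/`PE\0\0` headers and reads `SizeOfImage` to know how much to hash. The firmware blobs are constructed in the script so it runs offline; a real run would feed it an SPI flash dump or an Apple firmware image instead.

```python
import hashlib
import struct

PAD = b"\xff" * 64          # erased-flash filler between modules (constructed)
OPT_HDR_SIZE = 240          # PE32+ optional header size from the PE/COFF spec


def build_pe(body: bytes) -> bytes:
    """Constructed sample: a minimal PE32+ image (not runnable code), just
    enough header for the carver to find it and read SizeOfImage."""
    e_lfanew = 0x40
    mz = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", mz, 0x3C, e_lfanew)            # e_lfanew -> PE signature
    total = e_lfanew + 4 + 20 + OPT_HDR_SIZE + len(body)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, OPT_HDR_SIZE, 0x2022)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 56, total)                # SizeOfImage
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt) + body


def carve_pe_images(blob: bytes):
    """Return [(offset, image_bytes)] for every MZ/PE image in a raw dump.
    Hypothetical stand-in for a firmware-volume parser: it validates the
    e_lfanew pointer and PE signature and bounds the image by SizeOfImage."""
    found, pos = [], 0
    while True:
        pos = blob.find(b"MZ", pos)
        if pos < 0 or pos + 0x40 > len(blob):
            break
        e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
        pe = pos + e_lfanew
        if (0x40 <= e_lfanew < 0x1000 and pe + 24 + 60 <= len(blob)
                and blob[pe:pe + 4] == b"PE\0\0"):
            size_of_image = struct.unpack_from("<I", blob, pe + 24 + 56)[0]
            if 0 < size_of_image <= len(blob) - pos:
                found.append((pos, bytes(blob[pos:pos + size_of_image])))
                pos += size_of_image
                continue
        pos += 2                                          # not a valid image; keep scanning
    return found


def generate_whitelist(firmware: bytes) -> dict:
    """Map sha256 -> {offset, size} for each EFI executable in a known-good image.
    The dictionary layout is this example's own, not CHIPSEC's JSON format."""
    return {hashlib.sha256(img).hexdigest(): {"offset": off, "size": len(img)}
            for off, img in carve_pe_images(firmware)}


def check_against_whitelist(firmware: bytes, whitelist: dict) -> dict:
    """Report executables in the suspect image that are not on the whitelist
    (injected or patched binaries) and whitelisted ones that are gone."""
    seen = {hashlib.sha256(img).hexdigest(): off
            for off, img in carve_pe_images(firmware)}
    return {
        "unexpected": sorted(h for h in seen if h not in whitelist),
        "missing": sorted(h for h in whitelist if h not in seen),
    }


# Constructed firmware images: a clean one, one with an extra injected driver,
# and one where an existing driver has been modified in place.
CLEAN_FIRMWARE = (PAD + build_pe(b"DxeCore: dispatcher body") + PAD
                  + build_pe(b"BdsDxe: boot manager body") + PAD)
INFECTED_FIRMWARE = CLEAN_FIRMWARE + build_pe(b"injected implant body (constructed)") + PAD
TAMPERED_FIRMWARE = CLEAN_FIRMWARE.replace(
    build_pe(b"BdsDxe: boot manager body"),
    build_pe(b"BdsDxe: boot manager body, patched"))


if __name__ == "__main__":
    whitelist = generate_whitelist(CLEAN_FIRMWARE)
    print("whitelisted executables:", len(whitelist))
    for label, image in (("clean", CLEAN_FIRMWARE), ("infected", INFECTED_FIRMWARE),
                         ("tampered", TAMPERED_FIRMWARE)):
        result = check_against_whitelist(image, whitelist)
        print(f"{label:9s} unexpected={len(result['unexpected'])} "
              f"missing={len(result['missing'])}")
```

Two points carry over to the real tool. First, the check is only as good as the reference image: a whitelist generated from an already-infected dump would whitelist the implant, which is why the clean image should come from the manufacturer or a machine known not to have been exposed. Second, a patched driver shows up as one unexpected hash plus one missing hash rather than as an addition, so both lists are worth reading. CHIPSEC’s module takes `-a generate,<json>,<fw_image>` to build the list and `-a check,<json>,<fw_image>` to compare a dump against it; confirm the exact arguments against the usage text of the version you run.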