The First Firmware Worm For Mac Is Here, Windows Fanboys Rejoice

For the last few weeks I've been giving Windows a hard time. I tried to install Windows 10 on 2 of my laptops and it didn't go so well. Mac users have enjoyed laughing at my expense and Windows users have enjoyed fighting back in the comments. Well, score one more for team Windows: the world's first Mac firmware worm is here.

A worm is considered to be a sub-class of virus. Worms spread from computer to computer but, unlike a standard virus, they can travel without any human action.

As you can see in the video above, this particular worm has the ability to actually change the code built into the laptop's motherboard. This means that swapping the hard drive will not remove it. Obviously Apple will patch this hole in the very near future, but it's another reminder that Apple computers are not virus free.

 


Lee Morris is a professional photographer based in Charleston SC, and is the co-owner of Fstoppers.com

20 Comments

But why was it created? Are they just looking to cause damage or are they after personal information and such?

Are desktop macs safe?

It was a research project done at a Black Hat conference... they do this stuff all the time... and as for Mac desktops, not sure... if you don't use a Thunderbolt adapter (which would not be required with an iMac, Mac Mini or Mac Pro) then you *could* be safe... if you do use one of these adapters, then you *could* be unsafe... Joys of computers...

Before you cause unnecessary panic:
"limited to a proof-of-concept with no reported attacks, leading security experts say this new threat is also very low-risk."

Read more: http://www.macnn.com/#ixzz3hmjP9q7l

Agreed. This is simply proof this can be done.

Lee: can we please stop the fanboy crap? If I wanna read tech articles, I'll go to Ars, Wired, etc. If I wanna read fanboy stuff.. wait.. why would I want to read about fanboy stuff?

If this is merely clickbait for the site.. then ignore above and do what you gotta do :)

I'm going to guess that firmware worms may exist for Windows as well, but this does prove (contrary to what I have seen many say) that Macs are impervious to this kind of stuff.

That being said, on my Windows workstation that I just built, the motherboard (MSI X99A Mpower) contains two identical BIOSes so that if one gets toasted you can flip a switch on the board to go to the other. Never had to use it but nice to know that it is there for quick recovery.

Beyond that, you can also fix the BIOS via a USB drive, but not sure if Macs support that.

Check if your BIOS has driver signing. Most PC BIOSes will have this option (and have done for several years) and also have a BIOS password, both of which can mitigate this attack to a degree. I know on my x99 rig I have a driver signing option.

Could not resist!!

Anyone who argues that a Mac is immune to viruses, worms, or trojans indicates that they really don't know a lot about computers and programming. Of course Macs can be attacked, it's simply a lot less common. I think this is partly because the BSD underpinnings are a little harder to defeat, but in the end it's really just a numbers game: if you're looking to maximize your scope, then it makes more sense to target Windows systems. Both platforms have their pluses and minuses, use the one that works best for you.

Thing is that's a fallacy, it may have some BSD core code but most of OS X isn't. Also remember much of OS X was not written with security first principles, hence why these massive security holes appear. Apple was told by Intel years ago about the potential risk of having DMA to peripherals and this is why most manufacturers and MS didn't start to include this in Windows PCs. It can be mitigated but it requires jumping through a lot of hoops.

Apple hasn't seen that as much of a threat because of the need to compromise external hardware and have physical access to the computer to attack or, alternately, you need to convince the user to execute the attack with elevated privileges for you. I think that's shortsighted and I agree that Apple hasn't been especially security conscious either, but they're hardly unique in this respect, both platforms have had massive security holes.

Actually there have been three documented cases in the last 2 years on the Black Hat boards that show you didn't need access that I know of.

So it's a bit of a red herring to say you needed hardware or physical access, and if they have physical access to your machine malware is the least of your worries. The only reason Apple has had such an easy ride is that a) Windows/Adobe was seen as an easy target. Windows 8 onwards has made the bar so high that it's now unprofitable for them to do so. Hence moving to other systems like Linux and OSX which often share similar under-pinnings. b) Apple market share and lack of InfoSec makes it a nice easy target.

Most security issues in Windows are in legacy code, hence why from Vista MS has implemented security layers to reduce vectors, and you can install a free utility that will pretty much stop all exploits: EMET. Downside of EMET is it's not that easy to understand or deploy and it causes issues with badly written programs.

You can see the drop-off of vulnerabilities from Vista onwards to current Win 8.1, and I posted about this a few weeks back. However, during the same period you have seen vulnerabilities in iOS and OSX increase.

I did note an alternative to physical access. It is interesting, though, that Windows may be getting more secure, beats out Apple and Linux, but Internet Explorer is way out in front of anything for high risk vulnerabilities. You still have to consider the whole package, but Apple is most definitely more in need of a wakeup call on this front.

Actually if you install EMET then IE 11 becomes the most secure browser.

In the Pwn2Own contest it was the only system left standing, standard IE on Win 8.1 failed but when you applied EMET it pretty much stops all exploits. It's not infallible but it's something to bear in mind.

Also MS Edge is the new generation of browser and will replace IE, time will tell if it's more secure but it's removed a lot of the legacy code that made IE vulnerable.

Doesn't this require root access first?

The article that I read discussed that the exploit can be done remotely, now. So I'm not sure what would be required first, etc... But it went on to say that a malicious email would be all that is necessary, etc. (although, I'm assuming that, combined with a click on the email and/or approval of a warning of some kind...but who knows?).

Not if it's chained, and there are plenty of scenarios of how to do this without root since the initial UEFI exploit hit the wild.

You don't even have to have a booby-trapped e-mail, most attacks are starting to come from malvertising which uses exploit detection kits often based off Metasploit.

To add to Apple's headaches, because they've ignored the Zero Day in their server it's now being actively exploited. Whilst in this instance it requires a user click, it's not beyond the imagination of getting them to click something to run it or chain it with another zero day:

http://arstechnica.co.uk/security/2015/08/0-day-bug-in-fully-patched-os-...

Ahh, firmware hack through the Thunderbolt, so I guess the next step is to create an app for iPhone.
Let the users plug in their phones and implement timed attacks.