Until now, Google's VirusTotal merely scanned URLs and suspicious files (up to 128MB) uploaded to the site, including Windows executables, Android APKs, PDFs, images and more. Now, PC World points to a new tool added to the VirusTotal service that scans firmware images for known malicious code.
Firmware sits at the root of a device: it is stored on a flash memory chip and is loaded and executed when the device boots, before the operating system. It is the layer that mediates between the hardware and the operating system, and it typically isn't scanned by antivirus software. That has made it a target for the likes of the National Security Agency and other attackers, because malware embedded in firmware survives reboots, disk wipes and operating-system reinstalls.
With the new tool in place, analysts and researchers can search for low-level infections in firmware and label a firmware image as either legitimate or suspicious. The tool also extracts certificates, executable files packed inside the firmware image, and UEFI portable executables (PEs); the latter could be the source of malicious behavior.
"These executables are extracted and submitted individually to VirusTotal, such that the user can eventually see a report for each one of them and perhaps get a notion of whether there is something fishy in their BIOS image," says IT security engineer Francisco Santos. He added that the tool also highlights which PEs are built for Windows rather than for the firmware environment, which in a firmware image could be a sign of foul play.
For those interested in scanning firmware, Santos suggests that users first remove private information, such as Wi-Fi passwords and other secrets held in BIOS/UEFI variables (NVRAM), where they persist across operating-system reinstalls. For those on a Mac, Santos recommends dumping the firmware with DarwinDumper and checking its "Make dumps private" option.
Here's a list of the basic tasks the new tool can perform:
- Strings-based brand heuristic detection, to identify target systems
- Extraction of certificates both from the firmware image and from executable files contained in it
- PCI class code enumeration, allowing device class identification
- ACPI table tag extraction
- NVAR variable name enumeration
- Option ROM extraction, entry point decompilation and PCI feature listing
- Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image
- SMBIOS characteristics reporting
- Apple Mac BIOS detection and reporting
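To make the PE-related items above concrete (extraction of BIOS PEs, flagging of Windows executables, and the presence of a certificate table in an embedded executable, plus the string-based brand heuristic), here is an added example of a minimal firmware triage script. It is not VirusTotal's code and does not reproduce their tool; it carves PE headers out of a raw flash image by locating `MZ` stubs, validates the `PE\0\0` signature, reads the Subsystem field to tell UEFI images (subsystems 10 to 13) from Windows ones (1, 2, 3, 16), and checks data directory 4 for an Authenticode certificate table. The vendor string list and the sample image are constructed for the demo; the PE headers it builds are header-only and have no sections.

```python
import struct

# Subsystem values from the PE/COFF specification
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
                  12: "EFI runtime driver", 13: "EFI ROM"}
WINDOWS_SUBSYSTEMS = {1: "native", 2: "Windows GUI", 3: "Windows CUI",
                      16: "Windows boot application"}
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C2: "ARM Thumb", 0xAA64: "ARM64"}
# Vendor strings for the brand heuristic (constructed list, not VirusTotal's)
BRAND_STRINGS = [b"American Megatrends", b"Phoenix Technologies", b"Insyde",
                 b"Apple Inc.", b"Award Software"]


def parse_pe_at(image, off):
    """Validate a candidate PE header at `off`; return its key fields or None."""
    if off + 0x40 > len(image) or image[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(image) or image[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24
    if opt_size < 70 or opt + opt_size > len(image):
        return None
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):            # PE32 / PE32+
        return None
    subsystem = struct.unpack_from("<H", image, opt + 68)[0]   # same offset in both formats
    # Data directories start 96 (PE32) or 112 (PE32+) bytes into the optional header;
    # entry 4 is the Attribute Certificate table (Authenticode), stored as a file offset
    dd_off = 96 if magic == 0x10B else 112
    cert_off = cert_size = 0
    if opt_size >= dd_off + 5 * 8:
        n_dirs = struct.unpack_from("<I", image, opt + dd_off - 4)[0]
        if n_dirs > 4:
            cert_off, cert_size = struct.unpack_from("<II", image, opt + dd_off + 4 * 8)
    if subsystem in EFI_SUBSYSTEMS:
        target = "UEFI"
    elif subsystem in WINDOWS_SUBSYSTEMS:
        target = "Windows"
    else:
        target = "other"
    return {
        "offset": off,
        "format": "PE32+" if magic == 0x20B else "PE32",
        "machine": MACHINES.get(machine, hex(machine)),
        "subsystem": subsystem,
        "target": target,
        "has_authenticode_table": cert_size > 0,
        "cert_table": (cert_off, cert_size),
        # A Windows executable has no business inside a BIOS/UEFI image
        "suspicious": target == "Windows",
    }


def scan_firmware(image):
    """Carve every valid PE header from a raw firmware image."""
    found = []
    pos = image.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(image, pos)
        if info:
            found.append(info)
        pos = image.find(b"MZ", pos + 1)
    return found


def detect_brand(image):
    """String-based brand heuristic: which vendor markers appear in the image."""
    return [s.decode() for s in BRAND_STRINGS if s in image]


def build_pe(magic, machine, subsystem, cert=(0, 0)):
    """Constructed header-only PE (no sections) used to build the demo image."""
    is_plus = magic == 0x20B
    dd_off = 112 if is_plus else 96
    opt = bytearray(dd_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, dd_off - 4, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + 4 * 8, *cert)   # certificate table entry
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample flash image: filler, a vendor string, one legitimate-looking
# UEFI application, and one Windows console EXE carrying an Authenticode table.
SAMPLE_IMAGE = (
    b"\xff" * 64
    + b"American Megatrends Inc.\x00" + b"\xff" * 32
    + build_pe(0x20B, 0x8664, 10)
    + b"\xff" * 32
    + build_pe(0x10B, 0x14C, 3, cert=(0x200, 0x100))
    + b"\xff" * 64
)

if __name__ == "__main__":
    print("brand:", detect_brand(SAMPLE_IMAGE))
    for pe in scan_firmware(SAMPLE_IMAGE):
        print(pe)
```

Run it against a real dump (for example a `flashrom -r` image) by replacing `SAMPLE_IMAGE` with the file's bytes; each carved header's `offset` tells you where to slice the executable out for separate submission, and any entry with `target == "Windows"` is the kind of out-of-place PE the article's tool flags. Note that this carves only from the raw image: PEs inside compressed UEFI firmware volumes are not visible until the volume is decompressed.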
For more information about VirusTotal, Google has a lengthy FAQ that answers common questions. VirusTotal is a subsidiary of Google and is a free online service.
From maximumpc
