For many years, there has been a common misconception that Apple MacBooks and iMac PCs are more secure than Microsoft Windows laptops and desktops. However, that misconception is set to be shattered by security researchers Xeno Kovah and Trammell Hudson, who have developed the Thunderstrike 2 Firmware Mac worm.
Trammell Hudson is a security engineer at investment management firm ‘Two Sigma Investments’, and Xeno Kovah is the co-founder of LegbaCore, a security training firm. Earlier this year the researchers demonstrated how they could infect a Mac’s firmware with malware simply by connecting malicious devices to it over Apple’s high-speed data transfer interface, Thunderbolt. The attack was dubbed ‘Thunderstrike’.
On Thursday this week, the security researchers will unleash the Thunderstrike 2 Firmware Mac worm, which can spread to other machines through removable devices. Their attack uses various vulnerabilities in Apple’s firmware. The tech giant patched some of the vulnerabilities in June, while others remain.
Malware hidden within firmware is especially dangerous because security products do not check the integrity of firmware, which means users will not be able to detect it using any antivirus program.
According to a video posted by the researchers on YouTube, the Thunderstrike 2 Firmware Mac worm uses a local root privilege exploit that loads a kernel module and gives access to raw memory. The malware is capable of writing itself to the Option ROMs of removable Thunderbolt peripherals.
According to a preview video:
“Once installed in the boot flash, it is very difficult to remove since it controls the system from the very first instruction executed upon booting. This includes the keys for updating the firmware.”
Reinstalling the OS will not get rid of the malware, and even replacing the hard drive won’t help. The Thunderstrike 2 Firmware Mac worm could be used to attack computers that have been isolated for security reasons.
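Because the worm is described as writing itself to peripheral Option ROMs, and antivirus does not check firmware integrity, a defender can compare a peripheral's ROM dump against a known-good baseline. The following is an added example, not code from the researchers or from Apple: it walks the standard PCI expansion ROM image chain and hashes each image. It assumes the dump was read on a trusted system; the vendor/device IDs and payloads are constructed sample data.

```python
import hashlib
import struct

CODE_TYPES = {0x00: "x86 BIOS", 0x01: "Open Firmware", 0x03: "EFI"}

def parse_option_rom(dump: bytes) -> list:
    """Walk the chained images in a PCI expansion ROM dump and hash each one."""
    images, off = [], 0
    while off + 0x1A <= len(dump):
        if dump[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"missing 0x55AA signature at {off:#x}")
        # Offset 0x18 of the ROM header points to the "PCIR" data structure.
        pcir = off + struct.unpack_from("<H", dump, off + 0x18)[0]
        if dump[pcir:pcir + 4] != b"PCIR" or pcir + 0x18 > len(dump):
            raise ValueError(f"bad PCIR structure for image at {off:#x}")
        vendor, device = struct.unpack_from("<HH", dump, pcir + 4)
        size = struct.unpack_from("<H", dump, pcir + 0x10)[0] * 512
        code_type, indicator = struct.unpack_from("<BB", dump, pcir + 0x14)
        if size == 0 or off + size > len(dump):
            raise ValueError(f"image length out of range at {off:#x}")
        images.append({
            "offset": off, "vendor": vendor, "device": device,
            "type": CODE_TYPES.get(code_type, f"unknown({code_type:#x})"),
            "sha256": hashlib.sha256(dump[off:off + size]).hexdigest(),
        })
        if indicator & 0x80:  # bit 7 set: last image in the ROM
            break
        off += size
    return images

def unexpected_images(dump: bytes, baseline: set) -> list:
    """Images whose hash is absent from the known-good baseline."""
    return [i for i in parse_option_rom(dump) if i["sha256"] not in baseline]

def make_image(code_type: int, payload: bytes, last: bool) -> bytes:
    """Build a constructed 512-byte image (IDs 0x1234/0x5678 are made up)."""
    pcir = struct.pack("<4sHHHHB3sHHBBH", b"PCIR", 0x1234, 0x5678, 0, 24, 0,
                       b"\x00" * 3, 1, 0, code_type, 0x80 if last else 0, 0)
    header = b"\x55\xaa" + b"\x00" * 0x16 + struct.pack("<H", 0x1C) + b"\x00\x00"
    return (header + pcir + payload).ljust(512, b"\xff")

# Constructed sample data: a two-image ROM and a copy with altered EFI code.
GOOD = make_image(0x00, b"legacy", False) + make_image(0x03, b"efi driver", True)
ALTERED = make_image(0x00, b"legacy", False) + make_image(0x03, b"efi dr1ver", True)
BASELINE = {i["sha256"] for i in parse_option_rom(GOOD)}

if __name__ == "__main__":
    for img in unexpected_images(ALTERED, BASELINE):
        print(f"changed {img['type']} image at {img['offset']:#x}: {img['sha256']}")
```

The baseline has to be captured from a device known to be clean, and the comparison run on a machine whose own firmware is trusted.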