Google's free Internet security service, VirusTotal, which scans the image files of running processes, trigger scans of remote URL content before saving it to disk, and more, has now received a new feature where it can tell if the firmware is infected.
According to Francisco Santos of VirusTotal, antivirus software usually doesn't scan the BIOS of a computer, which means this layer remains unseen and a breach can fly under the radar. In a blog post, the company also gave few examples where attackers have taken advantage of firmware malware including NSA which has been alleged by Snowden's leaks to infect BIOS firmware and Lenovo's service engine among others.
"To all effects BIOS is a firmware which loads into memory at the beginning of the boot process, its code is on a flash memory chip soldered onto the mainboard. Since the BIOS boots a computer and helps load the operating system, by infecting it attackers can deploy malware that survives reboots, system wiping and reinstallations, and since antiviruses are not scanning this layer, the compromise can fly under the radar," writes Santos.
With the new tools, VirusTotal can characterise firmware images as legitimate or malicious. Some of the basic tasks that the new tool will perform include Apple Mac BIOS detection and reporting; strings-based brand heuristic detection, to identify target systems; extraction of certificates both from the firmware image and from executable files contained in it; PCI class code enumeration, allowing device class identification; ACPI tables tags extraction; NVAR variable names enumeration; option ROM extraction, entry point decompilation and PCI feature listing; extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image, and SMBIOS characteristics reporting.
The company also suggests users to remove private information before performing BIOS dumps and uploading to VirusTotal. The company says that private information could be saved by certain vendors such as Wi-Fi passwords in BIOS variables in order to remember certain settings across system reinstalls.
"If you are on a Mac, DarwinDumper will allow you to easily strip sensitive information by checking the "Make dumps private" option," notes the company. To recall, Google acquired the free Internet security service VirusTotal back in 2012.