Exposure of a New Worm Virus Infected with Mac on an invisible Mac Platform

Exposure of a New Worm Virus Infected with Mac on an invisible Mac Platform

If you think that Apple Mac is safer than Windows, think twice. The researchers have proved that this is not true.

Mac is no longer "virus-free"

The two researchers developed the first Mac-infected firmware worm and can automatically spread between MACOs without going online.

Known as "Thunderstrike 2", the virus is a variant of the "Thunderstrike" virus at the beginning of the year (FreeBuf has reported in detail ). It can infect Mac at the firmware level and is hard to eradicate. After the firmware is infected, it cannot be repaired or upgraded, which means that people are almost helpless.

The vulnerability author is still the founder and security expert Trammell Hudso of LegbaCore. He is also the creator of Xeno Kovah, another BIOS malware. Thunderstrike demonstrates the ability of worms to communicate physically through peripherals (the Thunderbolt Interface) and exploit Apple's EFI security vulnerabilities to spread maliciously, while Thunderstrike 2 can spread through malicious websites or emails.

Thunderstrike 2 Remote Propagation

Although the prototype Thunderstrike requires the attacker to physically access the user's Mac computer for destruction, the new attack can be spread remotely.

Thunderstrike 2 is spread through an external device (Ethernet Adapter, external SSD, RAID Controller, etc.) connected to the Thunderbolt (lightning) interface of the Mac machine.

Once the malware is infected, Mac will be infected on the ROM-level firmware. Then the malware can be automatically transferred to any Mac that inserts the attachment.

Video demonstration

The researchers showed their attacks in the video.

Infected Mac is invisible

The malicious worm Thunderstrike 2 attack and the station are both in the firmware, so it can escape the overall restart of the system, which is also a real pain point for Mac users.

Kovah told Wired,

"Thunderstrike 2 is hard to find and clear, and it is difficult to prevent running things in the firmware. For most users, this is a question of 'throwing your Mac loan. Many users and organizations do not have the ability to open their machines and then reprogram the chips electronically ."

Many firmware vulnerabilities used by researchers to develop Thunderstrike 2 also apply to EFI firmware. These six vulnerabilities affect computers such as Dell, HP, Lenovo, and Samsung. After Apple completely fixes a vulnerability, five other vulnerabilities have an impact on Mac firmware.

This week, the two researchers will present the results at the black hats and DEF Con Security Conference in Las Vegas, which is worth looking forward.

Apple responds

According to the guardian's latest report, Apple has promised to fix this vulnerability in Mac as soon as possible.

With the increasing exposure of Thunderstrike 2, Apple has noticed this vulnerability and promises to fix it as soon as possible. At the same time, Apple has taken temporary measures to prevent the vulnerability from being exploited, including abolishing the developer certificate that uses the vulnerability and any application that uses the malware for upgrade.