Thunderstrike 2 worm can infect your Mac without detection


Apple has touted the Mac’s resistance to viruses for decades as a selling point over Windows PCs, but a team of researchers has created a new firmware worm for Mac that might just make you want to go back to doing work on good old pencil and paper.

Two white-hat hackers discovered that several vulnerabilities affecting PC makers can also bypass Apple’s renowned security to wreak havoc on Mac firmware. The two created a proof-of-concept of the worm called Thunderstrike 2 that allows firmware attacks to be spread automatically from Mac to Mac. Devices don’t even need to be networked for the worm to spread, and once it’s infected your machine the only way to remove it is to open up your Mac and manually reflash the chip.


Thunderstrike 2 can remain hidden because it doesn’t even touch your Mac’s operating system or file system. Because it lives only in the firmware, scanners can’t detect it, so you’ll never know your Mac’s infected (until something goes terribly wrong).

To deliver the Thunderstrike 2 worm, an attacker could send it through a phishing email or plug an infected peripheral into your USB port or Ethernet adapter. Once a machine is booted with a worm-infected device inserted, the machine loads the option ROM from the device, which triggers the process for the worm to write its malicious code to the boot flash firmware.

Xeno Kovah and Trammell Hudson, the two researchers who discovered the flaw and created the Thunderstrike 2 worm, plan to discuss their findings August 6 at the Black Hat security conference in Las Vegas.

Apple hasn’t released a statement on the worm yet, but the company acknowledged Thunderstrike six months ago and released a fix to the vulnerabilities. Hopefully there’s a new patch on the way for Thunderstrike 2 before some not-so-nice hackers start using it.

Source: Wired