Latest in Gear

Image credit:

Google's VirusTotal can tell if your firmware is infected

VirusTotal peers into a hidden layer of your computer.

Shares
Share
Tweet
Share
Save

BIOS firmware is the root of your electronic devices, dictating communication between a computer's hardware and operating system from the boot-up process. It's an insulated layer in most devices, and organizations including the National Security Agency have focused on infecting firmware because it's not covered in standard virus-detection scans. Google's latest VirusTotal tool changes that -- in a blog post, VirusTotal security engineer Francisco Santos outlines the dangers of firmware malware and how the company can now pinpoint that bad code.

"Since the BIOS boots a computer and helps load the operating system, by infecting it attackers can deploy malware that survives reboots, system wiping and reinstallations, and since antiviruses are not scanning this layer, the compromise can fly under the radar," Santos writes. "As of today VirusTotal is characterizing in detail firmware images, legit or malicious."

Researchers can upload malware to VirusTotal to see which antivirus products detect malicious code. On top of labeling firmware images, the new tool can extract certificates from the firmware and its executable files, and it can extract portable executables inside the image. PEs are a high-profile source of malicious software, Santos says.

"What's probably most interesting is the extraction of the UEFI Portable Executables that make up the image, since it is precisely executable code that could potentially be a source of badness," Santos writes. "These executables are extracted and submitted individually to VirusTotal, such that the user can eventually see a report for each one of them and perhaps get a notion of whether there is something fishy in their BIOS image."

The "next interesting step" for VirusTotal's firmware tool is the ability to dump your own BIOS firmware into its scanning service, Santos says.

From around the web