VirusTotal has New Feature Analyzing Malware-Embedded Firmware Images

The popular VirusTotal service of Google now owns one fresh tool which's created for assessing firmware, a code which connects any PC's hardware with its OS during system-boot. Sophisticated attackers, even National Security Agency of the U.S., sometime or the other targeted firmware where malware can be implanted as it is an extremely good place to remain concealed.

According to VirusTotal's (VT) IT security engineer Francisco Santos, as anti-virus software wouldn't scan this low-level code, a compromise by the same can go undetected. Over the years, malware programs that infected a PC's firmware images such as UEFI and BIOS have increased numerically. A highly well-known instance is the data-hack by Hacking Team. Attackers target the BIOS/UEFI firmware images mainly since they enable persistency of malware from one PC reboot to another as well as between computer software reinstalls. Besides, AV programs cannot reach the extreme depth of a computer for virus scan of firmware.

Researchers using VT's scanning service are let to upload malicious software. It (the service) tells whether an AV has detected any malware while gives more technical information. VT's most recent tool gives the mark suspicious or legitimate to a firmware image. It as well pulls out certificates that any firmware may be carrying and whether more executable files are there within it. According to Francisco Santos, the tool is capable of pulling out PEs (portable executables) located within firmware, which support malicious behavior.

A few PE are suitable on Windows operating system (OS), while not inside the firmware. This implies undesirable behavior; however, sometimes it's legitimate. For example, a PE could stand as an antitheft characteristic created for being persistent even though the PC was wiped. CIO posted this, January 2016. The tool in discussion pulls out firmware code, if wanted eliminate PII (personally identifiable information) e.g. hostnames, WiFi passwords, followed with uploading it onto VT via the usual means of homepage.

VT of its own segregates the firmware files; assesses each one followed with drawing its comparison with virus databases belonging to every AV program it supports. Incase of any shady presence, it'll get reflected within "File detail" label colored red/orange.

» SPAMfighter News - 2/3/2016