Wednesday, 27 January 2016

Putting the spotlight on firmware malware

Firmware malware has been a hot topic ever since Snowden's leaks revealed NSA's efforts to infect BIOS firmware. However, BIOS malware is no longer something exclusive to the NSA, Lenovo's Service Engine or Hacking Team's UEFI rootkit are examples of why the security industry should put some focus on this strain of badness.

To all effects BIOS is a firmware which loads into memory at the beginning of the boot process, its code is on a flash memory chip soldered onto the mainboard. Since the BIOS boots a computer and helps load the operating system, by infecting it attackers can deploy malware that survives reboots, system wiping and reinstallations, and since antiviruses are not scanning this layer, the compromise can fly under the radar.

As of today VirusTotal is characterizing in detail firmware images, legit or malicious. These are a couple of examples of the kind of information that is now generated, please refer to the File Detail tab:
https://www.virustotal.com/en/file/3afb102f0a61f5a71be4658c3d8d3624e4773e36f64fd68a173f931bc38f651e/analysis/  [1]
https://www.virustotal.com/en/file/4db9177af43a958686b9367f19df90023acf3189c388497a8a7d1d8cb3f7f0e0/analysis/  [2]
https://www.virustotal.com/en/file/57a0c38bf7cf516ee0e870311828dba5069dc6f1b6ad13d1fdff268ed674f823/analysis/
Pay attention to the Additional information tab in this other case,  you will see a new Source Details field which gives attribution information for the given file:
https://www.virustotal.com/en/file/8b1ec36a50683db137d3bd815052dd6034697af8ef2afd6c81c912b6d0f0f2e0/analysis/
100% PE resource match is not required in order to provide some attribution context, e.g.
https://www.virustotal.com/en/file/a90f803e10530e8f941d7054a12a37aa7b22c89bac89b6d2b8e40878bffccf11/analysis/


The new tool performs the following basic tasks:


  • Apple Mac BIOS detection and reporting.
  • Strings-based brand heuristic detection, to identify target systems.
  • Extraction of certificates both from the firmware image and from executable files contained in it.
  • PCI class code enumeration, allowing device class identification.
  • ACPI tables tags extraction.
  • NVAR variable names enumeration.
  • Option ROM extraction, entry point decompilation and PCI feature listing.
  • Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image.
  • SMBIOS characteristics reporting.


What's probably most interesting is the extraction of the UEFI Portable Executables that make up the image, since it is precisely executable code that could potentially be a source of badness. These executables are extracted and submitted individually to VirusTotal, such that the user can eventually see a report for each one of them and perhaps get a notion of whether there is something fishy in their BIOS image. Additionally, the tool will highlight which of these extracted PEs are Windows targeted, i.e. they will run on the Windows OS itself rather than on the UEFI pseudo-OS. Usually you would not see Windows executables in this layer, though there are some exceptions like the following case:

As you can see, the report distinguishes between any kind of PE and PEs that will run on the Windows OS itself, the first one of which happens to be detected by a noticeable amount of antivirus vendors. This executable is actually an antitheft product called Computrace, embedded in many BIOS in order to be able to track a system after theft, even if the system is wiped and reinstalled. Totally legit when used for this purpose.

This exemplifies one way in which the new characterization can help in hunting badness, for instance, if you take a closer look at the very first two examples:
https://www.virustotal.com/en/file/3afb102f0a61f5a71be4658c3d8d3624e4773e36f64fd68a173f931bc38f651e/analysis/
https://www.virustotal.com/en/file/4db9177af43a958686b9367f19df90023acf3189c388497a8a7d1d8cb3f7f0e0/analysis/
You will notice that this is precisely the Lenovo rootkit case. They are two different BIOS updates for Lenovo S21e laptop systems, the second one removes what was identified as factory-installed malware, taking a closer look at both reports you will notice that the first image contains a NovoSecEngine2 Windows executable in charge of deploying further artifacts onto the target system.

Knowing that this new tool is available, the next interesting step would be to be able to dump your own BIOS in order to further study it by submitting it to VirusTotal, the following tools might come in handy:
https://bitbucket.org/blackosx/darwindumper/downloads
https://github.com/chipsec/chipsec
https://www.blackhat.com/docs/us-13/US-13-Butterworth-BIOS-Security-Code.zip
https://flashrom.org/Flashrom

Obviously, this has its limitations, the system could be compromised in such a manner that the dumpers are deceived, you should understand that the ultimate ground truth is physically attaching to the chip and electronically dumping the flash memory.

When performing BIOS dumps and uploading to VirusTotal make sure you remove private information, certain vendors may store secrets such as WiFi passwords in BIOS variables in order to remember certain settings across system reinstalls. If you are on a Mac, DarwinDumper will allow you to easily strip sensitive information by checking the "Make dumps private" option.


Premium users of VirusTotal Intelligence and VirusTotal Private Mass API will soon be able to read a follow-up article in Intelligence's blog in order to understand how all of this information is now indexed and searchable, allowing you to track down advanced actors making use of BIOS badness in order to persist in their targets' systems.



We would like to specially thank Teddy Reed, developer of the UEFI firmware python parser, he has been instrumental in helping us overcome our ignorance about BIOS, UEFI, and its ecosystem.

Tuesday, 17 November 2015

VirusTotal += Mac OS X execution

We previously announced sandbox execution of Windows PE files in 2012, and Android in 2013.  We are happy to announce equal treatment for Mac OS X  apps. Files scanned that are Mach-O executables, DMG files, or ZIP files containing a Mac app, will be sent to the sandbox in order to produce behavioral reports.

Users may scan these file types directly on www.virustotal.com, with our OS X Uploader app, or via the API.

As before, users with private API or "allinfo" privileges will see this information in the API responses. For VirusTotal Intelligence customers the information is also indexed and searchable.

Here are a couple of example reports, have a look at the "Behavioural information" tab...

DMG files:
Mach-O files:

ZIP files with an Mac app inside:
If you find issues, or have suggestions to improve the Mac sandbox please send an email to contact [at] virustotal [dot] com.

Friday, 9 October 2015

VirusTotal += CloudStat URL scanner

Today we are introducing a new URL scanner that will be characterizing URLs submitted by users to VirusTotal: CloudStat. In their own words:
CloudStat is a new platform set to revolutionize the way companies collect and analyze their data. It identifies compliance gaps, detects configuration problems and warns customers of cyber security threats by applying our proprietary analysis engine to millions of data points. It delivers concise actionable reports directly to mobile devices. The team behind CloudStat is dedicated to helping companies mitigate risks, increase productivity and reduce costs.
Let us look at how their verdicts show up:
https://www.virustotal.com/en/url/2ea21e20088c61bbcec94722c5ef9dd17a663f03869c1f85cacab5c705288064/analysis/
https://www.virustotal.com/en/url/a6ae8a164711f280e4df6d88ba9cd8a7b5acc491824b29e09fdd4e0ff951944c/analysis/
https://www.virustotal.com/en/url/de364f9419c0ed25ed9731e7afb412a0a5d647774c2c54fab2bbee72215519ad/analysis/

Judging by the reports, it seems that this new engine nicely complements other datasets, such that aggregate threat coverage has been improved, this is good news. Hopefully this addition results in more secure users world-wide.

Welcome CloudStat!

Tuesday, 9 June 2015

VirusTotal += Arcabit

We welcome Arcabit scanner to VirusTotal. This is a multi-engine product from Poland. In the words of the company:

"Arcabit is a Polish vendor of the antivirus and protection software. Arcabit antivirus engine is the hybrid of two solutions - Bitdefender and its own, constantly developed 
engine with rapid response to the new threats. Arcabit uses advanced cloud solutions to identify trends in malware development and to ensure an early response to new threats.
The heuristic mechanisms implemented by Arcabit (identified as HEUR.*) offer the efficacy at the level of 99.9% in detecting threats spreading through popular Web channels - www, email etc."

Friday, 5 June 2015

VirusTotal -= Norman

Blue Coat has decided to retire Norman Scanner Engine as an active OEMable AV scanner engine so it will not be shown in VirusTotal reports.

Tuesday, 28 April 2015

KnockKnock += VirusTotal

In October 2013 we announced that Windows Sysinternals Sigcheck was adding integration with VirusTotal in order to help its users with malware triage. Thereafter, Mark Russinovich has continued to plug VirusTotal into other tools commonly used by malware and forensics analysts, namely Sysinternals Autoruns and Sysinternals Process Explorer.

Today we are excited to announce that Patrick Wardle has included VirusTotal information in the Mac OS X equivalent of Autoruns: KnockKnock. In his own words:
"KnockKnock... Who's There?" See what's persistently installed on your Mac!
Malware installs itself persistently, to ensure it is automatically executed each time a computer is restarted. KnockKnock (UI) uncovers persistently installed software in order to generically reveal such malware.

This tool is extremely useful when performing a quick malware hunt down in Mac OS X systems, and the integration with VirusTotal gives further momentum to all the efforts we have been conducting in helping secure Mac OS X users: tools to further characterize Mac OS X executables, VirusTotal Uploader for OS X, etc.

If you want to learn more about KnockKnock and download it, do not hesitate to visit the project's site: https://objective-see.com/products/knockknock.html.

Tuesday, 10 February 2015

A first shot at false positives

Every so often an antivirus detecting a legitimate file hits the headlines, this usually happens when a given vendor mistakenly marks as malicious a file belonging to a widespread software package, for example, a key operating system file.

These mistaken detections, commonly known as false positives, have all sorts of undesired effects:
  • Software developers may face strong business impact as a large portion of their users see their programs rendered unusable. 
  • Support teams for the affected programs may be suddenly overwhelmed by user emails claiming that the given software is not working correctly.
  • End-users may be unable to interact with important software and see themselves unable to finish critical tasks.
  • Antivirus vendors' reputation may be severely hindered.
It is, thus, obvious that false positives are a head ache both for the antivirus industry and software developers. Solving them can be a very challenging problem. Why? Nowadays antivirus vendors are increasingly required to become more proactive, this includes developing generic signatures and heuristic flags, which very often leads to mistaken detections in an effort to have a more secure user-base. 

Virustotal is strongly committed to helping the antivirus and security industry, this is why we also wanted to collaborate on this front. Our first shot at this is a project that we call trusted source. The goal of this first stage is to have huge software developers share the files in their software catalogue.

These files are then marked accordingly at VirusTotal and whenever an antivirus solution (mistakenly) detects them, we notify the pertinent vendor, allowing them to quickly correct the false positive. Additionally, when files get distributed to antivirus vendors, they are tagged so that potential erroneous flags can be ignored,  preventing a snowball effect with detection ratios.

We have already started marking files and you may have already noticed the new message dialog at the top of file reports, example:
https://www.virustotal.com/en/file/a70999ee28e6233ffcadb6cc3967417be4de2678b868fa2d45bdd3f826c7ed48/analysis/

As you can see, not only a trusted source dialog is displayed, mistaken detections are also dropped from the positives count and degraded to the bottom of the report. This is just a quick measure to make sure the false positives do not mislead users looking at the report, as said, these mistaken detections are also shared with the pertinent vendors in order for them to fix.

We have been working on this for just one week and with just one company, Microsoft, yet results look very promising: over 6000 false positives have been fixed. We would like to extend a big thank you to the Microsoft team for sharing metadata about its software collection and to the antivirus industry as a whole for the false positives remediation. 

So what are the next steps? We are looking to grow our collection of trusted software, if you happen to be a very large software development company you might want to contact us in order to share this data and help us mitigate the issue of false positives. Please note that this initiative is not open to potentially unwanted applications and adware developers.