Intel Security has released a detection tool after the Vault7 documents leaked on Tuesday indicated that the CIA had developed malware that can compromise the firmware of Apple MacBooks.
The revelations from WikiLeaks suggest that the CIA created Extensible Firmware Interface (EFI) rootkits, called DarkMatter, in order to crack Apple MacBooks.
Apple stated at the time that it had addressed many of the issues in its latest laptops, but added that it continued to work rapidly to address any other identified vulnerabilities. It didn't mention any specific vulnerabilities to MacBooks or its Mac OS X operating system.
To help detect and remove this alleged threat, Intel Security has updated its Chipsec BIOS tool, which it said would enable users to check whether their computer's low-level system firmware, or EFI, has been altered and contains unauthorised code.
The EFI runs before the operating system, and prepares the computer's hardware components during a system boot process.
According to the Vault7 ‘Year Zero' dump, there are a number of CIA-developed tools for exploiting zero-day vulnerabilities, including malware that can infect the firmware of computer systems. Not only do these cracks go unnoticed when a computer boots up, they can also remain within the system after a hard-disc reformat or an operating system re-installation.
"Following recent WikiLeaks Vault7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society," said Intel Security's Christiaan Beek and Raj Samani in a blog post.
"As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework that can be used to verify the integrity of EFI firmware executables on potentially impacted systems," they added.
The tool compares the EFI executable binaries from a clean EFI firmware image - perhaps the original - to the existing EFI to check for new binaries.
On the DarkMatter EFI firmware malware, Beek and Samani said that it appeared to include multiple EFI executable components that it injects into the EFI firmware "on a target system at different stages of infection".
"If one has generated a whitelist of known good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system with EFI firmware infected by the DarkMatter persistent implant would likely result in a detection of these extra binaries added to the firmware by the rootkit."
According to Intel Security, the CHIPSEC framework can protect organisations against this threat. It can be found on GitHub.
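The whitelist comparison described above can be sketched as follows. This is an added example, not CHIPSEC's own code: it assumes the EFI modules have already been extracted from each firmware image into name-to-bytes mappings, that SHA-256 is the digest used, and all function names and sample data are constructed for illustration.

```python
import hashlib

# First two bytes of EFI executables: PE/COFF images ("MZ") and
# Terse Executable images ("VZ"). Anything else is treated as data.
EFI_MAGICS = (b"MZ", b"VZ")


def is_efi_executable(blob: bytes) -> bool:
    return blob[:2] in EFI_MAGICS


def generate_whitelist(modules: dict) -> dict:
    """Map SHA-256 digest -> module name for each executable in a known-good image."""
    return {hashlib.sha256(data).hexdigest(): name
            for name, data in modules.items() if is_efi_executable(data)}


def check_against_whitelist(modules: dict, whitelist: dict) -> list:
    """Return (name, digest) for every executable whose hash is not whitelisted."""
    unknown = []
    for name, data in sorted(modules.items()):
        if not is_efi_executable(data):
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest not in whitelist:  # keyed by hash, so a rename alone is not flagged
            unknown.append((name, digest))
    return unknown


# Constructed sample data standing in for modules extracted from two images.
CLEAN_IMAGE = {
    "DxeCore": b"MZ" + b"\x90" * 64,
    "PeiCore": b"VZ" + b"\x01" * 64,
    "Logo.bmp": b"BM" + b"\x00" * 64,   # not an executable, ignored
}
CURRENT_IMAGE = dict(CLEAN_IMAGE)
CURRENT_IMAGE["DxeCore"] = b"MZ" + b"\x90" * 63 + b"\xcc"  # modified in place
CURRENT_IMAGE["ExtraDxe"] = b"MZ" + b"\x42" * 64           # binary not in clean image

if __name__ == "__main__":
    known_good = generate_whitelist(CLEAN_IMAGE)
    for name, digest in check_against_whitelist(CURRENT_IMAGE, known_good):
        print(f"not in whitelist: {name} sha256={digest}")
```

The check is only as trustworthy as the image the whitelist was generated from, so the known-good list has to come from a firmware image obtained before any suspected compromise.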