Thunderstrike 2 rootkit infects Mac firmware

Pierluigi Paganini August 05, 2015

A security researcher developed an improved version of the Thunderstrike rootkit that uses Thunderbolt accessories to infect the Mac firmware.

Earlier this year, security expert Trammell Hudson presented a proof-of-concept firmware called Thunderstrike. Thunderstrike is a hacking technique to infect Apple’s Mac PCs with EFI Bootkit through the Thunderbolt port.

The expert demonstrated how to compromise accessories connected to the Thunderbolt port to infect Mac PC. The expert demonstrated that the malware inoculated through Thunderbolt port can also infect other Mac by propagating to other accessories.

All Mac computers that come with a Thunderbolt port are theoretically vulnerable to attack.

In January 2015 Apple released the version OS X 10.10.2 to patch the exploit, but a couple of researchers have developed a new malware based on the Thunderstrike code, dubbed “Thunderstrike 2.”

Xeno Kovah, a researcher from the Hudson and LegbaCore, demonstrated that Thunderstrike 2 spreads primarily through infected Thunderbolt accessories.

The Kovah’s hacking technique improved the previous one, it overwhelms the need to have a physical access to the target computer. The attacker can spread the exploit via phishing emails or through a compromised web.

“An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.” states a post published by Wired.

Thunderstrike 2

Thunderstrike 2, such as many other firmware malware, are not easy to detect by common antivirus software. Another aspect to consider is the difficulty to remove Thunderstrike 2 firmware malware, as explained in the FAQ it is not possible to use the Option ROM technique to replace the modified boot ROM with a clean and legitimate copy.

You can’t use Thunderstrike to remove Thunderstrike

Another element of concern is that the security vulnerabilities exploited by Thunderstrike 2 are common to most EFI firmware.

Security experts have already discovered six vulnerabilities that affected PCs from Dell, HP, Lenovo, Samsung, and others.

“Of those, five also applied to the Mac’s firmware, and of those, Apple has fully patched one, partially patched another, and failed to patch three more.” states Arstechnica.

The expert already reported the flaws to Apple that likely will patch them in the next release.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Thunderstrike 2, malware)

[adrotate banner=”12″]



you might also like

leave a comment