Just so u know….
Google’s popular online virus scanning service Virustotal received an update recently that enables users of the service to scan firmware just like other files.
One of the biggest strengths of Virustotal is its multi-engine scanning support which tests files uploaded to the service using more than 40 different antivirus engines.
The service has been expanded several times ever since it was acquired by Google improving scan parameters among other things.
The most recent addition to Virustotal is support for firmware scans which enables users of the service to upload firmware images, dumped or downloaded, to the service to find out whether they are (likely) legitimate or have been manipulated.
Virustotal firmware scanning
While most malware infects systems on the software-side of things, firmware malware is especially problematic as it is not easy to detect nor to clean.
Since firmware is stored on the device itself, formatting hard drives or even replacing them has no effect on the infected state of a computer.
Since detection is difficult on top of that, it is common that the attack type goes by unnoticed for a long time.
The scanning of firmware that Virustotal supports works in many regards like the normal scanning of files. The core difference is how the firmware is acquired.
While it can be used to test firmware that is downloaded from a manufacturer’s website, a more common need is the desire to test the installed firmware of the device instead.
The main issue here is that the firmware needs to be dumped for that to happen. The blog post on the Virustotal website highlights several tools (mostly as source code or for Unix/Linux systems) that users can make use of to dump firmware on devices they operate.
The analysis of the file looks identical to that of other files on first glance, but the “file detail” tab and the “additional information” tabs reveal specific information that offer in depth information on top of that.
The “file details” tab includes information about the contained files, ROM version, build date and other build related information.
Additional information list file identification information and source details.
The new tool performs the following tasks according to Virustotal:
Apple Mac BIOS detection and reporting.
Strings-based brand heuristic detection, to identify target systems.
Extraction of certificates both from the firmware image and from executable files contained in it.
PCI class code enumeration, allowing device class identification.
ACPI tables tags extraction.
NVAR variable names enumeration.
Option ROM extraction, entry point decompilation and PCI feature listing.
Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image.
SMBIOS characteristics reporting.
The extraction of BIOS portable executables is of special interested here. Virustotal extracts those files and submits them for identification individually. Information such as the intended operating system target are revealed among other information after the scan.
The following scan result highlights Lenovo’s rootkit (in form of NovoSecEngine2), the second an updated firmware for Lenovo devices where it has been removed.