VirusTotal Adds Support for Scanning Malicious Firmware Images

Av Gurus

Level 29
Thread author
Verified
Helper
Top poster
Malware Hunter
Well-known
Sep 22, 2014
1,768
VirusTotal, the best thing for security aficionados since sliced bread, has announced initial support for detecting and then properly analyzing firmware images.

The new feature should come in handy to users who suspect they might be infected with rootkit malware.

Rootkits are a common occurrence in new malware families
In the past years, malware targeting a computer's BIOS (Basic Input/Output System) and UEFI (Unified Extensible Firmware Interface) firmware images has grown in numbers, with the most famous case coming out of the Hacking Team data breach.

The reason cyber-criminals are targeting UEFI and BIOS images is because they can persist malicious code between PC reboots and even PC reinstalls. Additionally, antivirus engines can't reach that deep inside a computer's system to scan for viruses in the firmware.

As you'd normally expect, this has led to an increase in the number of malware strains that come with a rootkit component, either loaded on command or included by default within the malware's body.

Either way, the number is growing, and most users find themselves with sluggish computers, even after a fresh reinstall, something that might lead anyone to believe that something weird may be happening with your motherboard's code.

New VirusTotal firmware scanner feature is available right now
VirusTotal's new feature is available starting today, and you can extract your firmware code, optionally remove personally identifiable information (like WiFi passwords, hostnames, etc.), and then upload it to VirusTotal through the regular homepage form.

Once the results show up, just check out the "File detail" and "Additional information" tabs.

VirusTotal will automatically break down your firmware, analyze each file, and compare it to the virus databases of all the antivirus engines it supports. If something shady comes up, you'll see it in the "File detail" tab, marked with an orange or red icon.

When this happens, it may be time to wipe your BIOS/UEFI and reinstall it from scratch. For this operation, non-technical users might need to hire an IT professional.

The following tools will also help you extract your firmware image from your PC and submit it to VirusTotal for analysis:

- DarwinDumper

- CHIPSEC

- Flashrom

Here's a naughty firmware sample to play with.

Sample VirusTotal firmware scan
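As an added example (not code from the article, the thread, or VirusTotal's own tooling), here is a small Python triage script for the workflow described above. It assumes the firmware image has already been read out of the SPI flash into a file with one of the listed tools (flashrom or CHIPSEC). It computes the dump's SHA-256 so an existing VirusTotal report can be looked up by hash before anything is uploaded (the `/en/file/<sha256>/analysis/` URL shape is the one used in the replies below), lists printable strings that may contain personal data (hostnames, Wi-Fi credentials) for review, and compares the dump block by block against a vendor image of the same size. The PII markers are a heuristic assumption, and the sample image is constructed.

```python
"""Pre-upload triage for a dumped firmware image (added example, not from the thread)."""
import hashlib
import re
import sys

# Constructed sample "firmware image": binary padding with a few embedded strings.
# A real SPI dump is megabytes; this is only shaped like one.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"$FID\x00\x00BIOS-VER-1.23\x00"
    + b"\xff" * 64
    + b"HOSTNAME=office-pc-07\x00"
    + b"\x90" * 16
    + b"SSID=HomeNetwork-5G\x00PSK=constructed-example-secret\x00"
    + b"\xff" * 128
)

# Heuristic markers for data you may not want in a public upload (assumption).
PII_HINTS = (b"HOSTNAME", b"SSID", b"PSK", b"PASS", b"USER", b"@")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole image, the key VirusTotal uses for hash lookups."""
    return hashlib.sha256(data).hexdigest()


def vt_report_url(sha256hex: str) -> str:
    """URL shape seen in this thread; lets you check for an existing report first."""
    return f"https://www.virustotal.com/en/file/{sha256hex}/analysis/"


def find_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len long, like the `strings` utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]


def flag_pii(strings: list) -> list:
    """Strings worth reviewing (and possibly blanking) before uploading the dump."""
    return [s for s in strings if any(h in s.upper().encode("ascii") for h in PII_HINTS)]


def diff_blocks(dump: bytes, reference: bytes, block: int = 4096) -> list:
    """Offsets of blocks that differ between the dump and a same-size reference image.

    Vendor downloads are often update capsules rather than raw flash images, so a
    size mismatch is reported as an error instead of a misleading diff.
    """
    if len(dump) != len(reference):
        raise ValueError(f"size mismatch: dump={len(dump)} reference={len(reference)}")
    return [off for off in range(0, len(dump), block)
            if dump[off:off + block] != reference[off:off + block]]


def triage(data: bytes) -> dict:
    """Everything a user should look at before pressing upload."""
    strings = find_strings(data)
    return {
        "sha256": sha256_hex(data),
        "report_url": vt_report_url(sha256_hex(data)),
        "string_count": len(strings),
        "review_before_upload": flag_pii(strings),
    }


if __name__ == "__main__":
    # Usage: python firmware_triage.py dump.bin  (falls back to the constructed sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for key, value in triage(image).items():
        print(f"{key}: {value}")
```

The hash lookup is the cheap first step: a dump of a common retail board is likely to have been submitted already, and the report tells you what the scanners made of it without you uploading a copy that may carry your hostname or network credentials.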
 

SloppyMcFloppy

Level 13
Sep 12, 2015
618
It does work! And I'm glad that my ASUS Maximus VII Hero motherboard BIOS came out clean! Here is the virustotal.com link for the ASUS Maximus VII Hero latest BIOS.
Code:
https://www.virustotal.com/en/file/cb7cb993d91a8c28a7de0e4c6fe929b6ad17cb72e9826b9b61440981c48e385e/analysis/1454134092/
 

Solarquest

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 22, 2014
2,526
It does work! And I'm glad that my ASUS Maximus VII Hero motherboard BIOS came out clean! Here is the virustotal.com link for the ASUS Maximus VII Hero latest BIOS.
Code:
https://www.virustotal.com/en/file/cb7cb993d91a8c28a7de0e4c6fe929b6ad17cb72e9826b9b61440981c48e385e/analysis/1454134092/

What program did you use to extract it?
I'll check my BIOS as soon as I get some time to read how to use the programs suggested by VT.
 

Solarquest

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 22, 2014
2,526
That file is already extracted by default. So all you need to do is copy and paste it onto a USB stick and boot into the BIOS to update.

Just to be sure, did you scan on VT the BIOS you had on your MB (that you extracted with a program) or an update available online that you downloaded on your PC? Thank you
 

pneuma1985

Level 4
Verified
Aug 30, 2015
189
Awesome, it's about time honestly... I deal with firmware images a lot on Android; now they need to make the upload file-size limit in the gigabytes lol :p
I'd like to point out I've never heard of any of those utilities decompressing Android firmware .img files. I was wondering about the capability when it comes to Android .img files?
 

jamescv7

Level 85
Verified
Helper
Mar 15, 2011
13,085
Expand and expand; analysis should not only rely on the mainstream components but also on sophisticated ones, so VirusTotal generally applies the purpose at all.
 