Virustotal: Scan firmware for signs of manipulation

Martin Brinkmann
Feb 1, 2016
Security
|
4

Google's popular online virus scanning service Virustotal received an update recently that enables users of the service to scan firmware just like other files.

One of the biggest strengths of Virustotal is its multi-engine scanning support which tests files uploaded to the service using more than 40 different antivirus engines.

The service has been expanded several times ever since it was acquired by Google improving scan parameters among other things.

The most recent addition to Virustotal is support for firmware scans which enables users of the service to upload firmware images, dumped or downloaded, to the service to find out whether they are (likely) legitimate or have been manipulated.

Virustotal firmware scanning

While most malware infects systems on the software-side of things, firmware malware is especially problematic as it is not easy to detect nor to clean.

Since firmware is stored on the device itself, formatting hard drives or even replacing them has no effect on the infected state of a computer.

virustotal firmware scan

Since detection is difficult on top of that, it is common that the attack type goes by unnoticed for a long time.

The scanning of firmware that Virustotal supports works in many regards like the normal scanning of files. The core difference is how the firmware is acquired.

While it can be used to test firmware that is downloaded from a manufacturer's website, a more common need is the desire to test the installed firmware of the device instead.

The main issue here is that the firmware needs to be dumped for that to happen. The blog post on the Virustotal website highlights several tools (mostly as source code or for Unix/Linux systems) that users can make use of to dump firmware on devices they operate.

The analysis of the file looks identical to that of other files on first glance, but the "file detail" tab and the "additional information" tabs reveal specific information that offer in depth information on top of that.

The "file details" tab includes information about the contained files, ROM version, build date and other build related information.

Additional information list file identification information and source details.

The new tool performs the following tasks according to Virustotal:

Apple Mac BIOS detection and reporting.
Strings-based brand heuristic detection, to identify target systems.
Extraction of certificates both from the firmware image and from executable files contained in it.
PCI class code enumeration, allowing device class identification.
ACPI tables tags extraction.
NVAR variable names enumeration.
Option ROM extraction, entry point decompilation and PCI feature listing.
Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image.
SMBIOS characteristics reporting.

The extraction of BIOS portable executables is of special interested here. Virustotal extracts those files and submits them for identification individually. Information such as the intended operating system target are revealed among other information after the scan.

The following scan result highlights Lenovo's rootkit (in form of NovoSecEngine2), the second an updated firmware for Lenovo devices where it has been removed.

Closing Words

Virustotal's new firmware scanning option is a welcome step in the right direction. While that is the case, it will remain a specialized service for now due to the difficulty of extracting firmware from devices and interpreting the results.

 

Summary
Virustotal: Scan firmware for signs of manipulation
Article Name
Virustotal: Scan firmware for signs of manipulation
Description
Virustotal's newest scan service enables you to upload firmware files to the service for detecting firmware malware manipulation.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. jenkins said on February 2, 2016 at 12:17 am
    Reply

    “…scan the downloaded items before opening, always”

    So a VirusTotal scan only of the URL from where a desired file is downloaded … is inadequate protection ??

    One must upload to VT the actual file downloaded to one’s PC ???

    I suppose it is possible for a malicious website to detect a VirusTotal connection/scan — and substitute a “clean” file to deceive VirusTotal, while everyone else who downloads gets the malicious version of the same basic file (?)

  2. S2015 said on February 1, 2016 at 7:08 pm
    Reply

    Regular users should get the most out of VT. Examples or benefits are:
    * scan the downloaded items before opening, always – this is the 1st line of defense, helping avoid greyware, riskware even malware
    * scan some potentially unclean or insecure websites

  3. David B. said on February 1, 2016 at 5:20 pm
    Reply

    An interesting advance!

  4. Pete said on February 1, 2016 at 4:30 pm
    Reply

    If you scan packed files, the “File detail” tab has a section called “Contained files”, which shows a “Show all” button if the packed file has lots of files. However, it only lists max 100 files when clicked.

    When Virustotal was contacted about this, they responded that it is not a bug.

    Incompetent people behind Virustotal. “Show all” is not ambiguous, it means all, not 10, not 50, not 100, it means all. And they ignore/deny their blunder.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.