Virustotal: Scan firmware for signs of manipulation
Google's popular online virus scanning service Virustotal received an update recently that enables users of the service to scan firmware just like other files.
One of the biggest strengths of Virustotal is its multi-engine scanning support which tests files uploaded to the service using more than 40 different antivirus engines.
The service has been expanded several times ever since it was acquired by Google improving scan parameters among other things.
The most recent addition to Virustotal is support for firmware scans which enables users of the service to upload firmware images, dumped or downloaded, to the service to find out whether they are (likely) legitimate or have been manipulated.
Virustotal firmware scanning
While most malware infects systems on the software-side of things, firmware malware is especially problematic as it is not easy to detect nor to clean.
Since firmware is stored on the device itself, formatting hard drives or even replacing them has no effect on the infected state of a computer.
Since detection is difficult on top of that, it is common that the attack type goes by unnoticed for a long time.
The scanning of firmware that Virustotal supports works in many regards like the normal scanning of files. The core difference is how the firmware is acquired.
While it can be used to test firmware that is downloaded from a manufacturer's website, a more common need is the desire to test the installed firmware of the device instead.
The main issue here is that the firmware needs to be dumped for that to happen. The blog post on the Virustotal website highlights several tools (mostly as source code or for Unix/Linux systems) that users can make use of to dump firmware on devices they operate.
The analysis of the file looks identical to that of other files on first glance, but the "file detail" tab and the "additional information" tabs reveal specific information that offer in depth information on top of that.
The "file details" tab includes information about the contained files, ROM version, build date and other build related information.
Additional information list file identification information and source details.
The new tool performs the following tasks according to Virustotal:
Apple Mac BIOS detection and reporting.
Strings-based brand heuristic detection, to identify target systems.
Extraction of certificates both from the firmware image and from executable files contained in it.
PCI class code enumeration, allowing device class identification.
ACPI tables tags extraction.
NVAR variable names enumeration.
Option ROM extraction, entry point decompilation and PCI feature listing.
Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image.
SMBIOS characteristics reporting.
The extraction of BIOS portable executables is of special interested here. Virustotal extracts those files and submits them for identification individually. Information such as the intended operating system target are revealed among other information after the scan.
The following scan result highlights Lenovo's rootkit (in form of NovoSecEngine2), the second an updated firmware for Lenovo devices where it has been removed.
Virustotal's new firmware scanning option is a welcome step in the right direction. While that is the case, it will remain a specialized service for now due to the difficulty of extracting firmware from devices and interpreting the results.
If you scan packed files, the “File detail” tab has a section called “Contained files”, which shows a “Show all” button if the packed file has lots of files. However, it only lists max 100 files when clicked.
When Virustotal was contacted about this, they responded that it is not a bug.
Incompetent people behind Virustotal. “Show all” is not ambiguous, it means all, not 10, not 50, not 100, it means all. And they ignore/deny their blunder.
An interesting advance!
Regular users should get the most out of VT. Examples or benefits are:
* scan the downloaded items before opening, always – this is the 1st line of defense, helping avoid greyware, riskware even malware
* scan some potentially unclean or insecure websites
“…scan the downloaded items before opening, always”
So a VirusTotal scan only of the URL from where a desired file is downloaded … is inadequate protection ??
One must upload to VT the actual file downloaded to one’s PC ???
I suppose it is possible for a malicious website to detect a VirusTotal connection/scan — and substitute a “clean” file to deceive VirusTotal, while everyone else who downloads gets the malicious version of the same basic file (?)