nicro

Q: thunderstrike-2 once infected always infected?

I understand that the chances of getting Thunderstrike 2 are slim, and that if you have El Capitan you're immune from catching it.
My question is... If you got Thunderstrike 2 before upgrading to El Capitan, i.e. while running Mavericks, will you still carry the bug in your SPI after the upgrade? If not, how does this work?

MacBook Pro (17-inch Late 2011), OS X El Capitan (10.11.2), Security

Posted on Jan 12, 2016 10:36 AM

  • by JimmyCMPIT, Jan 12, 2016 10:49 AM in response to nicro
    Level 5 (7,776 points), Mac OS X

    My understanding is Thunderstrike 2 would go from being the theoretical proof-of-concept threat that it currently is and become legitimate code in the wild. Right now it's Pinocchio (exists but not as a "real boy/virus"), if I'm reading this correctly, so the chance of you having it means it was distributed to you, in the form of code, by the lab that provided the concept idea to Apple.

  • by Cmoore01, Jan 12, 2016 10:55 AM in response to nicro
    Level 2 (186 points), Mac OS X

    Basically, according to this article: Once a Mac computer has been infected with Thunderstrike 2, the only way to remove the malware is to re-flash its firmware chips. (http://www.techtimes.com/articles/74024/20150804/thunderstrike-2-is-the-latest-nightmare-of-mac-owners-what-you-should-k…)

    I have not heard of any true "in-the-wild" infections occurring, but if you are not sure about your system, for whatever reason, make an appointment with a Genius Bar and have them check your system.

  • by nicro, Jan 12, 2016 10:58 AM in response to Cmoore01
    Level 1 (1 points)

    Thanks Cmoore, yep, I thought so too, but some people are saying that this advice might now be out of date as El Capitan sandboxes the issue.
    Can the genius bar do an inspection then? I thought there was no way to tell if you had it?

  • by JimmyCMPIT, Jan 12, 2016 11:04 AM in response to nicro
    Level 5 (7,776 points), Mac OS X

    There is no inspection. This concept never made it out of a lab. It's not a downloadable thing, it's not a contracted thing, it's a concept.

    The only thing Apple can do is what they have already done: update the toolset they provided for you in an update. So if you don't update they can't fix it; they already provided you with a fix in the form of an update, so that's how they would "fix" this conceptual attack.

  • by Cmoore01, Jan 12, 2016 11:03 AM in response to nicro
    Level 2 (186 points), Mac OS X

    Best advice I could give you would be to call and see. I would think they could do a check of the PROM version or a checksum check, to verify. Could be wrong, but if anyone should be able to do so, I would think it would be Apple. Once again, I have not found any reports of an actual reported case in the wild. Why would you suspect you are infected? Also, make sure you have installed the EFI update that Apple released. First clue: if you can't update, then there's a good chance you have made history.

    EDIT:  Basically what Jimmy said above.

  • by nicro, Jan 12, 2016 11:12 AM in response to Cmoore01
    Level 1 (1 points)

    Thanks both, I had some nasties on my computer a while back, downloaded some silly software. I've done many re-installs since, so in general I'm happy. I'm super security conscious, so the only issue I could have kept, from what I can tell, is Thunderstrike 2, hence the aim to know for sure and eliminate it if so. Re: none in the wild, I'm sure I saw an article about it being used already to download junkware such as MacKeeper.

  • by Cmoore01 (Solved answer), Jan 12, 2016 11:19 AM in response to nicro
    Level 2 (186 points), Mac OS X

    In my read of that article, they are talking about a second exploit for root privileges called DYLD, which has since been patched. This is unrelated to the first exploit the article was talking about, Thunderstrike 2. Two different situations in one article. At least this is my read.

  • by nicro, Jan 12, 2016 11:26 AM in response to Cmoore01
    Level 1 (1 points)

    Apologies, you're correct, it was for a different bug! Just out of interest, if El Capitan has fixed the Thunderstrike 2 flaw, is it just now immune from catching the bug, or does it actually remove the bug as well if found in the EFI?

  • by JimmyCMPIT (Helpful), Jan 12, 2016 11:50 AM in response to nicro
    Level 5 (7,776 points), Mac OS X

    The article skips the part where Trammell Hudson, who discovered it, also created the concept. The article is trying to allude to the fact it's a real "out in the wild" threat when it never was found or released in the wild. It is a concept, and the writer of that page is leaving out a lot of pertinent information for the sake of sensationalizing a threat that was never made real; he also fails to explain that the patch to prevent this concept was indeed addressed in Yosemite by Apple in the event it did really happen.

  • by Kurt Lang, Jan 12, 2016 11:36 AM in response to nicro
    Level 8 (37,892 points), Mac OS X

    Even on your 2011 MacBook Pro, now essentially impossible. Especially if you have the latest firmware update applied. The EFI update MBP81.0047.B2A (2015-001) was rolled out for all 2011 models. Its main fix is to protect the EFI against Thunderstrike. This EFI (firmware) update was automatically installed along with the Yosemite 10.10.4 update. Or if you didn't install that, it would have appeared as a separate update under the App Store app.

    There were also OS updates for Mountain Lion, Mavericks and Yosemite to block either version of Thunderstrike at the OS level.


    About the security content of Mac EFI Security Update 2015-001 - Apple Support

    About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005 - Apple Support


    If you happened to have Thunderstrike already in the firmware before any of these, the firmware/EFI update MBP81.0047.B2A (2015-001) would remove it by way of replacing it on the EFI with the new firmware code.


    Also, for any 2014 model or newer Mac, the original Thunderstrike can't be installed. The firmware itself had already been updated to block it. Thunderstrike 2 was blocked later at both the firmware and OS level.
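Kurt Lang's point that the fix is the firmware image itself, and Cmoore01's earlier suggestion of checking the PROM version, come down to one check a user can run: does the Boot ROM reported by system_profiler match or exceed MBP81.0047.B2A? The script below is an added example, not from the thread or from Apple; the system_profiler text is a constructed sample, and treating Apple's BOARD.NNNN.BXX strings as ASCII-sortable is my assumption.

```shell
#!/bin/sh
# Patched Boot ROM for the 2011 MacBook Pro, as named in the thread
# (Mac EFI Security Update 2015-001).
EXPECTED_ROM="MBP81.0047.B2A"

# Pull the Boot ROM version out of system_profiler text passed as $1.
# On a real Mac: boot_rom_version "$(system_profiler SPHardwareDataType)"
boot_rom_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p' | head -n 1
}

# 0 if the installed ROM is the expected one or newer, 1 if it is older,
# 2 if it is empty or from a different board family (not comparable).
# Assumption (mine, not the page's): BOARD.NNNN.BXX strings with the
# zero-padded numeric field order correctly as plain ASCII.
rom_is_current() {
    have="$1"; want="$2"
    [ -n "$have" ] || return 2
    [ "${have%%.*}" = "${want%%.*}" ] || return 2
    lowest=$(printf '%s\n%s\n' "$have" "$want" | LC_ALL=C sort | head -n 1)
    [ "$lowest" = "$want" ]
}

# Constructed sample of system_profiler output (not a real capture).
SAMPLE_PATCHED='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro8,3
      Boot ROM Version: MBP81.0047.B2A'

# Report whether the EFI update is present. The version string is reported
# by the firmware itself, so this shows the patch is applied; it does not
# prove the flash contents are clean (per the thread, only a re-flash does).
check_mac() {
    rom=$(boot_rom_version "$1")
    if rom_is_current "$rom" "$EXPECTED_ROM"; then
        echo "Boot ROM $rom: EFI Security Update 2015-001 (or later) is applied"
    else
        echo "Boot ROM '$rom' older than $EXPECTED_ROM or not comparable: apply the EFI update"
        return 1
    fi
}

check_mac "$SAMPLE_PATCHED"
```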

  • by nicro, Jan 12, 2016 11:44 AM in response to Kurt Lang
    Level 1 (1 points)

    Wow thanks Kurt, and thanks all, it never got into the wild and Apple seem to have done a **** good job of fixing it!

  • by JimmyCMPIT (Helpful), Jan 12, 2016 11:58 AM in response to nicro
    Level 5 (7,776 points), Mac OS X

    First line of the FAQ from the "discoverers'" web page:

    https://trmm.net/Thunderstrike_FAQ

    Is Thunderstrike "in the wild"?

    To the best of our knowledge there are no Mac firmware bootkits in the wild and Thunderstrike is only a proof-of-concept that does not have any malicious payload.

  • by Kurt Lang, Jan 12, 2016 11:49 AM in response to JimmyCMPIT
    Level 8 (37,892 points), Mac OS X

    A lot of these reports also leave out that the researchers who discovered how to infect the firmware via Thunderbolt reported the concept and handed over the working code to Apple so it could be patched before anyone could do something malicious with it.
