Google's VirusTotal now picks out suspicious firmware

The new tool provides technical details about firmware images, a target for attackers

Google's VirusTotal service has added a new tool that analyzes firmware, the low-level code that bridges a computer's hardware and operating system at startup.

Advanced attackers, including the U.S. National Security Agency, have targeted firmware as a place to embed malware since it's a great place to hide. 

Since antivirus programs "are not scanning this layer, the compromise can fly under the radar," wrote Francisco Santos, an IT security engineer with VirusTotal, in a blog post on Wednesday.

Also, malware hidden in firmware often can't be easily erased and can survive reboots and fresh installs of an OS, Santos wrote.

VirusTotal's scanning service allows researchers and analysts to upload malware.  The service indicates if antivirus products detect a sample of malware and other technical information.

The new tool will label firmware images as either legitimate or suspicious. It can also extract certificates attached to firmware and if there are other executable files inside of it.

Santos wrote that the tool can extract portable executables (PEs) inside firmware since these could sometimes be a source of malicious behavior.

"These executables are extracted and submitted individually to VirusTotal, such that the user can eventually see a report for each one of them and perhaps get a notion of whether there is something fishy in their BIOS image," Santos wrote.

Some portable executables will run on Windows rather than within the firmware. It could be a sign of bad behavior, but on occasion it is legitimate. Santos linked to an example in which a PE prove to be an antitheft feature designed to stay in place even if a computer was wiped.

It will now be possible for people to extract their own firmware and submit it to VirusTotal, which has the potential to create a database of various firmware images that could contribute to research into bad ones.

Santos included tips for extracting a firmware image without revealing sensitive information that may be contained in the code.


Join the CSO newsletter!

Error: Please check your email address.

More about AdvancedGoogleNational Security AgencySantos

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts