Two researchers have developed a malware exploit that not only infects a MacBook with a particularly resilient worm but also spreads the infection to other MacBooks without requiring that they share a network.
Xeno Kovah, who owns the security firm LegbaCore, and Trammell Hudson of Two Sigma Investments used a known vulnerability in Apple’s Mac firmware to make a worm that could spread to new computers without alerting their users.
Taking inspiration from the original vulnerability’s name, “Thunderstrike,” they called their creation “Thunderstrike 2.”
A computer’s firmware is like a house’s foundation. Everything is built on top of it, which makes a firmware infection extremely difficult to detect or eliminate. Thunderstrike 2 is particularly dangerous, not just because of its ability to compromise a Mac’s firmware—though that is certainly its key trait—but also because of how discreetly it operates.
You would likely never know that your computer was infected with a worm like Thunderstrike 2. All you’d need to do is trust a sketchy email attachment or strange link and you’d be opening the door to a worm that is very difficult to detect and scrub.
Once Thunderstrike 2 takes root on a system, it spreads itself to any compatible plugged-in accessories, including Apple’s own Thunderbolt Ethernet adapter, which allows people to plug Internet cables into their laptops. If you were to share an infected accessory with another Mac, Thunderstrike 2 would sneak onto that machine and continue spreading from there.
An infected computer can relay its owner’s personal information to a nefarious third party. It can also be sucked into a botnet, a collection of computers used by a malicious actor to spread malware or spam.
Kovah and Hudson will show off more of their Thunderstrike 2 development at the Black Hat conference in Las Vegas on Aug. 6.