psycamel Posted March 23, 2017
Hi, Julian Assange just released new CIA attacking methods for OS X: https://wikileaks.org/vault7/darkmatter/ ...I'm wondering if custom bootloaders like Clover will prevent that kind of attack? Hah, that would be awesome.
mhaeuser Posted March 24, 2017
Clover doesn't execute until it's too late (at least if the attacker has any clue about what he is doing),
Slice Posted March 24, 2017
There is no reason to panic. The CIA's "Sonic Screwdriver" infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
psycamel (Author) Posted March 24, 2017
But Dark Matter isn't the same as Sonic Screwdriver, is it?
Slice Posted March 24, 2017
> But Dark Matter isn't the same as Sonic Screwdriver, is it?
I found no other way to infect.
psycamel (Author) Posted March 24, 2017
Hm, WikiLeaks tweeted today: "Darkmatter+Triton can be remotely installed CIA has 2016 version: DerStake2.0 EFI is not fixable "vulnerability""
apianti Posted April 10, 2017
First, these attacks only affect a limited number of Mac models with unupdated firmware that allowed unsigned option ROMs to be loaded and executed from a Thunderbolt device. Second, they need physical access to the machine to infect the firmware; the other methods can be done remotely but can also be cleaned by reinstalling the OS. I imagine there are many more PCs that have this vulnerability as well; in fact, one of the reasons for the major change to (U)EFI is BIOS firmware rootkits being very prevalent. But, no - Clover cannot prevent this because the firmware has already loaded and executed the option ROM during pre-initialization boot, before direct execution boot where Clover runs.