Security researchers have created a worm specifically for OS X, and it has the potential to infect every Apple computer. Dubbed Thunderstrike 2 by its creators – Xeno Kovah and Corey Kallenberg of LegbaCore and Trammell Hudson of Two Sigma Investments – the worm exploits a vulnerability in OS X, and can even affect machines not connected to the internet. Once installed, Thunderstrike 2 is virtually undetectable and there's no easy way to remove it.
The security researchers are expected to unveil their method of hacking this Thursday, at a Black Hat conference in Las Vegas.
What is Thunderstrike 2?
Thunderstrike 2 is the latest worm created by the research team, and starts its life on infected Thunderbolt peripherals. After being connected to an Apple machine, Thunderstrike 2 uses a vulnerability to write itself into the computer's firmware. At this point, the worm exists "below" the area used by traditional worms, as it's embedded into a computer's BIOS rather than its operating system.
As a result, it's almost impossible to detect – or remove. Even worse, the worm is able to copy itself to any other peripherals used by an infected machine, so it can easily be transmitted to other computers.
Thunderstrike 2 can usually write itself into a computer's BIOS immediately, but in several instances it must wait until the machine is restarted.
A new type of hacking
One of the most worrying things about Thunderstrike 2 is its ability to affect offline Macs. By infecting Thunderbolt hard drives, USB sticks, Ethernet adapters or anything else that could be connected to your Apple Mac, Thunderstrike 2 could infect machines that have never been used on the internet.
The makers of the worm believe it opens up an entirely new method of hacking, and one that manufacturers and consumers still aren't prepared for. For example, hackers could distribute infected devices using eBay stores, and quickly gain access to thousands of Macs.
“People are unaware that these small cheap devices can actually infect their firmware,” Kovah explained to Wired. “You could get a worm started all around the world that's spreading very low and slow. If people don't have awareness that attacks can be happening at this level then they're going to have their guard down and an attack will be able to completely subvert their system.”
How do you remove Thunderstrike 2?
Thanks to its ability to infect a computer's firmware, Thunderstrike 2 cannot be detected by an operating system. As a result, the security team say the only way to remove the worm would be to reflash the hard drive.
Is there a fix for Thunderstrike 2?
According to a blog post by one of the researchers, the issue was partially fixed by an Apple patch last month. However, OS X is still vulnerable to the hack, and Apple is working with the researchers to fix the issue.