Two researchers have created an Apple Mac firmware worm, Thunderstrike 2, that can infect Macs remotely. Worse, it resides at the firmware level, which makes it almost impossible to detect and remove, and it can be transferred from one Mac to another without any connection between them. The worm was created by Kovah (owner of LegbaCore) and Trammell Hudson (security engineer with Two Sigma Investments).
Because the worm resides and operates at the firmware level, it is even more dangerous. The majority of scanners and antivirus products don't operate at the firmware level, so no matter how many times you scan, the firmware worm will go unnoticed. And because it lives in the firmware, even formatting the Mac and performing a fresh installation won't fix the issue.
The Thunderstrike 2 firmware worm can infect your Mac remotely; all it needs is a click from you on a malicious link, a phishing email, etc. Once it resides on your Mac, it can also spread to other Macs even without being connected to them. It uses the Option ROM available in peripheral devices to spread. The Option ROM is basically the firmware on peripheral devices, which connects with the system BIOS. So whenever you connect a peripheral device with an Option ROM, Thunderstrike 2 will infect its firmware. After this, it will be transferred to every Mac to which the infected peripheral is connected.
So Thunderstrike 2 not only works silently, but also spreads. This means the worm can easily be spread by simply selling infected peripheral devices on websites like eBay. As of now, the only solution for an infected Mac is to re-flash the chip where the worm resides.
The researchers gave a demonstration of the firmware worm to Wired, just ahead of the Black Hat security conference, which will be held on August 6 in Las Vegas. They said that Macs are vulnerable to many of the same vulnerabilities as Windows PCs. During the experiment, they found that 5 out of 6 PC vulnerabilities also affected Macs. They also said that they have notified Apple about those vulnerabilities and that Apple has fully patched one and partially patched another.
However, this is not the first worm attack on Macs. Earlier, they were affected by Thunderstrike, but in that case physical access to the Macs was needed to infect them.