Virustotal: Scan firmware for signs of manipulation

Google’s popular online virus scanning service Virustotal received an update recently that enables users of the service to scan firmware just like other files.

One of the biggest strengths of Virustotal is its multi-engine scanning support which tests files uploaded to the service using more than 40 different antivirus engines.

The service has been expanded several times since Google acquired it, improving scan parameters among other things.

The most recent addition to Virustotal is support for firmware scans which enables users of the service to upload firmware images, dumped or downloaded, to the service to find out whether they are (likely) legitimate or have been manipulated.



While most malware infects systems on the software-side of things, firmware malware is especially problematic as it is not easy to detect nor to clean.

Since firmware is stored on the device itself, formatting hard drives or even replacing them has no effect on the infected state of a computer.


Since detection is difficult on top of that, this type of attack commonly goes unnoticed for a long time.

The scanning of firmware that Virustotal supports works in many regards like the normal scanning of files. The core difference is how the firmware is acquired.

While it can be used to test firmware downloaded from a manufacturer’s website, the more common need is to test the firmware actually installed on a device.

The main issue here is that the firmware needs to be dumped for that to happen. The blog post on the Virustotal website highlights several tools (mostly as source code or for Unix/Linux systems) that users can make use of to dump firmware on devices they operate.

The analysis of the file looks identical to that of other files at first glance, but the “file details” tab and the “additional information” tab reveal firmware-specific details that go beyond the standard report.

The “file details” tab includes information about the contained files, ROM version, build date and other build related information.

The additional information tab lists file identification information and source details.

The new tool performs the following tasks according to Virustotal:

Apple Mac BIOS detection and reporting.
Strings-based brand heuristic detection, to identify target systems.
Extraction of certificates both from the firmware image and from executable files contained in it.
PCI class code enumeration, allowing device class identification.
ACPI tables tags extraction.
NVAR variable names enumeration.
Option ROM extraction, entry point decompilation and PCI feature listing.
Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image.
SMBIOS characteristics reporting.

The extraction of BIOS portable executables is of special interest here. Virustotal extracts those files and submits them for identification individually. Among other details, the scan reveals information such as the intended target operating system of each executable.
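As an added example in the spirit of the BIOS portable executable extraction described above (this is not Virustotal’s code nor code from the article), the following Python carver walks a dumped firmware image for MZ/PE headers, validates each candidate, derives its length from the section table, and hashes the carved file so it can be looked up or submitted individually. The sample image and the minimal PE inside it are constructed inline.

```python
import hashlib
import struct

def _pe_length(image: bytes, pe: int) -> int:
    """File length of the PE whose PE signature is at image[pe], from its section table."""
    if pe + 24 > len(image):
        return 0
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table, end = pe + 24 + opt_size, 0
    for i in range(num_sections):
        hdr = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if hdr + 40 > len(image):
            return 0
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        end = max(end, raw_ptr + raw_size)  # PointerToRawData is relative to the PE start
    return end

def carve_pe_files(image: bytes):
    """Return [(offset, length, sha256_hex)] for each valid PE embedded in image."""
    found, pos = [], image.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(image):
            e_lfanew = struct.unpack_from("<I", image, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Bounds on e_lfanew reject stray "MZ" byte pairs in padding or strings.
            if 0x40 <= e_lfanew < 0x1000 and image[pe:pe + 4] == b"PE\0\0":
                length = _pe_length(image, pe)
                if length and pos + length <= len(image):
                    blob = image[pos:pos + length]
                    found.append((pos, length, hashlib.sha256(blob).hexdigest()))
        pos = image.find(b"MZ", pos + 1)
    return found

def build_fake_pe() -> bytes:
    """Constructed minimal x64 PE (DOS stub, COFF header, one section, 16 bytes of RET)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 2)  # no optional header
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x10, 0x80, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sect + b"\xC3" * 0x10

def build_sample_image() -> bytes:
    """Constructed firmware-like blob: 0xFF padding, a decoy "MZ", then the fake PE."""
    return b"\xff" * 256 + b"MZ" + b"\xff" * 62 + build_fake_pe() + b"\xff" * 128

if __name__ == "__main__":
    for offset, length, digest in carve_pe_files(build_sample_image()):
        print(f"PE at 0x{offset:x}, {length} bytes, sha256 {digest}")
```

On a real dump, the carved hashes are what you would look up against an existing Virustotal report before uploading anything.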

The first of the following scan results highlights Lenovo’s rootkit (in the form of NovoSecEngine2), the second an updated firmware for Lenovo devices from which it has been removed.

Closing Words

Virustotal’s new firmware scanning option is a welcome step in the right direction. While that is the case, it will remain a specialized service for now due to the difficulty of extracting firmware from devices and interpreting the results.

Martin Brinkmann, Ghacks Technology News
About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook, Twitter or Google+.

