Thunderstrike 2 can infect Apple’s Mac without being connected
Known as Thunderstrike 2, the worm can spread between Macs that are not connected to each other.
Two researchers have created Thunderstrike 2, an Apple Mac firmware worm that can infect a Mac remotely. The worst part is that it stays at the firmware level, which makes it almost impossible to detect and remove, and it can be transferred from one Mac to another without any connection between them. The worm was created by Kovah (owner of LegbaCore) and Trammell Hudson (security engineer at Two Sigma Investments).
Because the worm lives and operates at the firmware level, it is all the more dangerous. Most scanners and antivirus products do not work at the firmware level, so no matter how many times you scan, the firmware worm will not be noticed. And because it resides in firmware, even formatting the Mac and reinstalling the operating system will not solve the problem.
Thunderstrike 2 can infect your Mac remotely; all it takes is for you to click on a malicious link, open a phishing email, or the like. Once it is on your Mac, it can spread to other Macs without them being connected. It uses the Option ROMs found on peripheral devices to spread. An Option ROM is basically the firmware of a peripheral device that connects to the system BIOS. Whenever you connect a peripheral device that has an Option ROM, Thunderstrike 2 infects that firmware. After that, the worm is carried to every Mac the infected peripheral is connected to.
So Thunderstrike 2 not only works silently, it also spreads. This makes it easy to spread the worm by selling infected peripheral devices on websites like eBay. So far, the only remedy for an infected Mac is to re-flash the chip where the worm resides.
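Since ordinary scanners do not look inside Option ROMs, one defensive check is to dump a peripheral's Option ROM with a trusted reader and compare each image in it against known-good hashes. The sketch below is an added example, not code from the researchers or from Apple; it assumes the dump follows the standard PCI expansion ROM layout (0x55AA header, `PCIR` data structure), and the function names and sample images are constructed for illustration.

```python
import hashlib
import struct

CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def parse_option_rom(blob):
    """Walk the chained images in a PCI expansion (Option) ROM dump."""
    images, off = [], 0
    while off + 0x1A <= len(blob):
        if blob[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"no 0x55AA signature at offset {off:#x}")
        # Offset 0x18 of the ROM header points to the PCI data structure.
        (pcir_ptr,) = struct.unpack_from("<H", blob, off + 0x18)
        p = off + pcir_ptr
        if p + 0x18 > len(blob) or blob[p:p + 4] != b"PCIR":
            raise ValueError(f"bad PCI data structure at offset {p:#x}")
        vendor, device = struct.unpack_from("<HH", blob, p + 4)
        (units,) = struct.unpack_from("<H", blob, p + 0x10)  # 512-byte units
        code_type, indicator = blob[p + 0x14], blob[p + 0x15]
        size = units * 512
        if size == 0 or off + size > len(blob):
            raise ValueError(f"image at {off:#x} has invalid length {size}")
        images.append({
            "offset": off, "vendor": vendor, "device": device,
            "type": CODE_TYPES.get(code_type, f"unknown ({code_type})"),
            "sha256": hashlib.sha256(blob[off:off + size]).hexdigest(),
        })
        if indicator & 0x80:  # bit 7 set marks the last image in the ROM
            break
        off += size
    return images

def changed_images(blob, baseline):
    """Return images whose hash is not in the known-good baseline set."""
    return [img for img in parse_option_rom(blob) if img["sha256"] not in baseline]

def make_image(code_type, last, payload=b""):
    """Build a constructed 512-byte sample image (not a real device ROM)."""
    hdr = b"\x55\xaa" + bytes(0x16) + struct.pack("<H", 0x1C) + bytes(2)
    pcir = b"PCIR" + struct.pack("<HHHHB3sHHBBH", 0x1234, 0x5678, 0, 0x18, 0,
                                 bytes(3), 1, 0, code_type, 0x80 if last else 0, 0)
    return (hdr + pcir + payload).ljust(512, b"\x00")
```

The baseline hashes must come from a dump taken while the device was known to be clean, and the dump itself should be read on a machine that is not suspected of infection.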
The researchers gave Wired a demonstration of the firmware worm just before the August 6 Black Hat security conference in Las Vegas. They say that Macs are at risk from many of the same vulnerabilities as Windows PCs. During testing, they found that 5 out of 6 PC vulnerabilities also affected the Mac. They added that they had informed Apple about those vulnerabilities and that Apple had patched one completely and partially patched the other.
However, this is not the first attack of its kind on the Mac. Macs were previously affected by Thunderstrike, but in that case physical access to the Mac was required to infect it.