Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

So someone linked me to this earlier, and it looks like prime ATS subject matter. If this isn't the right forum, feel free to move it. And also note there's no independent verification of this story outside what Dragos Ruiu is saying, leaving better-than-even odds that it's a hoax, but I feel like it's worthy of discussion. It's also on a pretty reliable site, so make of that what you will.

Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps Like a super strain of bacteria, the rootkit plaguing Dragos Ruiu is omnipotent. by Dan Goodin - Oct 31, 2013 2:07 pm UTC Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did. It was a very painful exercise. I've been suspicious of stuff around here ever since." In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that's able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine's inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities. "We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

Source

simple solution is design a better registry, obviously the windows registry is a very poor design, in fact windows itself is a bad design by the fact its so susceptible to virus attacks.


everyone should learn how to manually use the registry as viruses cant beat manual direct processes they can only modified and alter automated processes.

Viruses in earlier versions of windows weren't prevalent because people had closer control over the fundamental operating system.

Windows basically no sux more than ever as a operating system.

reply to post by ShadeWolf

Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

Im finding this very hard to believe, is this article for real?

EDIT:
This is from the source article

Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

Ok its technically possible but still very difficult to believe.

From my limited knowledge of computers, I don't think this is real. Unless there is some kind of hidden wireless transmitter inside every computer -- I can't see how something could be transmitted OTA like a human virus or bacteria.

It's a good story, and it mixes in enough tech-talk to make the writer sound knowledgeable. Usually that's how a good hoax works. One sprinkles tidbits of actual fact to give credibility to the hoaxer.

Anyone more familiar with computers around these parts?

reply to post by MystikMushroom


I have a bunch of computer certs including networking ones.

While its possible on paper the idea of IPv6 ultra sonic networking is just so far out there i would have to put my money on hoax. The packet loss rate just would be to high, plus I just don't think the speakers or the mics would have high enough spec's to make it work.

It could be that the guy is just mistaken and has come up with this crazy theory to explain whats going on.

I guess I know why my computer has been acting like it was haunted over the last two weeks... hum

reply to post by PhoenixOD

The packet loss rate just would be to high,

See that was my initial reaction. There's no way the output would be clean enough to push any large file or be able to broadcast 'loud' enough for devices around it to see it.

Now, then I thought, well how big is your average virus these days, couple of MB at the most for the annoying ones? So yeah, I can see this working, but only over really short gaps, with already infected devices.

The only thing I know of that even remotely acts this way, is FLAME, which we all know is a Stuxnet build. I doubt the general everyday hacker is creating from that monstrosity.

~Tenth

This is an indication that there has been an infection from extraterrestrial origin, Most likely from NASA missions in deep space were comet dust was brought back to earth.

Wait until it affects an advanced Ai system, Then things will quickly get interesting.

AthlonSavage
simple solution is design a better registry, obviously the windows registry is a very poor design, in fact windows itself is a bad design by the fact its so susceptible to virus attacks.


everyone should learn how to manually use the registry as viruses cant beat manual direct processes they can only modified and alter automated processes.

Viruses in earlier versions of windows weren't prevalent because people had closer control over the fundamental operating system.

Windows basically no sux more than ever as a operating system.

edit on 31-10-2013 by AthlonSavage because: (no reason given)

Did you read the article?

... Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot.

...

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting....

More on my ongoing chase of #badBIOS malware. It's been difficult to confirm this as I'm down to a precious few reference systems that are clean. I lost another one yesterday confirming that's simply plugging

Source

I guess Windows haters have to hate at any cost.

reply to post by PhoenixOD


As a computer tech myself, I'm also finding this very hard to believe. The author of the article makes it clear that none of the claims have been verified or peer-reviewed.

So, until someone can verify these claims, this will remain just a "story" for now.

ShadeWolf
And also note there's no independent verification of this story outside what Dragos Ruiu is saying, leaving better-than-even odds that it's a hoax

Source

I have not verified your story but can vouche for arstechnica as a good source and not a HOAXer site. Hope that eases your mind. If they made a mistake, they'll publish it in a followup.

reply to post by MystikMushroom


I think you're right. Virus spreading through non-network devices is just out there. The only explanation is someone/something has figured out how to, I don't know, send electromagnetic or sound wave virus? It's so crazy to even think of that.

If real, it's some alien/AI/deep conspiracy stuff.

Able to transmit to other computers which have no WiFi or Bluetooth components is still possible due to a computers basic COM ports still physically on the motherboard.

Able to transmit info to a computer which has no power is still possible due to that little battery on the motherboard. CR2016 CMOS

Bios settings remain as long as the battery is alive.

Transfering info to a computer with no power at all is possible due to bios flash memory which needs no power to retain info but can be flashed if outside power ..ie microwave power is involved.

A number of security people have said that it "wouldn't be hard" to develop something that spread through soundwaves. But he said today that it appears that while there apparently IS communication between infected machines, it's not spreading through soundwaves.

reply to post by Zaphod58


Of course sound waves could be used to transmit data but computer speakers and microphones just are not designed to deal with the frequencies that would be needed.

reply to post by PhoenixOD


No, but from everything I'm reading, it's something that can be done with a standard PC, although apparently this isn't actually doing it that way.

reply to post by PhoenixOD


Just enough Microwave energy to power up the bios system to flash info into the bios in a very compressed format.


Its possible


If micro sd cards exist that hold 64GB then its possible

Bios chips might not have that much storage but not every type of data compression is known.

reply to post by ShadeWolf

Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

I'm calling BS on this. How on earth is anything going to "transmit" without hardware to transmit with. Without a physical layer in the network model you have no transmitting anything. The OS has little to do with this either especially if the power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

While rootkit's can be nasty and difficult to get rid of they are not magic. They are simply a virus that hides itself from the operating systems API making it difficult to find using standard file viewing tools.

Yes bios can be updated, even hacked to create it's own rudimentary OS but still unless it's magically oscillating the CPU fan or growing crystals on the motherboard that no one saw it's not going to transmit any network packets without the hardware to do it.

soundwaves could be used for communication between several computers, and in case of high enough frequencies (which would be used to speed up the data transfer), those could be inaudible for humans (but the quality of mics in regular laptops makes all this highly doubtful). still, it won't be able to spread using such means, because when one computer sends the data, the other one has to receive said data - and receiving them has to involve some software that is ALREADY INSTALLED.

bottom line, it's a hoax.

www.theepochtimes.com...

That link includes tweets from today, where he says that it's not spreading through sound.