Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

posted on Nov, 1 2013 @ 02:33 PM
reply to post by StargateSG7
 


I'll admit it is a possibility that our hardware could be laden with firmware rootkits, but until I hear/find otherwise, I'm going to assume that my little cheap Asus laptop isn't a carrier.
I could see, if it was a desktop, that the PCI-E card or a net card or another specific type of card may be a carrier, but as stringent as testing procedures are on the larger companies' hardware (Asus, Toshiba, HP, Dell) I just can't see it as a possibility at this point in time.

Good discussion nonetheless!




posted on Nov, 1 2013 @ 02:43 PM
reply to post by StargateSG7
 


----



AND FINALLY HOW TO DEFEND YOURSELF AGAINST HIDDEN VIRII
stored on your flash drives:

Background on secret areas of flash drives which could be used to hide a flash drive virus:

The Boot Sector:
en.wikipedia.org...

See wear-levelling:
en.wikipedia.org...

Cold Boot Attack:
en.wikipedia.org...

Create a Hidden Partition on USB Flash Drive which stays even after formatting:
www.instructables.com...

Theory and practice of flash memory mobile Forensics:
www.google.ca...


How to Solve the 32-Bit Problem: Using Hidden RAM for Speed (or installing Viruses!!):
blog.raxco.com...

Recovering critical files from flash drives that were maliciously hidden by virus programs:
www.tomshardware.com...
edit on 2013/11/1 by StargateSG7 because: sp.



posted on Nov, 1 2013 @ 02:57 PM
reply to post by kingofyo1
 


Do you understand what this means?

It provides a holistic, risk-based approach to secure information and compliance

Holistic means they can crawl through any and all things. Holistic is what they do when they crawl through an email, a zip file and so on. The standards are put in place all down through the chain so they can. But that ability is supposed to be hidden at lower levels, and only the top level is supposed to know how to do it to everything.



posted on Nov, 1 2013 @ 03:03 PM

kingofyo1
reply to post by StargateSG7
 


I'll admit it is a possibility that our hardware could be laden with firmware rootkits, but until I hear/find otherwise, I'm going to assume that my little cheap Asus laptop isn't a carrier.
I could see, if it was a desktop, that the PCI-E card or a net card or another specific type of card may be a carrier, but as stringent as testing procedures are on the larger companies' hardware (Asus, Toshiba, HP, Dell) I just can't see it as a possibility at this point in time.

Good discussion nonetheless!



---


ACTUALLY IT GETS WORSE: !!!!!

Chinese Spy Agencies have recently been accused of doctoring Chip Masks
at microcircuit foundries of common embedded controllers and RAM chip modules
that are used in Printers, Copiers, switches, routers and gateway appliances such
that data would be COPIED to the secret SECOND RAM MEMORY bank of say a PRINTER
or COPIER and the embedded extremely low-power micro-transmitter and embedded
antenna of the compromised microcontroller would transmit to and from data on
targeted systems where such compromised hardware was installed and sold!

It's specific brands of RAM chips and inexpensive embedded controllers made
in the Guangzhou (Canton) region of China that have EXTRA memory banks and
embedded RF circuitry that are used in printers and computer systems and information
appliances from HP, DELL, Lexmark, Lenovo, d-Link, and a number of others
western companies who have their devices OEM/ODM'ed in Asia (China).

Agencies within the Chinese Security Directorates monitor and ensure equipment
orders that go through specific distributors in the USA and Europe that TEND to
be used in government or university installations get these modified circuits installed.

AND THESE CANNOT BE DETECTED unless you SHAVE THE CHIPS LAYER BY LAYER!!!!

and LOOK FOR the added RF and extra RAM bank circuits!

When an order has been tracked to a specific office usually in a non-secured
and NON-TEMPEST rated location, the chips/devices are interrogated wirelessly
and any copied data transmitted to a waiting agent or dead-dropped device.

See what TEMPEST rated means:
en.wikipedia.org...

While the vast majority of these methods are used for purely ECONOMIC spying
since MOST US and Euro military offices ARE shielded against RF intrusion,
it is possible to do a wide-array-of-devices interrogation to gather a GENERAL
non-specific sweep of economic, business, political or technology oriented
data that could be useful to an adversary when aggregated together and
then data-mined for golden nuggets of information.

----

I thought I'd let you know!
edit on 2013/11/1 by StargateSG7 because: sp.



posted on Nov, 1 2013 @ 03:04 PM

JBA2848
reply to post by kingofyo1
 


Do you understand what this means?

It provides a holistic, risk-based approach to secure information and compliance

Holistic means they can crawl through any and all things. Holistic is what they do when they crawl through an email, a zip file and so on. The standards are put in place all down through the chain so they can. But that ability is supposed to be hidden at lower levels, and only the top level is supposed to know how to do it to everything.


I do understand what holistic means.
Holistic - characterized by the belief that the parts of something are intimately interconnected and explicable only by reference to the whole.

In terms of 27001, it means that everything in the products is fully connected in one way or another. Anything that could be counterproductive to the whole of the image should be in compliance with the standard.

At least that's the way I read it, but I could be entirely wrong?

-King



posted on Nov, 1 2013 @ 03:07 PM
reply to post by StargateSG7
 


OK yeah, that's pretty freaking scary when you look at the whole of the picture :/



posted on Nov, 1 2013 @ 04:06 PM
Eh, I don't buy it. I am a computer scientist (degrees and everything) and well, this sounds to me like some bad testing by this guy. It would seem to me he is not taking the proper steps to rid the machines of everything and starting over. He is introducing the virus (if it is even a virus at all) himself via infected media or what have you. Either that or he just has some faulty hardware that is doing some strange things that are a red herring.

Now, that being said, I do believe there are some nefarious chip manufacturers that can add in special registers, adders, core logic components to chips these days. I have worked directly with low-level LOGIC systems and CPUs through assembly and hardware breadboards directly to chips, and it certainly is possible to hide stuff there. It would take some really clever people to be able to crack into the CPU's IO in order to discover the hidden parts. They would need to know the specific instructions to send to the CPU in order to access it. All in all like looking for a needle in a haystack, in a field of haystacks, that span the state of Florida. It's not going to be easy.

So all in all, yes, there are some really cool ways of spreading and storing virii that can be close to impossible to find. Although, the virii that embed themselves into the firmware or CPUs like this are not spread from machine to machine. They are embedded directly into the system before they are shipped out, or altered along the delivery route. Most of today's operating systems shield the software running on them from the lower-level hardware, and act as a middle man to protect against "rogue" operations. But, again, this doesn't mean there isn't some backdoor built into these systems to allow this if someone has the correct key (aka NSA/MS/Apple).

Following that note, it furthers my belief that this story is BS. Mostly because he claims a system running OpenBSD was infected. For those that do not know, OpenBSD is notorious for being very very secure, and focused on being secure. OpenBSD essentially ships with all services turned off, and makes you as the admin turn only the services needed into an operating state. So I would even go so far as to say the chances of breaking into a default installation of OpenBSD are close to zero. (notice I say close to zero for those other CS nerds out there)



posted on Nov, 2 2013 @ 09:36 AM
As a self-proclaimed expert in both IT security and Magik, I can only think of one rational explanation for this behavior: a sorcerer has put a spell on his computer equipment. It is well known* that the NSA, the FSB and Luxembourg now employ teams of elite wizards to attack computer systems.

The only way to disinfect the machines is to drop them into molten metal (see: Terminator 2). Though they do say there is a Ring of Power that can be found in the far North Wastelands (Manchester) that protects the wearer from such attacks.

*Though this may have been a dream I had, I'm not sure now.



posted on Nov, 2 2013 @ 09:48 AM
reply to post by FatherLukeDuke
 

Oh yeah, I knew the wizard. Pointy blue hat with stars and a brim, right? Big furry glasses, and a boot hanging from his left arm.



posted on Nov, 2 2013 @ 10:28 AM
Something about that article sounds off.

First, it's entirely not credible, if not entirely nonsense, how data can be transmitted without a NIC or Wifi card...this is simply BS.

The article is written as if by someone who has no real tech experience, let alone someone who is really an analyst or security expert. There is just something off how the article is worded/written.

""We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did.""

No one technically inclined would use a term like "erase all our systems" (total BS)...let alone it wouldn't make any sense whatsoever to "erase all systems" if the true cause of the attack/virus is not even known.

"Cannot boot from CD" and "searching the registry stopped working" as indication of a virus infection...I call total BS on this article.
edit by NoRulesAllowed because: (no reason given)



posted on Nov, 2 2013 @ 11:04 AM
reply to post by NoRulesAllowed
 


Yeah, I'd say that this should probably be moved to the HOAX category, but that's not for me to decide. There's a lot of computer-minded people who've put in their $0.02 as to what they think, and I can't find one who can give a good explanation.



posted on Nov, 2 2013 @ 10:03 PM
I believe it. Sending files over audio, embedded in audio, hidden in audio has been done before. Echo hiding is most common. Basically an audio stream with an embedded file encoded in a way that you can't even hear the difference. Normal speakers/mics work.
Everything else is like a FLAME or STUXNET capabilities. Nothing new there. Some paranoid folks are saying a new variant of Rakshasa malware and that would be bad but it fits.



posted on Nov, 4 2013 @ 02:05 PM

NoRulesAllowed
Something about that article sounds off.

First, it's entirely not credible, if not entirely nonsense, how data can be transmitted without a NIC or Wifi card...this is simply BS.

The article is written as if by someone who has no real tech experience, let alone someone who is really an analyst or security expert. There is just something off how the article is worded/written.

""We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did.""

No one technically inclined would use a term like "erase all our systems" (total BS)...let alone it wouldn't make any sense whatsoever to "erase all systems" if the true cause of the attack/virus is not even known.

"Cannot boot from CD" and "searching the registry stopped working" as indication of a virus infection...I call total BS on this article.
edit by NoRulesAllowed because: (no reason given)


---

While the original author's story is rather suspect and LIKELY has more to do with hardware
failure than any given virus...i.e. check if the CPU fan is still running to prevent CPU overheating
and check that the capacitors on the motherboard are not bulging, because cheap Chinese copies of
Japanese capacitor technology cause bad caps that vent hydrogen gas, which causes INTERMITTENT
hard-to-trace bootup and Operating System running issues.

BUT...in terms of communications you DO NOT NEED a network interface card to move data
from computer-to-computer...audio cards and video cards have been used for YEARS to secretly
move and/or copy data between computers and networks.

Do a web search on this paper:

Audio Steganography: A Survey on Recent Approaches
by Masoud Nosrati, Ronak Karimi, Mehdi Hariri


or see this link:

Audio Steganography Used for Secure Data Transmission:
link.springer.com...


AND for light-based data transmission see these links:

Pulsed LEDs illuminate room with data:
physicsworld.com...

AND

Using a flashing LCD monitor to transfer data:
hackaday.com...
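The post above, and the earlier one that names echo hiding, both hold that an ordinary sound card can carry data between machines. As an added example that is not from this thread or from any of the papers it links, the block below is a minimal binary-FSK "acoustic modem" in pure Python: bytes become bursts of one of two audio tones, and the decoder recovers the bits by measuring energy at each tone per symbol window. It deliberately uses plain FSK rather than echo hiding, makes no attempt to be inaudible, and its sample rate, tone frequencies, symbol length and payload are all constructed choices; it also reports the resulting bit rate and airtime, which is the figure a defender would use to judge what such a channel can realistically move.

```python
# Added example (not from the thread): a minimal binary-FSK audio modem in
# pure Python. All parameters are constructed for illustration.
import math
import random

SAMPLE_RATE = 8000        # samples per second (constructed choice)
F_SPACE = 1000.0          # tone frequency carrying a 0 bit
F_MARK = 2000.0           # tone frequency carrying a 1 bit
SAMPLES_PER_BIT = 40      # 40 samples at 8 kHz = 5 ms per bit = 200 bit/s


def bytes_to_bits(data: bytes) -> list:
    """Expand bytes to a list of 0/1 ints, most-significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Pack whole groups of 8 bits back into bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(data: bytes) -> list:
    """Return float samples in [-1, 1]: one tone burst per bit."""
    samples = []
    for bit in bytes_to_bits(data):
        freq = F_MARK if bit else F_SPACE
        for k in range(SAMPLES_PER_BIT):
            samples.append(math.sin(2 * math.pi * freq * k / SAMPLE_RATE))
    return samples


def _tone_energy(window: list, freq: float) -> float:
    """Energy of `window` at `freq`, via correlation with a sine and a cosine."""
    s = c = 0.0
    for k, x in enumerate(window):
        phase = 2 * math.pi * freq * k / SAMPLE_RATE
        s += x * math.sin(phase)
        c += x * math.cos(phase)
    return s * s + c * c


def demodulate(samples: list) -> bytes:
    """Decide each bit by comparing energy at the mark and space tones."""
    bits = []
    usable = len(samples) - len(samples) % SAMPLES_PER_BIT
    for start in range(0, usable, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        mark = _tone_energy(window, F_MARK)
        space = _tone_energy(window, F_SPACE)
        bits.append(1 if mark > space else 0)
    return bits_to_bytes(bits)


def add_noise(samples: list, amplitude: float, seed: int = 1) -> list:
    """Add deterministic uniform noise, to show the decoder tolerates some degradation."""
    rng = random.Random(seed)
    return [x + rng.uniform(-amplitude, amplitude) for x in samples]


def bits_per_second() -> float:
    """Raw symbol rate of this modem."""
    return SAMPLE_RATE / SAMPLES_PER_BIT


def seconds_to_send(n_bytes: int) -> float:
    """Airtime for a payload at the raw rate, ignoring framing and error correction."""
    return n_bytes * 8 / bits_per_second()


if __name__ == "__main__":
    payload = b"constructed sample payload"   # constructed test input
    audio = add_noise(modulate(payload), amplitude=0.5)
    print(demodulate(audio))
    print(f"{bits_per_second():.0f} bit/s; 48 KiB would take {seconds_to_send(48 * 1024):.0f} s")
```

Because each bit occupies an exact whole number of cycles of both tones, the two correlations are orthogonal and the decoder separates them cleanly even with noise of half the signal amplitude added; the airtime figure makes plain that a channel like this is slow, which is why a defender looking for it would watch for sustained, unexplained use of audio devices rather than for a burst.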



posted on Nov, 4 2013 @ 02:23 PM
Something to point out for those screaming hoax, is that everyone in the security industry interviewed about this has nothing but respect for the person that is saying this is happening. They have said he's been wrong in the past, but he has never once given them cause to believe he's outright lying, or hoaxing them.
edit on 11/4/2013 by Zaphod58 because: (no reason given)



posted on Nov, 5 2013 @ 07:17 PM
reply to post by Zaphod58
 


----

A quote like this .....

"Cannot boot from CD" and "searching the registry stopped working"

tells me this company HAS NO CLUE about ANYTHING to do with computers.

You create a bootable Boot.BIN partition and boot over the network using Wake-on-LAN
packets, which boots a LOCAL ram-disk partition that allows you to use Linux/DOS NTFS
low-level file system readers/writers to scan the Windows registry WITHOUT interference from
a COMPLEX running operating system. Then you run software (or a hardware debugger)
to scan the UEFI/BIOS for key phrases or specific signatures and if necessary RE-FLASH the
BIOS from your over-the-network boot partition. Some virii are polymorphic and/or encrypted
and thus you MUST use a debugger and slow down their code execution on a line-by-line basis
to UNWRAP the web scripts and/or microcode instructions that are being constructed on-the-fly!

Of course, I do have DECADES of Assembler coding and debugging expertise
so this is somewhat trivial to check for on my side...unfortunately my pontification
doesn't help this guy.

In terms of hardware, I HAVE actually shaved microchips layer-by-layer to create
and debug a complex chip mask AND try to find hardware-based backdoors using
an Expert System to find and narrow down non-essential circuit paths
(Which WE HAVE FOUND in certain commercial CPU's!)

The most common HARDWARE EXPLOIT is pseudo-random or true random number generator
poisoning which lowers the dispersed bit-width of any given random number sequence created
on a CPU. The SECOND most common issue is EXTRA banks of memory cells on a chip,
say on a 4 gigabyte RAM stick which actually has 5-to-8 gigs (You didn't think I would FIND THAT?)
but reports only 4 gigs and has a data splitter/copy circuit to enable incoming data shadowing!

Another big one is on USB sticks AND Network or Graphics cards that have embedded fractal
Antennae and RF/Zigbee/Bluetooth/Wifi communications circuits embedded onto them.
One series of circuits I encountered had LONG-RANGE RF devices embedded onto the
Graphics Card that used a custom WRAPPED HDMI/DVI cable as an RF antennae.
Protocol was WiMAX which meant 20 km (12 mile) range!!!!

Based on some of the unmangled C-code prototypes, I saw some typical programmer
North American (i.e. USA) slang and Euro-slang which means a combined country effort.
Another version of the circuits looked to be a BAD/Sloppy almost identical copy of the
first version which had English/Mandarin slang in the demangled microcode which means China!

The 3rd circuit was OBVIOUSLY German and another particularly DEVIOUS and
MUCH SMALLER circuit embedded into a USB stick was in fact VERY RECOGNIZABLE
as being from France...!!!! So it looks like EVERYONE is spying on each other!
And based on the INSTALLATION ORIGIN of the circuits, a LOT of the spying
is purely economic in nature --- Simple Greed!

So Hardware Tampering is the NEW king of tech spying!

---

And if you REALLY want to get technical, some of the hardware tampering is GETTING VICIOUS!!!!!

By embedding a small VERY MILDLY radioactive emitter into a chip mask NEAR
the data (not executable code) registers/pipelines of a general purpose CPU
or embedded microcontroller, you can randomly flip bits over a given
period of time so that ...say....distance, power-level, or time measurement
units are randomized to give off subtle and nearly unnoticeable changes
which MAY damage sensitive equipment or cause UNDERLOADING or OVERLOADING
of industrial machines and/or manufacturing processes. You can even use a shielding
around the radiation emitter that breaks down ONLY AFTER A SET PERIOD of time or
AFTER a specific series of temperature plateaus have been reached before
allowing the emitter to randomly flip bits in the data areas of a RAM or CPU chip.
This allows agencies to take into account shipping and install times when targeting
a specific adversary for hardware-based tampering efforts.

THIS IS NASTY, NASTY STUFF --- BUT IT'S HERE TODAY IN THE WORLD OF SPOOKS!!!!!
edit on 2013/11/5 by StargateSG7 because: sp.



posted on Nov, 7 2013 @ 07:37 AM
Here is a zero day exploit of the management firmware that runs on a good number of servers out there.
IPMI is not the BIOS. ""We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did."" Not paranoid enough it seems, as the malware could have been in another component such as IPMI or the video card.



However, if an attacker is able to exploit one of the IPMI vulnerabilities disclosed, they would not only be on the network, but could take control of the server in question at a BIOS level.

threatpost.com...

"No one technically inclined would use a term like "erase all our systems" (total BS)...let alone it wouldn't make any sense whatsoever to "erase all systems" if the true cause of the attack/virus is not even known."

In some organisations they shred the computer systems and the duplicate one they had as a backup that did not get used.

"Cannot boot from CD" and "searching the registry stopped working" as indication of a virus infection...I call total BS on this article.

The BIOS could have been compromised to not allow booting from external media. Just a couple lines of code my friend. Disabled registry functions are an old-school malware trick.

edit on 11/7/2013 by staple because: (no reason given)



posted on Nov, 7 2013 @ 07:17 PM

staple
Here is a zero day exploit of the management firmware that runs on a good number of servers out there.
IPMI is not the BIOS. ""We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did."" Not paranoid enough it seems, as the malware could have been in another component such as IPMI or the video card.



However, if an attacker is able to exploit one of the IPMI vulnerabilities disclosed, they would not only be on the network, but could take control of the server in question at a BIOS level.

threatpost.com...

"No one technically inclined would use a term like "erase all our systems" (total BS)...let alone it wouldn't make any sense whatsoever to "erase all systems" if the true cause of the attack/virus is not even known."

In some organisations they shred the computer systems and the duplicate one they had as a backup that did not get used.

"Cannot boot from CD" and "searching the registry stopped working" as indication of a virus infection...I call total BS on this article.

The BIOS could have been compromised to not allow booting from external media. Just a couple lines of code my friend. Disabled registry functions are an old-school malware trick.

edit on 11/7/2013 by staple because: (no reason given)


---

You can always try some debugging solutions to find problems or viruses within
your software and hardware...IT DOES TAKE EXPERTISE....but it CAN be done!!!!

Simple but cheap Power on Self Test Diagnostic Card:
www.shopclues.com...

More Expensive:
en.wikipedia.org...

Debug Explanation:
en.wikipedia.org...

Now we are getting into rarified territory on debugging (Instruction Set Simulator):
en.wikipedia.org...

Smart Card Sniffing And Debugging Tool
Smart Card Sniffing And Debugging Tool for contact based SIM/ME comm.
sourceforge.net...

Communications Bus Sniffers (Bus Pirate):
dangerousprototypes.com...


THE REAL DEAL:
Design of low cost FPGA based PCI Bus Sniffer.
Chee Wei Liang, Noohul Basheer Zain Ali, and Ramesh Seth Nair. FPT, page 420-423. IEEE, (2003)
www.bibsonomy.org...


---
How to hack/create a rootkit using the UEFI bios:
Hacking the Extensible Firmware Interface
by John Heasman Director of Research NGS Consulting

www.google.ca...


---
Extracting EFI Drivers from Memory

cs.nyu.edu...

---

SO THERE ARE A TON OF TOOLS we can use to debug hardware and sniff out
and KILL UEFI/BIOS-based viruses...BUT...THEY ARE OUT THERE and the SPOOKS
use them ALL THE TIME!!!!

YOU CANNOT TOTALLY TRUST YOUR HARDWARE OR SOFTWARE

.....

UNLESS YOU DESIGN IT, BUILD IT AND CODE IT YOURSELF !!!!!!
edit on 2013/11/7 by StargateSG7 because: sp.



posted on Nov, 8 2013 @ 07:22 AM

PhoenixOD
reply to post by MystikMushroom
 


I have a bunch of computer certs including networking ones.

While it's possible on paper, the idea of IPv6 ultrasonic networking is just so far out there I would have to put my money on hoax. The packet loss rate just would be too high, plus I just don't think the speakers or the mics would have high enough specs to make it work.

It could be that the guy is just mistaken and has come up with this crazy theory to explain what's going on.

edit on 31-10-2013 by PhoenixOD because: (no reason given)


correct!

The frequency range of the average speaker and microphone is way below those needed to reach ultrasonic. In fact for this to work... you would hear something analogous to the old modems or tape-based machines of the 80's... even then it would take over a minute to transmit more than 48K....

Not something you are likely to miss.

Korg.



posted on Nov, 8 2013 @ 09:49 AM
Well although I know many of you possess skills that far outdo my l33t windows fixing skills, there was one thing I noticed that did not appear to be mentioned in the article or in the thread so I'm tossing my 2 cents in.

He discussed disconnecting network devices, Bluetooth devices, thumb drives and so forth but one thing I didn't see mentioned was infra-red.

Think Furbies



posted on Nov, 8 2013 @ 11:38 AM
I'll put my 2 cents in as a computer and security consultant.

Points I took out.
-The person allegedly infected is a "security consultant"; this would dramatically increase the likelihood of him coming into contact with the virus. Possibly from a high-profile client? This could be a result of poor quarantine standards, i.e. using the USB keys between jobs.

-The 'virus' is able to infect different vendors of BIOS, hardware and operating system. If the virus was able to flash itself onto specific hardware it would be unlikely to work across an Apple Mac to a Windows desktop due to major differences in hardware and software design. For example the attacks against Iran's nuclear plants, which were designed to infect the Siemens SCADA control box, as opposed to a stray iPhone.

-BIOSes are often limited in space as it is; when they boot they run a checksum to verify they are not corrupt. If they are, they often boot off a secondary physical ROM (impossible to change), load a safe BIOS, then reflash the primary. For example modern Gigabyte motherboards.

-The complexity of the said program would have to be quite large; this would be impractical to send across audio waves, however still possible due to the very slow bitrate. One would assume a new transmission standard would need to be created as TCP/IP is not designed for this. It still is possible however; I have seen people download firmware off devices such as cameras by cycling a flashing LED over the course of days. This certainly was not packet transfer though.

-Infecting BSD/Windows/Mac/Linux all in one virus; it's hard to believe this. This would be a huge and very powerful virus and be using many unreported vulnerabilities. Worth noting that many secure systems such as aircraft operate on systems similar to BSD.

-IPv6? Sounds like the author is using buzzwords. Any data transferred over the network could be analysed with a packet sniffer such as "Wireshark" nonetheless. It appears the author does use a similar tool but does not mention the network interface he was capturing off (LAN/WLAN): big clue of something sinister being hidden from us.

-As a security consultant, the last thing he would want to do is have an uncontained worm infecting every device in his lab for weeks on end! Nor would he sit on such viruses; he has financial incentives to report zero-day attacks to anti-virus software firms for big rewards.


In my experience
-BIOS viruses do exist, however they are very rare and only really seen pre-2000 on very specific hardware. This led to hardware switches being installed on motherboards to prevent unauthorised changes. Countermeasures against BIOS viruses were very primitive compared to the complex safeguards today.

-Complex worms on UNIX systems do exist, for example in large university environments where seemingly random files are generated and cannot be traced to any specific process. Most of which the administrators have ignored and have been in operation for decades.

My view is that we are getting played. It sounds like an attempt at self-promotion of the company due to the large amount of buzzwords and zero evidence. I would like to be proved wrong though.
Possibly the author just has a faulty hard disk or SSD; this would explain the cross-platform corruption.




