Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

reply to post by Zaphod58


I am a total moron when it comes to computing, but has anyone considered the possibility that there could be a quantum entanglement involvement here? You know, rather than accessing the data of a machine in the traditional way, using some sort of quantum communication method to infect the machines, even when they are off?

I mean, if this were a traditional virus or malware, you could pheasibly track it's progress from machine to machine, but if all the machines are being accessed remotely via some kind of hack at the quantum level, then all the normal rules go out the window, because the receiver of that data is going to be hidden, a) because no one expects it, and b) for the same reason that quantum entanglement can allow delivery and receipt of data without that data actually having to pass through an intervening space. It's damned near impossible to track.

Like I say, I am a moron when it comes to computers, but evil uses for cool science? I can think them up all damn day!

The writing style of this article was rather bizarre in the sense that it didn't really have an introduction or summary and was more of a story telling. Basically:

1. The malware infects hardware so reformatting doesn't do anything. It can also infect many different operating systems.
2. It is spread via USB, but the initial vector may be a different method.
3. Apparantly can communicate with other infected machines via sound. Note this was proven false here.

Bleeeeep
reply to post by MystikMushroom

 

I think you're right. Virus spreading through non-network devices is just out there. The only explanation is someone/something has figured out how to, I don't know, send electromagnetic or sound wave virus? It's so crazy to even think of that.

If real, it's some alien/AI/deep conspiracy stuff.

The code could survive all attempts to eradicate it by copying itself to other compenents on the MB besides the BIOS.

If the virus is advanced enough, it may be possible to use a process that acts as a kind of PIC programmer and write itself behind the code of any chip on the board....then copy itself back into the freshly flashed BIOS either right away, or after a predetermined length of time.

As for 'air jumping'..that's sound quite fantastic, but it may actually be possible.

A lot of MB's come with built in basic modem chips, it might be possible using the PC's internal speaker to hijack the modem chip and use it to create DTMF tones using the PC speaker..the tones may activate or be 'heard' by another chip on an adjacent system and the virus is sent over in the DTMF tones..it would be kind of 'out there', but theoretically it might be possible using this or variations of it.

I say it is a hoax. The article didn't cover what malicious activity is actually ocurring, beyond how the infection occurs and that it supposedly transmits encrypted data. Also, they mention that it can infect UEFI and regular BIOS. If that is true, then I would only suspect the mega chip maker Intel, since they were the main chipmaker who whas spearheading UEFI and UEFI is supposed to be much more secure than the standard BIOS. It is also tough to believe that it could universally infect Mac, Windows, and Linux systems at the same time. I'm going to need to see more reliable sources on this before I believe it.

reply to post by TrueBrit


No. That's not how entaglement works, the power required is far too large to be practical (i.e a nuclear reactor) and it would be impossible to code even if the previous two was possible.

It's probably a hoax, misinterpretation or removable media causing it.

Sigh. I don't even know where to begin...

As as been said (and confirmed) - it would be impossible to infect a clean (read: not ready) machine with sound waves. Complete and utter crock. The magic "airgap" infection? LoLoLoLoLoL.
Enough people explained why, so I'll move along.

Anyone that has spent 5 minutes in front of a computer and tried to install new hardware or software will tell you the frustration of "compatibility". There are endless compatibility issues just between different PC platforms. Trying to get something to work on Mac, PC and Linux!? Good luck.
Or let's put it this way: Currently there are (roughly) 34 different operating systems in use. Now multiply that with the amount of different CMOS/ROM/VRAM/whatever you feel like calling it and also the different BIOS versions. Now multiply that with the amount of anti-virus and anti-malware software packages and you have a pretty big variation on possible device configurations....
No, it's not impossible to have a piece of code that would be able to understand all platforms, bypass all security measures and be able to distribute itself and take control of said hardware... But if you were able to write the code to something like that, you would be a very, very rich man/woman.

Well, that's my opinons anyway.

All that said. I'm not sure what to make of the concept in general. I have spent thousands of hours in front of computers and I have seen some very weird, and technically "impossible" behavior from both software and hardware. I've seen enough to have a tiny bit of believe in "the ghost in the machine" or some sort of "self-awareness-intelligence" (for lack of better word). Some computers have personalities. Some computers are not bound by the rules of 1's and 0's.
So, the idea of something completely "new" and "impossible" like described in the article is not completely beyond my believe. If it's real, I'll bet my hat that it's not man-made.

"Good day. Welcome to Skynet."
"Hallo?! HAL 9000? Is that you?"

I am certainly no expert.

if real, something has to be moving from one device to the other. Computer code can't exist outside a computer or network.

Is it possible for a biological agent be made to affect innanimate items? Maybe one that reorganizes, physically a silicon chip? We can probably make one that attacks silicon and turns it into something else. Pretty far fetched for a virus or bacteria to reorganize into working, malicious computer code, though.

How about nanotech? Certainly a microscopic robot could do something like this.

People seem to think all the hacking has to be done in a certain way. Well ISO 9001 your normal hacker standard is long ways off from the ISO 27001 the NSA uses. Big difference in numbers there. And I would say there is a big difference in the way they could hack a machine. Just look at what the NSA and other world governments that work with them can do. Stars Duqu Flame Gauss Stuxnet and the list goes on. And since those have been found I am sure they have busy moving to the next level. Just remember those I listed all had a specific country tied to each one. Does that mean they have one for every country? That is a lot of viruses that nobody has ever heard about.

reply to post by JBA2848


ISO 9001 is a protocol of standardization. I do not follow the context you are using.

I was, at one time, ISO 9001 certified for Supply Chain Management operations within my company.

reply to post by bigfatfurrytexan


CISSP and EA follow ISO9001. Government hackers/ANONYMOUS so on.9001 strong bots.
NSA is ISO27001.

reply to post by JBA2848


So, you are essentially saying that they have a different standard of standardization across their enterprise.

How does that affect computing? Are you referring to the standardization protocols of their information systems, and how that effects things? Do their systems not still use TCP/IP? Is it that they have custom Linux configurations that make outside software incompatible? I am not following.

winofiend
reply to post by StargateSG7

 

Well for a start ms-dos 7 is win95.

You'd want 6.22 for a true dos environment.

And you would be very hard pressed to find an ndis driver to talk to a modern nic that operates in a dos environment. Other than that, using debug to scan the memory would be good, if anyone here knew how to do it. Not sure there are many people who even know what debug was, or that you used to have to low loevel format a hard drive with it. but I could be wrong. I ususaly am.

still..

Why do all this hard work when it's as simple as "hey kids, install itunes!!"

Sounds good and stuff, that's for sure!!

Use a Windows 95 disk machine to a FORMAT A: /S /V which gets you
a bootable 1.44 megabyte floppy disk partition which can then be copied
and installed onto a USB or bootable CD/DVD as a Boot.BIN bootup sector.
And the REASON you use 7.0 and not 6.22 is the FAT-32 partitioning tools
which I use. I've got lots of custom bootable software than can show me
running executable code (i.e. a debugger) which I then scan for malicious items.

NSA/DIA tends to use Visual Basic or Visual C++ which makes it EASY AS PIE to
find those nasty viruses.

To talk to NIC cards or even USB/Firewire/Disk/Audio/Video/etc hardware
I just use the Linux drivers (with source code) and keep them to 32-bit
interfaces rewriting them if necessary and then cross-compile to DOS 7.

Then I can debug as I see fit!

reply to post by bigfatfurrytexan


They have a whole other level of doing things in addition to that of the lower level. Just think about the hackers our governments are putting out there to pin test government websites and so on. They are given VPNs to use that allow the 27001 to see every thing they do. But what else are they doing? STUXnet DUQU Star Flame Gauss. 9001 standards would probably fall in to a name such as those for the NSA Hacking of the US.Guess PRISM could be the name? They just have not named it. Classified it does not exist in there eyes.

This is interesting, I've actually been wondering if capabilities like these exists / will exist in the near future.

JBA2848
People seem to think all the hacking has to be done in a certain way. Well ISO 9001 your normal hacker standard is long ways off from the ISO 27001 the NSA uses. Big difference in numbers there. And I would say there is a big difference in the way they could hack a machine. Just look at what the NSA and other world governments that work with them can do. Stars Duqu Flame Gauss Stuxnet and the list goes on. And since those have been found I am sure they have busy moving to the next level. Just remember those I listed all had a specific country tied to each one. Does that mean they have one for every country? That is a lot of viruses that nobody has ever heard about.

BFFT is correct (as always ) 9001 is basically a "Model for quality assurance in design, development, production, installation, and servicing was for companies and organizations whose activities included the creation of new products." - Wiki: iso9001

Also, to further inform, ISO 27001 MAY be used by the NSA but the NSA is not the only agency/company using it. 27001 is just Technology Security Control standard in its simplest definition, aka a way for companies with technology to cover their behinds... There are multiple reasons that a company could adopt 27001:

-It is suitable for protecting critical and sensitive information
-It provides a holistic, risk-based approach to secure information and compliance
-Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers
-Demonstrates security status according to internationally accepted criteria
-Creates a market differentiation due to prestige, image and external goodwill
-If a company is certified once, it is accepted globally.

Pulled from Wikipedia


I would be willing to bet that the NSA follows these ISOs as well as many others but I also dont think you're understanding what the standards themselves are really meant to do.

-King

Gemwolf
Sigh. I don't even know where to begin...

As as been said (and confirmed) - it would be impossible to infect a machine with sound waves. Complete and utter crock. The magic "airgap" infection? LoLoLoLoLoL.
Enough people explained why, so I'll move along.

Anyone that has spent 5 minutes in front of a computer and tried to install new hardware or software will tell you the frustration of "compatibility". There are endless compatibility issues just between different PC platforms. Trying to get something to work on Mac, PC and Linux!? Good luck.
Or let's put it this way: Currently there are (roughly) 34 different operating systems in use. Now multiply that with the amount of different CMOS/ROM/VRAM/whatever you feel like calling it and also the different BIOS versions. Now multiply that with the amount of anti-virus and anti-malware software packages and you have a pretty big variation on possible device configurations....
No, it's not impossible to have a piece of code that would be able to understand all platforms, bypass all security measures and be able to distribute itself and take control of said hardware... But if you were able to write the code to something like that, you would be a very, very rich man/woman.

Well, that's my opinons anyway.

All that said. I'm not sure what to make of the concept in general. I have spent thousands of hours in front of computers and I have seen some very weird, and technically "impossible" behavior from both software and hardware. I've seen enough to have a tiny bit of believe in "the ghost in the machine" or some sort of "self-awareness-intelligence" (for lack of better word). Some computers have personalities. Some computers are not bound by the rules of 1's and 0's.
So, the idea of something completely "new" and "impossible" like described in the article is not completely beyond my believe. If it's real, I'll bet my hat that it's not man-made.

"Good day. Welcome to Skynet."
"Hallo?! HAL 9000? Is that you?"

----

Been There! Done That!

Actually it is VERY POSSIBLE to spread computer virii via audio waveforms
(via PCM - Pulse Coded Modulation) on a computer that has had its Audio
BIOS chip compromised. Barely audible pulsed waveforms running at say
192khz at 15 khz (most adults cannot hear that!) converting PCM data
to executable code that can run either directly on the
DSP (Digital Signal Processor) of the soundcard
OR converted to executable microcode that
can run on any given Intel, AMD and ARM chip
used on mobile and desktop computers and smartphones.

And since MANY soundcards have Ring-1 and sometimes
even Ring-0 privilege in any given OS, data execution or
deep code inspection can be BYPASSED and then the mcirocode can
have its way in adding keyboard hooks, Norton anti-virus bypass or
hooks onto the Write_Disk() and Read_Disk() routines of almost
all OS file input/output which can then be COPIED and sent over to
the Network Interface Card as an encrypted packet for a nefarious 3rd party entity!!!!

SO YUP!!! It can be done using audio waveforms or pulsed lighting to transmit data...
The Soviets did that in the late 80's and Early 90's on their Washington-oriented office
spy rings! While web cams were NOT common at all in those days, expensive audio and
video frame buffers (TGA/TIGA/TARGA/Matrox/EGA-Wonder/VGA-Wonder/SoundBlaster/AdLib)
video and audio cards WERE common in business environments which made SENSE for agencies
to SPY on people using these novel methods!

---

Now for today's world:

There are ONLY 9 major chip manufacturers that make
THEIR OWN Common Core CPU/GPU intellectual property:

1) IBM (International Business Machines): Power Series Processors

2) Intel: Pentium, I3/i5/i76-series processors

3) ARM: (Advanced RISC Machines) 32/64 bit embedded processors for mobile and embedded devices

4) AMD (Advanced Micro Devices) Athlon, Opteron CPU's and Radeon/Firepro graphics

5) NVIDIA: Kepler and CUDA-oriented graphics processors

6) Matrox: CAD/CAM/Pro Video/Frame Buffer GPU processors

7) Oracle/Sun : SuperSPARC/UltraSPARC workstation/server class CPUs

8) MIPS (Reduced Instruction Set) embedded processors.

9) Texas Instruments: Digital Signal Processors and embedded microcontrollers.

AND EVEN THEN the core IP (Intellectual Property) is pretty similar.

AND THEREFORE it is actually QUITE EASY to create a CROSS COMPILER

See weblink:
en.wikipedia.org...

to run code in something called a HyperVisor or VM (Virtual Machine) mode
that is privileged code:

See this Ring-0 code link:
en.wikipedia.org...

Hypervisor link:
en.wikipedia.org...

VM (Virtual machine)
en.wikipedia.org...

which allows to to run a DEBUGGER or Disassembler:

Debugger link:
en.wikipedia.org...

Disassembler Link:
en.wikipedia.org...

and even decompose machine code BACK INTO C++ or PASCAL:

Decompiler Link:
en.wikipedia.org...

Since there only a FEW major network communications chips
and IO (Input Output ) chip manufacturers,,,you don't even
need a BIOS to call the motherboard parts...just send the
commands directly across the PCI-x buss directly to the
chips and control serial/parallel port IO, USB IO, RJ-45 IO,
Wireless/Wifi, etc all by yourselves.

Even hard disk and Flash Drive IO uses the basic commands
known by ALL manufacturers so its actually quite easy to
create a universal boot program (i.e. like WinBoot, Partition Magic, etc)
that can run your own debuggers and scan for rogue microcode on BIOS
chips located on NIC and Graphics cards, Audio Card BIOS, Flash ROM bios,
Wifi BIOS and even router, witch and Gateway bioses.

BUT AS I DESCRIBE BELOW THERE ARE TWO MORE NEFARIOUS WAYS TO SPREAD
VIRI using the HIDDEN write-levelling cache areas on USB/Flash Drives
and on the HIDDEN checksum areas of NON-volatile RAM/Flash chips

| | |
| | |
| | |
| | |
/ / /

I work in IT, including security and I call BS on this for so many reasons, but there is one big tell...

He says he noticed this happening 3 years ago, if a virus was so powerful it could transmit through the air, could restore its self to a fresh install, then after 3 years near enough every PC in the world would be infected and not just the ones in his lab. Nothing could stop it, however only his PC's show any of these symptoms, hmmm, perhaps what would be the greatest coder in the world has it in for him only...

Nope don't believe it for one minute

PrinceDreamer
I work in IT, including security and I call BS on this for so many reasons, but there is one big tell...

He says he noticed this happening 3 years ago, if a virus was so powerful it could transmit through the air, could restore its self to a fresh install, then after 3 years near enough every PC in the world would be infected and not just the ones in his lab. Nothing could stop it, however only his PC's show any of these symptoms, hmmm, perhaps what would be the greatest coder in the world has it in for him only...

Nope don't believe it for one minute

---

A PC ALREADY has to be compromised for the over the air (air-gap) virii infection to occur!

Either at point-of-manufacture (which HAS been done MANY TIMES!) or just before delivery
software or embedded flash-bios microcode can be injected that WILL NOT BE WIPED by
a re-format command...!!!! Only a hardware debugger will catch these types of infections.

...and this code...can be ordered to LISTEN FOR or RESPOND TO specific sequences embedded
into audio waveforms or embedded as steganographic information in videos or still photos
or as basic single or small series of TRIGGER-oriented TCP/IP packets arranged in a
particular order or arranged with embedded payloads or specified address which will
TRIGGER a microcode event such as a data copy and send command sequence, or a
data scrambling sequence or a copy virus command OR ANY OTHER purposes required!

See Steganography:
en.wikipedia.org...

PCM (Pulse Coded Modulation)
en.wikipedia.org...

Ghost Rat:
en.wikipedia.org...

FinFisher:
en.wikipedia.org...

Multipartite Virus
en.wikipedia.org...

BIOS Chip Vulnerabilities:
en.wikipedia.org...


and for your info virii can be TARGETED towards PCS that have a specific single or series
of MAC addresses (Media Access Control number) or specific range of IP addresses or a specific
combination of CPU/GPU/Disk/Motherboard hardware spec. It may be a very specific targeted
virus such as what Stuxnet targeted VERY SPECIFIC Siemens Microcontrollers on machines that
ran a very specific type of High-RPM industrial control application.

Targeting of Virii is VERY EAST TO DO!!!!!

PrinceDreamer
I work in IT, including security and I call BS on this for so many reasons, but there is one big tell...

He says he noticed this happening 3 years ago, if a virus was so powerful it could transmit through the air, could restore its self to a fresh install, then after 3 years near enough every PC in the world would be infected and not just the ones in his lab. Nothing could stop it, however only his PC's show any of these symptoms, hmmm, perhaps what would be the greatest coder in the world has it in for him only...

Nope don't believe it for one minute

Same here man, there's just too many holes poked in his story for it to be even reasonably true. Still an interesting story nonetheless if you're not a tech guy like over half of us in this thread are


@stargate,
If in fact the systems were compromised from the factory, there'd be A LOT MORE systems out there with this virus, and we would have heard about it by now. (3 years later, right?) Replication would have occurred by the 6 month mark if not before, and it would have been transferred over the internet to multitudes of different machines. Fact is, replication has not occurred of this so called virus, or worm, or whatever you want to call it, and it hasn't been found anywhere else in the world by anyone other than this dude.

I'm officially calling it a story

-King

reply to post by kingofyo1



---

I do must admit this Air-Gap virus DOES SOUND RATHER SUSPICIOUS
so I am going to PASS on this one as being more of a BASIC HARDWARE
FAILURE ISSUE (i.e. overheating or bad motherboard) than any specific
malicious BIOS virus!

...BUT I DO MUST ADD....

Stuxnet infected thousands of microcontroller systems BUT it either removed itself
or laid dormant UNLESS a specific industrial application was run or a specific
microcontroller family was preset (i.e. Siemens)... No one knew about it EXCEPT
the NSA and the Haifa, Israel team that created it initially!

SO I ALSO MUST SAY THAT TARGETED VIRII are NOT UNCOMMON!

and they are HERE NOW ... MAYBE even in YOUR OWN hardware !!!!