
Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps


sirri


badbios.jpg

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did. It was a very painful exercise. I've been suspicious of stuff around here ever since."

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that's able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine's inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world's foremost security experts. The malware, Ruiu believes, is transmitted through USB drives to infect the lowest levels of computer hardware. With the ability to target a computer's Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. In posts here, here, and here, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: "badBIOS," as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

Bigfoot in the age of the advanced persistent threat

At times as I've reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw. (A compilation of Ruiu's observations is here.)

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he's no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that have afflicted Ruiu's computers and networks.

In contrast to the skepticism that's common in the security and hacking cultures, Ruiu's peers have mostly responded with deep-seated concern and even fascination to his dispatches about badBIOS.

"Everybody in security needs to follow @dragosr and watch his analysis of #badBIOS," Alex Stamos, one of the more trusted and sober security researchers, wrote in a tweet last week. Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security—retweeted the statement and added: "No joke it's really serious." Plenty of others agree.

"Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest," security researcher Arrigo Triulzi told Ars. "Nothing of what he describes is science fiction taken individually, but we have not seen it in the wild ever."

Been there, done that

Triulzi said he's seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built off of work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer's peripheral component interconnect, the Intel-developed connection that attaches hardware devices to a CPU.

It's also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.

Of course, it's one thing for researchers in the lab to demonstrate viable firmware-infecting rootkits and ultra high-frequency networking techniques. But as Triulzi suggested, it's another thing entirely to seamlessly fuse the two together and use the weapon in the real world against a seasoned security consultant. What's more, use of a USB stick to infect an array of computer platforms at the BIOS level rivals the payload delivery system found in the state-sponsored Stuxnet worm unleashed to disrupt Iran's nuclear program. And the reported ability of badBIOS to bridge airgaps also has parallels to Flame, another state-sponsored piece of malware that used Bluetooth radio signals to communicate with devices not connected to the Internet.

"Really, everything Dragos reports is something that's easily within the capabilities of a lot of people," said Graham, who is CEO of penetration testing firm Errata Security. "I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy."

Coincidentally, Italian newspapers this week reported that Russian spies attempted to monitor attendees of last month's G20 economic summit by giving them memory sticks and recharging cables programmed to intercept their communications.

Source: Ars Technica

Edited by sirri
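Graham's remark in the article above, that moving bits between two machines over high-frequency sound is "really, really easy", can be shown without any sound hardware. What follows is an added example written for this page; it is not code from the Ars Technica article, from Dragos Ruiu, or from anything reported about badBIOS. It is a simulated binary-FSK acoustic modem in pure Python: bytes become 18 kHz / 19 kHz tone bursts at 100 baud (all parameters are assumptions chosen for the demo, sized so each bit period holds a whole number of cycles), Gaussian noise stands in for a room, and the receiver recovers the bytes with the Goertzel algorithm, the cheap way to measure energy at two known frequencies. Playing the samples through a speaker and capturing them with a microphone is the only step left out.

```python
"""Simulated near-ultrasonic FSK acoustic modem (added example, pure Python).

Not code from the Ars Technica article or from Dragos Ruiu: it only
demonstrates that moving bytes over high-frequency sound is straightforward.
All parameters below are assumptions chosen for the demo; nothing here is
derived from badBIOS. No sound card is used: the "channel" is a list of
float samples with constructed Gaussian noise added.
"""
import math
import random

SAMPLE_RATE = 44100                      # Hz, a common sound-card rate
F_MARK = 19000                           # Hz tone for a 1 bit (near the top of the audible range)
F_SPACE = 18000                          # Hz tone for a 0 bit
BAUD = 100                               # bits per second
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD    # 441 samples: exactly 190 / 180 cycles per bit
PREAMBLE = 0x7E                          # first byte of every frame; lets the receiver sanity-check sync


def bits_from_bytes(data):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def modulate(payload, amplitude=0.3):
    """Return audio samples for PREAMBLE + payload: one phase-continuous tone burst per bit."""
    samples = []
    phase = 0.0
    for bit in bits_from_bytes(bytes([PREAMBLE]) + payload):
        step = 2 * math.pi * (F_MARK if bit else F_SPACE) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(amplitude * math.sin(phase))
            phase += step
    return samples


def goertzel_power(block, freq):
    """Energy at a single frequency in `block` (Goertzel algorithm: one DFT bin, no FFT needed)."""
    n = len(block)
    k = round(n * freq / SAMPLE_RATE)            # nearest DFT bin; exact for the tones chosen above
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Slice the stream into bit periods, decide mark/space per slice, reassemble bytes."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(block, F_MARK) > goertzel_power(block, F_SPACE) else 0)
    frame = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        frame.append(byte)
    if not frame or frame[0] != PREAMBLE:
        raise ValueError("no preamble found: not a frame from this modem")
    return bytes(frame[1:])


def add_noise(samples, sigma, seed=1):
    """Constructed 'room': additive white Gaussian noise, fixed seed so runs are repeatable."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def roundtrip(payload, noise_sigma=0.5):
    """Transmit, corrupt, receive. Returns the recovered payload bytes."""
    return demodulate(add_noise(modulate(payload), noise_sigma))


if __name__ == "__main__":
    # Noise RMS (0.5) is louder than the tone RMS (~0.21), yet the bytes survive,
    # because each Goertzel bin integrates over 441 samples and rejects the rest.
    print(roundtrip(b"hello airgap"))
```

The receiver compares only two narrow bins, which is why it tolerates noise louder than the signal; the same property cuts the other way for a defender, since sustained narrowband energy near the top of the audio band is easy to spot on a spectrum display, independent of anything the operating system reports.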


Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed

Look, I'm not saying that the entire story is bullshit, but going on just the one above quote from it alone... well, okay, I am. It's bullshit.

Edited by stylemessiah


There was a similar post to this quite recently. I see it as nonsense, simply because you have to have a generic BIOS flash which is patched to work on every mobo in the wild...

Also, looking at the attached screenshot, it's using 16 million colours for the skull overlay, which I think can't be done due to the nature of how a BIOS is developed, due to a limited colour bit range.

Most BIOS screens will be blue in colour; this is due to how the BIOS manufacturers implement general BIOS colour attributes. BIOS colour attributes are 8-bit values where the lower 4 bits represent the character colour and the higher 4 bits represent the background colour. In BIOS, to print a white character on a blue background the 'BIOS colour attribute' would be set to a hexadecimal value of 0x1F.

I could well be wrong on that last one however.

Edited by Dodel



Hehe, I like that you picked up on that angle.

For me the biggest BS indicator was the part I quoted about machines with "no power cables (funny, I've tried to use my PC without power and it isn't very accommodating; I can't even get into the BIOS for it to be evil :( ), ethernet cables, wireless cards or bluetooth cards STILL transmitting data" as if somehow they were all still communicating via magical fairy dust... apparently, according to the source, oxygen now has the ability to store and route TCP/IP and do it without any power... hooray, let's tear down all the mobile towers and microwave dishes and leave it up to oxygen for our interwebs!

Edited by stylemessiah



I must admit I didn't read the full thread; I was just remembering the previous article along the same lines.



Also, looking at the attached screenshot, it's using 16 million color for the skull overlay, which I think can't be done due to the nature of how a bios developed, due to a limited colour bit range.

Wow, you can't be serious. You think that is an actual screenshot of the malware infecting the BIOS, and actually spent time analyzing whether such a "screenshot" is possible to create or not?! :lol: It's a Thinkstock stock image credited to a graphic designer named Aurich Lawson.




No, but as a curious programmer & analyst, I explored the theory.

If you could write a generic BIOS patch to work on the number and types of motherboards in the wild, you'd have the holy grail.

Edited by Dodel


For any thinking that Jumping the Gap by malware is a delusion, please see:

http://www.defensenews.com/article/20130115/C4ISR01/301150010/DoD-Looking-8216-Jump-Gap-8217-Into-Adversaries-8217-Closed-Networks?odyssey=nav|head

Note especially the more relevant part about “inserting and extracting data from sealed, wired networks.” The DoD believes they can inject malicious code via radio frequencies by analyzing electromagnetic field distortions from aircraft and ground vehicles deployed in or around the systems they want to compromise. The sample in question here is obviously an early sample (3 years old), and the fact that it was detected by Dragos seems to indicate that it was a poorly coded SEMI (self eradicating malware intrusion).

For any interested, do a little digging into a company called Endgame Inc.

Edited by cruelsister


majormalfunction

Yikes, I used the nick badbios on IRC a long time ago :bag: Yeah, Endgame's Wikipedia entry is quite, errrr, interesting.... The air gap idea sounds very next-level, but remember that BIOS battery on the mobo keeping a bit of it "hot" where the configuration is kept. It's easy to forget that little battery is there (until it goes bad after a few years). Anything's probably possible; it's a matter of how much effort is put into it.



Don't concentrate on the BIOS. This was probably a first generation Jumper and the BIOS intrusion messed with the SEMI functionality of the vector.




The machines with power cables disconnected were laptops running on battery.



Either it's totally B.S. or this guy doesn't know WTF he's doing. He could be spreading the malware via flash drive or infected (bogus) installation disks. Then there's the possibility that someone on the inside is doing it.






Computer peripherals have always provided a gateway for malware. LAN adapters, modems, floppy drives, and USB flash drives have all provided entry points for infections. Now you can add microphones and speakers to the list.

Respected security researcher Dragos Ruiu spoke with Ars Technica about his ongoing battle with badBIOS, and the report reads like something out of 1990s sci-fi cinema. It started about three years ago, when Ruiu noticed an isolated machine behaving very strangely.

Even though the laptop wasn’t connected to a network with any other badBIOS-infected systems, it was physically close to some. And apparently badBIOS is equipped to handle exactly that kind of situation.

Ruiu says that the laptop acted like it was connecting to the internet, but packet-sniffing software continued to detect activity even when its WiFi and Bluetooth modules were removed. His next step? To remove the speakers and microphone.

That put a stop to the communications, which confirmed his suspicion: badBIOS was somehow passing information to this laptop via high-frequency soundwaves (which security researchers say really isn’t that hard to do). This was a brand new system, fresh out of the box. Unless it was somehow pre-compromised — and someone with Ruiu’s skill and knowledge would have been able to rule that out — that’s really the only option.

Clearly this isn’t your typical malware strain. And apart from being able to spread through the airwaves to non-networked machines, badBIOS is so nasty that the best way to deal with an infected machine might be to physically destroy it.

As the name suggests, it targets a system's BIOS and it digs in deep. It's able to infect Windows PCs and Macs alike, and Ruiu even witnessed a BSD system that seemed like it had come down with something. It resists attempts to boot other operating systems, and it's self-healing, too. Disable a component, and badBIOS will figure out how to switch it back on.

It’s incredibly sophisticated malware, and it’s got the potential to cause serious digital damage. The good news — if you can call it that — is that malware as complex as badBIOS is almost certainly state-sponsored, and it’s designed to be used against very specific targets.

Your home computer probably isn't what the people who built badBIOS are after. They're likely more interested in things like servers that belong to government agencies, laptops used by top-level officials, and other systems that hold sensitive data. So... at least you probably won't have to throw away your new MacBook Pro because of badBIOS.

Source: http://www.geek.com/apps/self-healing-badbios-malware-infects-pcs-through-mic-and-speakers-is-straight-out-of-sci-fi-1575768/

Edited by 7h3Pr3d47oR

