Author Topic: badBIOS (Or attention whoring/fearmongering for fun and profit!)  (Read 3639 times)

Phyphor

  • friend
  • Senior Member
  • ***
  • Posts: 2,330
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

Quote
Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did. It was a very painful exercise. I've been suspicious of stuff around here ever since."

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that's able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine's inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world's foremost security experts. The malware, Ruiu believes, is transmitted though USB drives to infect the lowest levels of computer hardware. With the ability to target a computer's Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. In posts here, here, and here, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: "badBIOS," as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.


BLABLABLA, BULLSHEISSE!

http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/

Just in case any of y'all hear anything about this, I just wanted to shut down any fears of this thing.

You should be wary of stuff that actually exists, like Cryptolocker.
"You know what's messed-up about taxes?
You don't even pay taxes. They take tax.
You get your check, money gone.
That ain't a payment, that's a jack." - Chris Rock "Bigger and Blacker"
He slapped his rifle. "This is one of the best arguments for peace there is. Nobody wants to shoot if somebody is going to shoot back. " Callaghen, Callaghen, Louis La'mour

Battle Monkey of Zardoz

  • friends
  • Senior Member
  • ***
  • Posts: 1,915
  • A more Elegant Monkey for a more civilized Forum.
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #1 on: November 07, 2013, 11:45:18 AM »
Excerpt from the article linked above:

Quote
"Really, everything Dragos reports is something that's easily within the capabilities of a lot of people," said , who is CEO of penetration testing firm Errata Security. "I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy."

Coincidentally, Italian newspapers this week reported that Russian spies attempted to monitor attendees of last month's G20 economic summit by giving them memory sticks and recharging cables programmed to intercept their communications.

Does this exist? Don't know. I think it's possible.
“We the people are the rightful masters of both Congress and the courts, not to overthrow the Constitution but to overthrow the men who pervert the Constitution.”

Abraham Lincoln


With the first link the chain is forged. The first speech censored, the first thought forbidden, the first freedom denied, chains us all irrevocably.

Devonai

  • friend
  • Senior Member
  • ***
  • Posts: 3,645
  • Panic Mode Activated
    • Kyrie Devonai Publishing
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #2 on: November 07, 2013, 11:49:21 AM »
Somebody call John Connor.
My writing blog: Kyrie Devonai Publishing

When in danger, when in doubt, run in circles, scream and shout!

Balog

  • Unrepentant race traitor
  • friends
  • Senior Member
  • ***
  • Posts: 17,774
  • What if we tried more?
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #3 on: November 07, 2013, 12:13:17 PM »
Quote
who is CEO of penetration testing firm Errata Security

"So what do you do?"

"Oh, I'm head of penetration testing."
Quote from: French G.
I was always pleasant, friendly and within arm's reach of a gun.

Quote from: Standing Wolf
If government is the answer, it must have been a really, really, really stupid question.

Battle Monkey of Zardoz

  • friends
  • Senior Member
  • ***
  • Posts: 1,915
  • A more Elegant Monkey for a more civilized Forum.
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #4 on: November 07, 2013, 01:11:01 PM »
"So what do you do?"

"Oh, I'm head of penetration testing."

It's a hard job

drewtam

  • friend
  • Senior Member
  • ***
  • Posts: 1,985
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #5 on: November 07, 2013, 03:51:59 PM »

Quote
Does this exist? Don't know. I think it's possible.

For some reason this made me think of the aliens guy.
I’m not saying I invented the turtleneck. But I was the first person to realize its potential as a tactical garment. The tactical turtleneck! The… tactleneck!

zahc

  • friend
  • Senior Member
  • ***
  • Posts: 5,803
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #6 on: November 07, 2013, 07:38:04 PM »
Whether it exists or not, an audio-based exploit is completely plausible.
Maybe a rare occurrence, but then you only have to get murdered once to ruin your whole day.
--Tallpine

cordex

  • Administrator
  • Senior Member
  • *****
  • Posts: 8,679
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #7 on: November 07, 2013, 08:45:31 PM »
Quote
Whether it exists or not, an audio-based exploit is completely plausible.
It could be done (especially for small amounts of data - fidelity wouldn't likely be very good over any realistic distance) but it would require the target machine to be compromised beforehand and a recipient application running to accept, interpret and execute the code.

It couldn't jump an air gap without the computer being contaminated ahead of time.

Also, given the quality/range of consumer computer microphones and speakers, I strongly doubt it could be done without it being very obvious that something was being broadcast.
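cordex's point that an acoustic channel needs a listener process on an already-compromised machine also works in the defender's favour: a monitoring process on a trusted machine can watch the microphone feed for near-ultrasonic energy that carries no audible content, which is exactly what the thread says would be "very obvious". The following is an added example, not code from the thread, Ars Technica or Ruiu; it assumes mono PCM frames as float samples in [-1, 1] and uses a constructed test tone in place of a real capture.

```python
import math


def goertzel_power(samples, sample_rate, target_hz):
    """Normalised power at one frequency bin (Goertzel algorithm).

    A pure tone of amplitude A sitting on the bin returns about A**2,
    so values are comparable across frame lengths."""
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    raw = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return raw / (n / 2.0) ** 2


def band_power(samples, sample_rate, lo_hz, hi_hz, step_hz=250):
    """Sum of bin powers across a band, probed every step_hz."""
    return sum(goertzel_power(samples, sample_rate, f)
               for f in range(lo_hz, hi_hz + 1, step_hz))


def inspect_frame(samples, sample_rate, floor=1e-4, ratio=10.0):
    """Flag a frame whose near-ultrasonic energy is well above the
    speech band: a sustained tone nobody in the room would hear.
    floor and ratio are assumed tuning values, not from the thread."""
    hf = band_power(samples, sample_rate, 18000, 20000)   # near-ultrasonic
    lf = band_power(samples, sample_rate, 300, 3300)      # speech band
    return {"hf": hf, "lf": lf, "suspicious": hf > floor and hf > ratio * lf}


def synth(sample_rate, seconds, tones):
    """Constructed test signal: sum of (frequency_hz, amplitude) sines."""
    n = int(sample_rate * seconds)
    return [sum(a * math.sin(2 * math.pi * f * i / sample_rate) for f, a in tones)
            for i in range(n)]


if __name__ == "__main__":
    sr = 44100
    # 100 ms frames, as a capture loop would hand them over
    print(inspect_frame(synth(sr, 0.1, [(19000, 0.2)]), sr))   # suspicious
    print(inspect_frame(synth(sr, 0.1, [(1050, 0.5)]), sr))    # ordinary audio
```

On a real deployment the frame would come from the sound card via a capture library and the flag would feed whatever alerting the site already uses; the heuristic deliberately ignores frames with strong audible content, since music and speech carry their own high-frequency energy.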

Phyphor

  • friend
  • Senior Member
  • ***
  • Posts: 2,330
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #8 on: November 07, 2013, 09:14:33 PM »
Quote
It could be done (especially for small amounts of data - fidelity wouldn't likely be very good over any realistic distance) but it would require the target machine to be compromised beforehand and a recipient application running to accept, interpret and execute the code.

It couldn't jump an air gap without the computer being contaminated ahead of time.

Also, given the quality/range of consumer computer microphones and speakers, I strongly doubt it could be done without it being very obvious that something was being broadcast.

Exactly.

And if the computer was already compromised, why bother sending it anything else?
Plus, BIOS malware just can't hide.

drewtam

  • friend
  • Senior Member
  • ***
  • Posts: 1,985
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #9 on: November 07, 2013, 09:45:36 PM »

Quote
It couldn't jump an air gap without the computer being contaminated ahead of time.

In the original write up, this is exactly what was described. Two "infected" machines were in the same room. They were experimenting with the infected laptop. They found it was receiving/transmitting packets, so they disabled the wifi. It would re-enable itself. They removed the wifi card, still rx/tx. They unplugged the power cord, running on battery (hypothesizing that it was connected over powerline); unplugged, it was still rx/tx. They removed the mic and speaker hardware while running, packets stopped.

Firethorn

  • friend
  • Senior Member
  • ***
  • Posts: 5,789
  • Where'd my explosive space modulator go?
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #10 on: November 08, 2013, 04:38:06 AM »
Quote
And if the computer was already compromised, why bother sending it anything else?

You're trying to corporate espionage your way across an airgap.

 [tinfoil]

Fitz

  • Face-melter
  • friend
  • Senior Member
  • ***
  • Posts: 6,254
  • Floyd Rose is my homeboy
    • My Book
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #11 on: November 08, 2013, 08:16:02 AM »
I'm thinking of my last official act to send out a warning email to the IA distribution list at the base warning them, then watch everyone overreact.
Fitz

---------------
I have reached a conclusion regarding every member of this forum.
I no longer respect any of you. I hope the following offends you as much as this thread has offended me:
You are all awful people. I mean this *expletive deleted*ing seriously.

-MicroBalrog

Phyphor

  • friend
  • Senior Member
  • ***
  • Posts: 2,330
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #12 on: November 08, 2013, 11:31:10 AM »
Quote
You're trying to corporate espionage your way across an airgap.

 [tinfoil]

There are far better ways than that. This sort of thing would be rather noticeable.

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #13 on: November 08, 2013, 11:41:09 AM »
Just hire a bunch of women.

All the talking, gossip, and chatter will overwhelm the computer to computer communications where the virus/malware tries to communicate between devices through the sound-cards and microphones.
I promise not to duck.

RevDisk

  • friend
  • Senior Member
  • ***
  • Posts: 12,633
    • RevDisk.net
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #14 on: November 08, 2013, 11:43:09 AM »

Quote
In the original write up, this is exactly what was described. Two "infected" machines were in the same room. They were experimenting with the infected laptop. They found it was receiving/transmitting packets, so they disabled the wifi. It would re-enable itself. They removed the wifi card, still rx/tx. They unplugged the power cord, running on battery (hypothesizing that it was connected over powerline); unplugged, it was still rx/tx. They removed the mic and speaker hardware while running, packets stopped.

Possible, but a waste of time and stupid infection vector except for niche circumstances.

Hoax. Plenty of real stuff to worry about. If it's verified by Kaspersky or a real AV, then I'll worry.
"Rev, your picture is in my King James Bible, where Paul talks about "inventors of evil."  Yes, I know you'll take that as a compliment."  - Fistful, possibly highest compliment I've ever received.

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: badBIOS (Or attention whoring/fearmongering for fun and profit!)
« Reply #15 on: November 08, 2013, 01:02:53 PM »
Considering what we DO know about Stuxnet, despite the self-encrypting code, which seems to be the most targeted and carefully designed piece of military/espionage-grade malware ever seen to date, this mysterious "badBIOS" malware is most likely either a hoax, or a fiction of the researcher's imagination.