
Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps


40hz:
Article with some more info on this over at Errata Security. Link here.

Despite some reservations, Errata Security feels Dragos Ruiu is on the level with all this.

First, a disclaimer

The story so far is this: Dragos's laptops appear to have been infected by a virus more advanced than anything seen so far, more advanced than Stuxnet or Flame, two previous examples of state-sponsored advanced viruses.

We don't know if any of this is real. Dragos could be having a psychotic episode where paranoia has gotten the best of him. Our industry is rife with paranoia, where our "Occam's Razor" is tuned to believing that the most plausible explanation for everything is "hackers". Weird sounds coming from the speakers? OMG it's a hacker!!

Also, Dragos hasn't given us anything we can independently verify. If it's a bad BIOS, Dragos can extract it and publish it. If a USB drive infects a system, Dragos can use a USB sniffer and dump all the packets going across the USB bus. If it's ultrasonic audio, Dragos could record the sound in WAV files. He could publish all this stuff, and we could see for ourselves whether it's real or not. That he hasn't casts doubt on what he's found.

But at the same time, this is Dragos Ruiu, a well-respected researcher for 15 years. If he says he's got an infected BIOS, I'm going to believe him. Sure, he's probably gotten some things wrong: just because "they" really are out to get you doesn't mean that "they" are responsible for every phenomenon you can't explain. But on the whole, I (and many other old-time experts) believe that in the end, most everything he suspects will be confirmed.
...
Everything Dragos describes is plausible. It's not the mainstream of "hacking", but neither is it "nation state" level hacking. That it's all so plausible lends credence to the idea that Dragos isn't imagining it. Of course, since Dragos is an expert, his imagination is likely to be full of factually correct details anyway, so maybe the plausibility of these hacks isn't such a guarantee of truth.

Dragos has only been analyzing this for a few weeks. Presumably, he won't give us the full details for us to check out until the next CanSecWest conference. Until then, I guess we are all just blowing smoke about whether this is "real" or not.
--- End quote ---
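The Errata Security post quoted above asks for evidence that others could check themselves, including "record the sound in WAV files" if the airgap bridge is ultrasonic. As an added example for this page (it is not Ruiu's data, nor Errata Security's or anyone else's tooling), the script below shows what such a check looks like: it reads a 16-bit PCM WAV, computes a Hann-windowed power spectrum frame by frame with a small pure-Python FFT, and reports what fraction of the signal's energy lies above a cutoff in the near-ultrasonic band. The two recordings are synthesized inline (a 1 kHz tone alone, and the same tone plus a 20 kHz carrier) rather than captured from any machine; the 18 kHz cutoff and the 1% energy threshold are assumptions chosen for the illustration, not values from the page.

```python
import cmath
import io
import math
import struct
import wave


def _fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even = _fft(x[0::2])
    odd = _fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def read_wav_mono(data):
    """Parse 16-bit PCM WAV bytes; return (sample_rate, first-channel samples in [-1, 1])."""
    with wave.open(io.BytesIO(data), "rb") as w:
        rate = w.getframerate()
        channels = w.getnchannels()
        width = w.getsampwidth()
        raw = w.readframes(w.getnframes())
    if width != 2:
        raise ValueError("this example handles 16-bit PCM only")
    count = len(raw) // 2
    ints = struct.unpack("<%dh" % count, raw)
    return rate, [ints[i] / 32768.0 for i in range(0, count, channels)]


def band_energy_ratio(samples, rate, cutoff_hz, frame=4096):
    """Fraction of total spectral energy at or above cutoff_hz, averaged over frames."""
    total = above = 0.0
    for start in range(0, len(samples) - frame + 1, frame):
        chunk = samples[start:start + frame]
        # Hann window keeps leakage from strong audible tones out of the high bins.
        windowed = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / (frame - 1)))
                    for i, s in enumerate(chunk)]
        spec = _fft(windowed)
        for k in range(frame // 2):          # positive frequencies only
            power = abs(spec[k]) ** 2
            total += power
            if k * rate / frame >= cutoff_hz:
                above += power
    return above / total if total else 0.0


def ultrasonic_fraction(wav_bytes, cutoff_hz=18000, frame=4096):
    """Energy fraction above cutoff_hz; refuses captures whose Nyquist limit is below it."""
    rate, samples = read_wav_mono(wav_bytes)
    if rate / 2 <= cutoff_hz:
        raise ValueError("sample rate %d Hz cannot represent content above %d Hz" % (rate, cutoff_hz))
    return band_energy_ratio(samples, rate, cutoff_hz, frame)


def looks_like_ultrasonic_carrier(wav_bytes, threshold=0.01):
    """Assumed decision rule: flag if >= 1% of the energy sits in the near-ultrasonic band."""
    return ultrasonic_fraction(wav_bytes) >= threshold


def synth_wav(rate, seconds, tones):
    """Constructed test signal (not a real capture): sum of (freq_hz, amplitude) sines as 16-bit mono WAV."""
    n = int(rate * seconds)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        frames = bytearray()
        for i in range(n):
            t = i / rate
            v = sum(a * math.sin(2 * math.pi * f * t) for f, a in tones)
            frames += struct.pack("<h", int(max(-1.0, min(1.0, v)) * 32767))
        w.writeframes(bytes(frames))
    return buf.getvalue()


# Constructed recordings: an audible tone alone, and the same tone plus a 20 kHz carrier.
RATE = 48000
CLEAN = synth_wav(RATE, 1.0, [(1000.0, 0.5)])
SUSPECT = synth_wav(RATE, 1.0, [(1000.0, 0.5), (20000.0, 0.2)])

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, "fraction above 18 kHz = %.4f" % ultrasonic_fraction(data),
              "flagged" if looks_like_ultrasonic_carrier(data) else "not flagged")
```

The sample-rate guard matters in practice: a 44.1 kHz capture only reaches 22.05 kHz, so record at 48 kHz or, if the interface allows it, 96 kHz, and remember that a laptop microphone's analog front end and any automatic gain control may already roll off the band you are looking for. A published WAV checked this way would let others see the carrier for themselves, which is the point the Errata post makes.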

40hz:
This from ArsTechnica (link here):

Researcher skepticism grows over badBIOS malware claims
Peers have yet to reproduce the odd behavior infecting Dragos Ruiu's computers.
by Dan Goodin - Nov 5 2013, 9:30pm EST

Five days after Ars chronicled a security researcher's three-year odyssey investigating a mysterious piece of malware he dubbed badBIOS, some of his peers say they are still unable to reproduce his findings.

"I am getting increasingly skeptical due to the lack of evidence," fellow researcher Arrigo Triulzi told Ars after examining forensic data that Ruiu has turned over. "So either I am not as good as people say or there is really nothing."

As Ars reported last week, Ruiu said the malware first took hold of a MacBook Air of his three years ago and has since infected his laboratory computers running Windows, Linux, and BSD. Even more intriguing are his claims the malware targets his computers' low-level Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), or Extensible Firmware Interface (EFI) firmware and allows infected machines to communicate even when they're not connected over a network.

Since the article was published, researchers have attempted to reproduce the behavior Ruiu described. So far there have been no reports of success, and some of the more skeptical researchers are beginning to say Ruiu has misinterpreted or misrepresented the data. Ruiu, meanwhile, continues to stand by his conclusions. <more>
--- End quote ---

Starting to look a little iffy...

TaoPhoenix:
"Executive Summary is ..."

"Researcher skepticism grows over badBIOS malware claims
Peers have yet to reproduce the odd behavior infecting Dragos Ruiu's computers."

It's pretty risky to risk your entire career on a bogus security claim...

Unless...

Is that even his real name? Purposely not going TinFoilHat, does a bad SecRes report make ANY sense in ANY other realm of logic?

40hz:
Right now I think it's more an issue of a breach of professional etiquette.

The rule in this sort of game is go public with full information and engage the larger security community as soon as a genuine threat is positively identified. "Many eyes make for quick solutions" when it comes to combating malware. Ruiu's holding back so many details isn't the way it's done in this field.

There's also a hint of competition in the air. These security folks can sometimes behave like a couple of professional beauties attending a major public social gathering.

Either way, time will tell. ;)

rgdot:
"even when their power cords ... were removed"

Any discussion after this?  :huh:
