
Author Topic: Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps  (Read 11995 times)

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
Be afraid. Be very afraid. This is seriously scary stuff.

http://arstechnica.c...-that-jumps-airgaps/

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did. It was a very painful exercise. I've been suspicious of stuff around here ever since."

More at the link.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
Holy "three rings for the Elven Kings..." Mr. Frodo!

Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

Right now I'm decidedly skeptical (but still keeping an open mind) over roughly 50-70% of what is being claimed in that article.

However, if true (insofar as the other 30-50% goes) it makes for a very strong argument for Coreboot or UEFI - although Microsoft's gamesmanship with UEFI also makes me wonder if this story might be just a little too conveniently timed. Especially since desktop system/OS sales are down now that most companies are keeping their non-UEFI/SecureBoot legacy PCs for as long as possible rather than replacing them.

Time will tell... :(
« Last Edit: November 01, 2013, 06:34 AM by 40hz »

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
I'm not sure why you're so skeptical, especially in light of things like we've already seen released at Black Hat (RFID hacking up to 250 m). Much less the Black Hat presentation where the speaker was assassinated the day before...

And then there's the entire car hacking thing. Famous journalist anyone?

It's not that far fetched. There are plenty of examples of similar technologies out there.

However, I've not looked into it deeply. It's just something to keep in the back of your mind at the moment unless you've got the time to look into it further, which I don't have.

4wd

  • Supporting Member
  • Joined in 2006
  • Posts: 5,644
I would have thought:
1) a simple sound meter capable of measuring up to 25kHz (or 40kHz if you really want to check normal ultrasound transducer frequencies) would have settled the matter, and
2) the microphones in a laptop would be so frequency limited that they wouldn't respond to much above 20kHz (if that), since their primary purpose is to pick up the human voice (~400Hz-4kHz was standard for phones when I was with Telstra).

So I'm going along with 40 on this ... call me skeptical too  :)


Just for something to do, grab one of the many dog whistle apps for your smartphone and then point it at your laptop while it's running something like audioTester, Soundcard Oscilloscope, etc.
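The measurement 4wd proposes above (look for energy above roughly 18 kHz coming from the laptop) can be scripted once you have a capture. The block below is an added example, not code posted by anyone in this thread or by the researchers involved: it runs a pure-Python Goertzel filter over a constructed signal and flags a narrowband ultrasonic carrier as a bin sitting far above the band's median. The sample rate, band edges, step and threshold are assumptions chosen for the demo; the `can_capture_band` check encodes 4wd's point that a 44.1 kHz capture cannot show anything above 22.05 kHz.

```python
"""Added example: check an audio capture for a narrowband ultrasonic carrier.

Pure Python (no numpy) so it runs anywhere. A real capture would be a list of
float samples in [-1, 1] read from a WAV file; here the capture is constructed.
"""
import math
import random


def goertzel_power(samples, sample_rate, target_hz):
    """Power of `samples` at the DFT bin nearest `target_hz` (Goertzel algorithm).

    Normalised by N so blocks of different length are comparable: a sine of
    amplitude A sitting exactly on the bin gives A**2 * N / 4.
    """
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)     # nearest DFT bin index
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return (s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2) / n


def can_capture_band(sample_rate, band=(18_000, 24_000)):
    """Nyquist check: a capture only shows frequencies below sample_rate / 2."""
    return band[1] <= sample_rate / 2


def ultrasonic_bins(samples, sample_rate, band=(18_000, 24_000), step=500):
    """Goertzel power every `step` Hz across `band` (assumed band edges)."""
    if not can_capture_band(sample_rate, band):
        raise ValueError(f"{sample_rate} Hz capture cannot represent {band[1]} Hz; "
                         "record at 96 kHz or higher")
    return {f: goertzel_power(samples, sample_rate, f)
            for f in range(band[0], band[1] + 1, step)}


def carrier_check(samples, sample_rate, ratio_threshold=20.0):
    """Return (suspicious, peak_hz, peak_to_median).

    Background noise spreads evenly across the band, so every bin sits near
    the band median; a modulated carrier shows as one bin far above it. The
    threshold is an assumed value, not a calibrated one.
    """
    bins = ultrasonic_bins(samples, sample_rate)
    ordered = sorted(bins.values())
    median = ordered[len(ordered) // 2]
    peak_hz = max(bins, key=bins.get)
    ratio = bins[peak_hz] / (median + 1e-12)
    return ratio > ratio_threshold, peak_hz, ratio


def make_capture(sample_rate, seconds, tones, noise=0.01, seed=1):
    """Constructed capture: sum of (frequency_hz, amplitude) sines plus noise."""
    rng = random.Random(seed)
    n = int(sample_rate * seconds)
    return [sum(a * math.sin(2 * math.pi * f * i / sample_rate) for f, a in tones)
            + rng.gauss(0.0, noise)
            for i in range(n)]


if __name__ == "__main__":
    fs = 96_000
    quiet = make_capture(fs, 0.1, [(1_000, 0.5), (3_000, 0.3)])   # speech-band only
    tone = make_capture(fs, 0.1, [(1_000, 0.5), (20_000, 0.2)])   # plus a 20 kHz carrier
    for name, capture in (("speech only", quiet), ("with carrier", tone)):
        flagged, peak, ratio = carrier_check(capture, fs)
        print(f"{name}: suspicious={flagged} peak={peak} Hz ratio={ratio:.1f}")
```

The peak-to-median test is deliberately independent of how loud the speech band is, so a quiet room and a noisy one give the same verdict; what it cannot tell you is whether the laptop's microphone physically responds up there, which is 4wd's second point and needs the bench measurement, not a script.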

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
@4wd - You're missing a lot there. Audio frequencies have nothing to do with it.

4wd

  • Supporting Member
  • Joined in 2006
  • Posts: 5,644
Sorry, I was referring to the 'theory' about the high frequency networking side of it.

5 minutes should have been all that was required to prove it (assuming the machine cooperated in those 5 minutes), one way or the other.

EDIT: Maybe it's the way in which the story's told but it seems strange to me that they've had the problem for 3 years but it's only recently that they've suspected a USB drive?

I would have thought that one of the first things after seeing the symptoms on varying hardware would be to isolate what's common to all.

And I'm probably being a bit thick here but:

However, if true (insofar as the other 30-50% goes) it makes for a very strong argument for Coreboot or UEFI - although Microsoft's gamesmanship with UEFI also makes me wonder if this story might be just a little too conveniently timed. Especially since desktop system/OS sales are down now that most companies are keeping their non-UEFI/SecureBoot legacy PCs for as long as possible rather than replacing them.

Doesn't the MacBook, (and possibly all recent Macs), use EFI?

Yet, here's a piece of software that has infected it and, presumably, other UEFI based computers - I would have thought that it made a case against Coreboot/UEFI.

i.e. You'd be safer with the old Award/AMI BIOSes.


NVM: I missed the reference distinguishing the two.
« Last Edit: November 01, 2013, 11:03 PM by 4wd »

ewemoa

  • Honorary Member
  • Joined in 2008
  • Posts: 2,922
Was reminded of the concern I felt when I encountered Intel vPro.

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
Sorry, I was referring to the 'theory' about the high frequency networking side of it.

Ah. Got it.

Some news asking if it's a hoax or not:

http://news.softpedi...or-Hoax-396177.shtml

On Thursday, Ars Technica ran a story about badBIOS, a nasty piece of malware allegedly discovered three years ago by security consultant Dragos Ruiu on an Apple laptop. The malware is so sophisticated that some wonder if the story is real or just a hoax.

If it's not a hoax, it's darn scary. If it is a hoax, then GOOD! :D

I'm not sure though. There's enough really sophisticated stuff out there that makes something like this plausible.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,649
IIRC f0dder posted something a few (3?) years back regarding a low-level hardware based virus that could potentially be cross platform. It was in the theoretical/experimental phase at that point, but it does allow for this - to the best of my recollection - to be at least partially based in fact. Even if parts of the story were created with a bit of Hollywood's lights and magic.

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
at least partially based in fact. Even if parts of the story were created with a bit of Hollywood's lights and magic.

This.

I don't rule out the possibility. (Anything is possible, either with software, or in a cartoon.) But I'm a little skeptical of the imminent threat aspect portrayed so far. BIOS infectors are nothing new. They were being proposed back in the days of DOS. So were GPU based infections later on. But there's a big difference between developing a virus as a "proof of concept in the lab" exercise and having one that can successfully propagate in the wild.

If this puppy were half as virulent and stealthy as claimed, it would be all over the place by now. But so far, it's apparently confined to a single location. Which makes no sense since it can supposedly jump the air gap - which would mean virtually any laptop that was ever booted in this environment should have been infected and gone on to spread this virus fairly quickly out in the wild.

Dunno. There's something that seems either misreported, missing, or exaggerated in this story. And the details seem very sparse and slow in coming - which is also weird since real malware fighters share info and go public fairly quickly once a threat is strongly suspected or identified. This seems more like the guy is trying to keep a large part of whatever he supposedly found to himself.

Nope. I don't rule it out. But I think I'm still going to reserve any judgment for the time being.
 8)
« Last Edit: November 03, 2013, 06:21 AM by 40hz »

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
Article with some more info on this over at Errata Security. Link here.

Despite some reservations, Errata Security feels Dragos Ruiu is on the level with all this.

First, a disclaimer

The story so far is this: Dragos's laptops appear to be have been infected by a virus more advanced than anything seen so far, more advanced than Stuxnet or Flame, two previous examples of state-sponsored advanced viruses.

We don't know if any of this is real. Dragos could be having a psychotic episode where paranoia has gotten the best of him. Our industry is rife with paranoia, where our "Occam's Razor" is tuned to believing that the most plausible explanation for everything is "hackers". Weird sounds coming from the speakers? OMG it's a hacker!!

Also, Dragos hasn't given us anything we can independently verify. If it's a bad BIOS, Dragos can extract it and publish it. If a USB drive infects a system, Dragos can use a USB sniffer and dump all the packets going across the USB bus. If it's ultrasonic audio, Dragos could record the sound in WAV files. He could publish all this stuff, and we could see for ourselves whether it's real or not. That he hasn't casts doubt on what he's found.

But at the same time, this is Dragos Ruiu, a well-respected researcher for 15 years. If he says he's got an infected BIOS, I'm going to believe him. Sure, he's probably gotten some things wrong: just because "they" really are out to get you doesn't mean that "they" are responsible for every phenomenon you can't explain. But on the whole, I (and many other old-time experts) believe that in the end, most everything he suspects will be confirmed.
...
Everything Dragos describes is plausible. It's not the mainstream of "hacking", but neither is it "nation state" level hacking. That it's all so plausible lends credence to the idea that Dragos isn't imagining it. Of course, since Dragos is an expert, his imagination is likely to be full of factually correct details anyway, so maybe the plausibility of these hacks isn't such a guarantee of truth.

Dragos has only been analyzing this for a few weeks. Presumably, he won't give us the full details for us to check out until the next CanSecWest conference. Until then, I guess we are all just blowing smoke about whether this is "real" or not.
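Errata's point that an extracted BIOS image could simply be published for independent checking is what firmware verification looks like in practice: dump the flash, hash it, and diff it against the vendor's image so other people can confirm the same bytes. The script below is an added example, not code from Errata Security, Ars or anyone in this thread. The flashrom invocation named in its docstring is that real tool's usage, but the two images it compares are constructed in-script so it runs offline, and the offsets it reports are those constructed values, nothing taken from badBIOS.

```python
"""Added example: compare a firmware dump against a known-good image.

Assumes two raw SPI-flash dumps of equal size, e.g. obtained with flashrom
(`flashrom -p <programmer> -r dump.bin`); here both images are constructed
so the script runs offline.
"""
import hashlib
import random


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, sample: bytes, merge_gap: int = 16):
    """Return [(offset, length), ...] where `sample` differs from `reference`.

    Differences closer than `merge_gap` bytes are merged so one patched block
    is reported as a single region rather than a scatter of bytes.
    """
    if len(reference) != len(sample):
        raise ValueError(f"image sizes differ: {len(reference)} vs {len(sample)} bytes")
    regions = []
    for i in range(len(reference)):
        if reference[i] == sample[i]:
            continue
        if regions and i - (regions[-1][0] + regions[-1][1]) <= merge_gap:
            start = regions[-1][0]
            regions[-1] = (start, i - start + 1)     # extend the previous region
        else:
            regions.append((i, 1))
    return regions


def compare_images(reference: bytes, sample: bytes, merge_gap: int = 16) -> dict:
    """Hashes plus differing regions: the artefact you would publish for others to check."""
    return {
        "reference_sha256": sha256_hex(reference),
        "sample_sha256": sha256_hex(sample),
        "identical": reference == sample,
        "regions": diff_regions(reference, sample, merge_gap),
    }


def constructed_images(size: int = 64 * 1024, seed: int = 7):
    """Constructed test data: a pseudo-random 'vendor' image and a copy with
    three modified spots (16 bytes at 0x1000, one byte at 0x1018, one at 0x2000)."""
    rng = random.Random(seed)
    reference = bytes(rng.getrandbits(8) for _ in range(size))
    patched = bytearray(reference)
    for i in range(0x1000, 0x1010):
        patched[i] ^= 0xFF       # XOR guarantees every byte actually changes
    patched[0x1018] ^= 0x01
    patched[0x2000] ^= 0x01
    return reference, bytes(patched)


def format_report(result: dict) -> str:
    lines = [f"reference sha256: {result['reference_sha256']}",
             f"sample    sha256: {result['sample_sha256']}",
             f"identical: {result['identical']}"]
    for offset, length in result["regions"]:
        lines.append(f"  differs at 0x{offset:08x}, {length} bytes")
    return "\n".join(lines)


if __name__ == "__main__":
    ref, dump = constructed_images()
    print(format_report(compare_images(ref, dump)))
```

One caveat a practitioner would add: a dump read through the running operating system is only as trustworthy as the firmware that services the read, so for the comparison to mean anything against a suspected BIOS implant the sample should come from an external programmer clipped to the flash chip, and the reference should be the vendor's published image rather than another machine in the same lab.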

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
This from ArsTechnica (link here):

Researcher skepticism grows over badBIOS malware claims
Peers have yet to reproduce the odd behavior infecting Dragos Ruiu's computers.

by Dan Goodin - Nov 5 2013, 9:30pm EST

Five days after Ars chronicled a security researcher's three-year odyssey investigating a mysterious piece of malware he dubbed badBIOS, some of his peers say they are still unable to reproduce his findings.

"I am getting increasingly skeptical due to the lack of evidence," fellow researcher Arrigo Triulzi told Ars after examining forensic data that Ruiu has turned over. "So either I am not as good as people say or there is really nothing."

As Ars reported last week, Ruiu said the malware first took hold of a MacBook Air of his three years ago and has since infected his laboratory computers running Windows, Linux, and BSD. Even more intriguing are his claims the malware targets his computers' low-level Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), or Extensible Firmware Interface (EFI) firmware and allows infected machines to communicate even when they're not connected over a network.

Since the article was published, researchers have attempted to reproduce the behavior Ruiu described. So far there have been no reports of success, and some of the more skeptical researchers are beginning to say Ruiu has misinterpreted or misrepresented the data. Ruiu, meanwhile, continues to stand by his conclusions. <more>

Starting to look a little iffy...

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • Posts: 4,642
"Executive Summary is ..."

"Researcher skepticism grows over badBIOS malware claims
Peers have yet to reproduce the odd behavior infecting Dragos Ruiu's computers."

It's pretty risky to risk your entire career on a bogus security claim...

Unless...

Is that even his real name? Purposely not going TinFoilHat, does a bad SecRes report make ANY sense in ANY other realm of logic?


40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
Right now I think it's more an issue of a breach of professional etiquette.

The rule in this sort of game is go public with full information and engage the larger security community as soon as a genuine threat is positively identified. "Many eyes make for quick solutions" when it comes to combating malware. Ruiu's holding back so many details isn't the way it's done in this field.

There's also a hint of competition in the air. These security folks can sometimes behave like a couple of professional beauties attending a major public social gathering.

Either way, time will tell. ;)

rgdot

  • Supporting Member
  • Joined in 2009
  • Posts: 2,193
"even when their power cords ... were removed"

Any discussion after this?  :huh:

Deozaan

  • Charter Member
  • Joined in 2006
  • Points: 1
  • Posts: 9,768
"even when their power cords ... were removed"

Any discussion after this?  :huh:

In other words, even when they were running on battery.

rgdot

  • Supporting Member
  • Joined in 2009
  • Posts: 2,193
So why start the sentence with 'even when their'?

Deozaan

  • Charter Member
  • Joined in 2006
  • Points: 1
  • Posts: 9,768
So why start the sentence with 'even when their'?

Let's see the full sentence:

Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

That means the infected machines could transmit small amounts of network data to other infected machines. Even machines with power cords unplugged (running on battery). And with Ethernet cables unplugged. And with their Wi-Fi and Bluetooth cards removed.

The idea was that possibly it was transmitting data through the power line, so they made sure to run it on battery without the power cord plugged into the wall. They also disconnected all other standard networking hardware.

rgdot

  • Supporting Member
  • Joined in 2009
  • Posts: 2,193
So we are worried someone has invented communications without needing layer 1? How likely is that?

My point is a security guy thinks a machine running on battery is functionally different than on cord. If you are worried about data moving up or down you need to remove communications interfaces and hardware, even if you are worried about data over power lines.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,649
So we are worried someone has invented communications without needing layer 1? How likely is that?

Anything wanted bad enough by the right people tends to get created or found by someone shortly thereafter...generally for a price.


My point is a security guy thinks a machine running on battery is functionally different than on cord. If you are worried about data moving up or down you need to remove communications interfaces and hardware, even if you are worried about data over power lines.

He did. It was only after disconnecting the obvious stuff that he got down to the unlikely stuff, and was then left with the truly ridiculous stuff because activity was still being seen. Which landed the debate on the practicality of trying to send usefully sized data using sounds outside the normal range of hearing with laptop speakers and microphones. As ludicrous as this may sound, if the object is just to get a foot in the door of an isolated system, it could be a viable option if a very short yet finely pointed message could be crafted.

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
^If it were me, right now the thing I'd be looking for is somebody in the lab with a USB key and an axe to grind - or a very cruel sense of humor.

So...if I had to place a bet on:

  • multiple breakthroughs in malware engineering that are so radical they border on alien technology, or...
  • somebody in my lab getting sloppy - or who got sloppy and decided it was better not to 'fess up after the boss went crazy thinking he found something BIG, or...
  • somebody just dicking with me

I'd probably put the bulk of my money on #2 to win, plus a buck or two on #3 to place.


Just sayin'... ;)
« Last Edit: November 06, 2013, 12:47 PM by 40hz »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,649
So you're going with the people are generally meaner than they are smart angle ... :-\ ... I'm ok with that ;)

But I was really just trying to clarify the issue at its face value, not endorse it.