
badBIOS: Jumping the Gap

November 1, 2013 | By Joshua Cannell


Is it possible there exists malware capable of infecting the deepest parts of a computer? That knows exactly when you’re looking for it and communicates over high-frequency speaker sounds?

To the average person, this may seem a little far-fetched. However, if you ask a man named Dragos Ruiu, you’ll likely be met with a confident “yes.”

Ruiu, who dubbed the malware "badBIOS," first noticed it three years ago when his MacBook Air began behaving strangely. Since then, it has been an ongoing battle.

Ruiu is a security professional well known for organizing the annual CanSecWest conference and for founding Pwn2Own, the contest held alongside it in which participants exploit popular software.

Ruiu is confident the malware spreads via USB devices, although this has not been independently confirmed.

Last week in a post on Google+ he wrote, “I lost another one yesterday confirming that simply plugging in a USB device from an infected system into a clean one is sufficient to infect.”

According to his analysis, the easiest way to tell whether badBIOS has infected a computer is that the machine can no longer boot from a CD-ROM drive. Ruiu believes this is meant to stop the user from booting into an operating system the malware has no code for.

“It’s trying to keep its claws, as it were, on the machine,” Ruiu wrote. “It doesn’t want you to boot another OS it might not have code for.”

This behavior has persisted over the years; just last week Ruiu stated that "The tell is still that badBIOS systems refuse to boot CDs (this is across all os'es, including my Macs)".

The malware is also reported to have defensive mechanisms. At one point, Ruiu tried searching the registry for the malware's keys, only to find that the registry editor's search function had stopped working.

"We were editing some of the components and our registry editor got disabled," Ruiu said. "It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an airgapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

What is most interesting about badBIOS, however, is its reported ability to bridge air gaps: computers kept physically disconnected from every network, which is the standard precaution when handling infected machines.

"So it turns out that annoying high frequency whine in my sound system isn't crappy electrical noise that has been plaguing my wiring for years," he writes. "It is actually high frequency ultrasonic transmissions that malware has been using to communicate to airgapped computers." Ruiu states that the airgapped computers behave as if they were connected directly to the internet.

Of course, at this point none of this has been proven true. In fact, none of Ruiu's analysis or methods have been reviewed by anyone else. Ruiu has not released any formal analysis, and it also seems peculiar that, after three years of tracking this, he brought it to the public only two weeks ago.

But it’s not been proven untrue, either.

In fact, the capabilities attributed to badBIOS are not entirely outside the realm of possibility. Recall that the notorious Flame espionage malware could use an infected machine's Bluetooth radio to beacon its presence and enumerate nearby devices. In addition, Dan Goodin of Ars Technica points to extensive research in ultrasonic networking performed at MIT.
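The feasibility question is one a practitioner can test directly. What follows is an added example, not code from Ruiu, from this post's author, or from the MIT research cited: it sends bytes as binary frequency-shift keying on two near-ultrasonic tones and recovers them with a Goertzel filter, entirely on synthesized samples, so it runs without a sound card. The sample rate (48 kHz), tone frequencies (18 kHz and 19 kHz), symbol length (10 ms) and the seeded Gaussian noise are all assumptions chosen for the demo.

```python
import math
import random

# Link parameters (assumed for this demo; a real link would be tuned to the
# speaker and microphone in use).
SAMPLE_RATE = 48000           # samples per second
SYMBOL_SECONDS = 0.01         # 10 ms per bit, i.e. 100 bit/s
F_ZERO = 18000.0              # tone for a 0 bit (Hz)
F_ONE = 19000.0               # tone for a 1 bit (Hz)
SAMPLES_PER_BIT = int(SAMPLE_RATE * SYMBOL_SECONDS)   # 480 samples


def bytes_to_bits(data):
    """MSB-first list of bits for a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(data, amplitude=0.5):
    """Binary FSK: each bit becomes SAMPLES_PER_BIT samples of one tone.

    Phase is carried across symbols so there are no discontinuities
    (clicks) that would spread energy down into the audible band.
    """
    samples = []
    phase = 0.0
    for bit in bytes_to_bits(data):
        step = 2.0 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(amplitude * math.sin(phase))
            phase += step
    return samples


def goertzel_power(block, freq):
    """Energy at one frequency in a block (Goertzel algorithm).

    Cheaper than a full FFT when only two bins matter, and the kind of
    filter a receiver on a constrained host would realistically run.
    """
    n = len(block)
    k = int(round(n * freq / SAMPLE_RATE))       # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Decide each symbol by comparing energy at the two tone frequencies."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[i:i + SAMPLES_PER_BIT]
        one = goertzel_power(block, F_ONE)
        zero = goertzel_power(block, F_ZERO)
        bits.append(1 if one > zero else 0)
    return bits_to_bytes(bits)


def add_noise(samples, sigma, seed=1):
    """Add seeded Gaussian noise (constructed for the demo, deterministic)."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def round_trip(message, noise_sigma=0.0):
    """Modulate, optionally corrupt with noise, demodulate; return the bytes recovered."""
    audio = modulate(message)
    if noise_sigma > 0:
        audio = add_noise(audio, noise_sigma)
    return demodulate(audio)


if __name__ == "__main__":
    msg = b"airgap"
    print("clean :", round_trip(msg))
    # Noise with the same RMS as the tone amplitude (about -3 dB per-sample SNR).
    print("noisy :", round_trip(msg, noise_sigma=0.5))
```

Run it as a script to see a clean and a noisy round trip. The point it makes is that with narrowband detection a tone no louder than the surrounding noise is still decoded reliably, which is why a faint "high frequency whine" could plausibly carry data. It deliberately leaves out what a real channel needs: a preamble for symbol synchronization, error correction, and a speaker and microphone that actually pass energy at these frequencies (laptop speakers often roll off sharply above the mid-teens of kHz, so a spectrum analyzer on the microphone input is the first check to run). Defensively, the same Goertzel measurement over live microphone input is a cheap detector for sustained energy in this band.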

Could badBIOS take modern malware to the next level? We’ll keep you updated as we find out more. In the meantime, share your thoughts in the comments below.

_________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell


  • Carlos Almeida

    Hello Joshua Cannell, I think I have a PC at work with some kind of virus of the type you have described. I couldn't install from a Windows 7 CD, but I could from a Windows XP one; I can't run other CDs (recovery-type CDs). A HDD goes bad when installed in the machine, but if it is formatted and put in another machine all goes well.
    With your blog post I will return to the machine and see what more I can find. Thanks a lot... sorry for my poor English.

  • Theodis Butler

    So computers are exploited remotely by sound. I better mute my mic!

  • Zac Sanford

    I know most people don't believe this is possible, but let me explain why it is. How long has the NSA been around? Who invented the first true OS? Who funded that project in the 60's? So you're going to tell me that a gov't agency which has spent 50 years of SECRET budgets (fueled by the Cold War) hasn't made some serious advances? Everyone needs to pay a little bit more attention. Google just recently bought a quantum computer; do you really think they were the first to own one of these? There is no telling how deep the rabbit hole goes, I'll just leave that to the imagination. I can tell you from PERSONAL experience that this does exist. If you leave their little ultimate spy kit alone the Owner/Operators will not mess with you. If you don't share some radical philosophy that has flagged you then you should not have this installed. Go be stupid on the internet (in the US), type in some naughty words in today's environment (you know the nasty little 't', 'b', or 'j' words), be observant and see what happens. DHS and NSA do a wonderful job trampling the constitution. Dig into your OS after a couple of days, or fully encrypt that hard disk. See if your world doesn't become full of strange coincidences. We have no idea of the level of technology that exists in the world of black budgets.
