badBIOS: Jumping the Gap
Is it possible there exists malware capable of infecting the deepest parts of a computer? That knows exactly when you’re looking for it and communicates over high-frequency speaker sounds?
To the average person, this may seem a little far-fetched. However, if you ask a man named Dragos Ruiu, you’ll likely be met with a confident “yes.”
Dubbed “badBIOS,” Ruiu discovered the malware three years ago when he noticed a strange behavior on his Macbook Air. Since then, it’s been an ongoing battle.
Ruiu, a security professional well-known for organizing the annual CanSecWest conference, is the founder of Pwn2Own, a contest where participants exploit popular software that’s also held at the conference.
Ruiu is confident the malware spreads through a USB stick, although this has not been confirmed.
Last week in a post on Google+ he wrote, “I lost another one yesterday confirming that simply plugging in a USB device from an infected system into a clean one is sufficient to infect.”
According to his analysis, the easiest way to determine if badBIOS infected a computer was its inability to boot from a CD-ROM drive. Ruiu believes this is to prevent users from booting into an OS that may not be supported by the malware.
“It’s trying to keep its claws, as it were, on the machine,” Ruiu wrote. “It doesn’t want you to boot another OS it might not have code for.”
Over the years, this functionality of the malware has remained, as Ruiu stated just last week that ”The tell is still that badBIOS systems refuse to boot CDs (this is across all os’es, including my Macs)”.
The malware is also reported to have defensive mechanisms. At one point, Ruiu tried searching for malware registry keys, only to find the search function wasn’t working anymore.
“We were editing some of the components and our registry editor got disabled,” Ruiu said, “It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an airgapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”
What’s most interesting about badBIOS, however, is it’s ability to bypass airgaps; that is, isolated areas for infected computers, disconnected from all other computers on the network.
“So it turns out that annoying high frequency whine in my sound system isn’t crappy electrical noise that has been plaguing my wiring for years,” he writes in an article. “It is actually high frequency ultrasonic transmissions that malware has been using to communicate to airgapped computers.” Riuiu states the airgapped computers act as if they were connected directly to the internet.
Of course, at this point, none of this has been proven true. In fact, none of Ruiu’s analysis or processes have even been reviewed. There hasn’t been any official analysis released yet by Ruiu, and it also seems peculiar that after three years of knowing about this, Ruiu takes this information to public ears only two weeks ago.
But it’s not been proven untrue, either.
In fact, the capabilities reported in the badBIOS malware aren’t entirely outside the realm of possibility. If you recall, the notorious Flame malware used for cyber espionage had capabilities to beacon from infected bluetooth devices. In addition, Dan Goodin from Ars Technica cites extensive research in Ultrasonic-based networking performed by MIT.
Could badBIOS take modern malware to the next level? We’ll keep you updated as we find out more. In the meantime, share your thoughts in the comments below.
Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell