Malware Alert: Is BadBIOS Rootkit Jumping Air Gaps?

Security researcher believes unusually advanced malware might be transmitting stolen data via ultrasonic sounds, but other experts remain skeptical.

9 Android Apps To Improve Security, Privacy (click image for larger view)
Is advanced malware quietly infecting the BIOS on targeted systems that arent connected to the Internet, then relaying stolen data to Internet-connected computers using ultrasonic sound?
Thats the conclusion reached by Dragos Ruiu, a respected security consultant who organizes the annual CanSecWest conference in Vancouver. Hes lately been
documenting
his research into an advanced -- and persistent -- threat that appears to spread via USB drives, and to infect the BIOS firmware that enables applications and operating systems to interact with computer hardware.
Ruiu said he first spotted evidence of the related malware three years ago, when he found that a MacBook Air on which hed installed a fresh copy of OS X was updating a part of its firmware tied to the startup routine, after which it refused to let him boot the device from an external CD drive.
Later, Ruiu found that data stored on a computer running the free Open BSD operating system mysteriously disappeared. Then, a few weeks ago, he noticed that a computer that didnt have the next-generation Internet networking protocol IPv6 enabled was nevertheless transmitting packets using IPv6.
[ Which Windows operating system has the biggest problem with malware? Read
Windows XP Malware: 6X As Bad As Windows 8
. ]
In addition, he also found machines transmitting small amounts of encrypted network data, even when their Wi-Fi and Bluetooth cards were removed, networking cables unplugged, and which were running on battery power with their power cords unplugged, thus eliminating the possibility of power-line networking connections. Furthermore, the odd behavior affected not just Macs but also Windows and Linux systems, and only ceased when the microphone, external speaker, and speaker attached to the motherboard were removed.
So it turns out that annoying high frequency whine in my sound system isnt crappy electrical noise that has been plaguing my wiring for years, Ruiu said in an Oct. 16
blog post
. It is actually high frequency ultrasonic transmissions that malware has been using to communicate to airgapped computers.
Ruiu surmised that malicious BIOS firmware -- which he dubbed badBIOS -- was being used to store a hypervisor that was able to survive reboots, or even the BIOS being reflashed. Infected systems seem to reprogram the flash controllers on USB sticks (and CD drives, more on that later) to attack the system, he wrote recently.
The suspicion right now is theres some kind of buffer overflow in the way the BIOS is reading the drive itself, and theyre reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table, Ruiu
told Ars Technica
last week.
But does Ruius analysis of the BIOS malware -- which has been described by some commentators as being more advanced than Stuxnet or Flame -- hold water?
Im not sure what to make of this. When I first read it, I thought it was a hoax, said Bruce Schneier, chief security technology officer of BT, in a
blog post
Monday. But enough others are taking it seriously that I think its a real story. I dont know whether the facts are real, and I havent seen anything about what this malware actually does.
The weirdest part is how it uses ultrasonic sound to jump air gaps, he said.
Other security researchers, meanwhile, have noted that everything Ruiu has described is technically feasible. Everything Dragos describes is plausible. Its not the mainstream of hacking, but neither is it nation state level hacking, said Robert David Graham, CEO of penetration testing firm Errata Security, in a
blog post
. That its all so plausible [lends] credence to the idea that Dragos isnt imagining it.
Indeed, technically speaking, writing malware that could interact with USB flash drive controllers wouldnt be a big challenge. There are only like 10 different kinds of flash controllers used in all the different brands of memory sticks and all of them are reprogrammable, so writing a generic attack is totally feasible, Ruiu recently posted online. Coincidentally the only sites Ive found with flash controller reset software are .ru sites, and seem to 404 on infected systems, referring to sites registered using the top-level domain name for Russia (.ru).
But with those bits of evidence hand, its still not clear exactly what Ruiu might have stumbled on, or who might have built it. Accordingly, Ruiu, and other security researchers, as well as detractors, continue to sift through related clues and explanations.
In the meantime, dont expect definitive answers anytime soon, Graham said. Dragos has only been analyzing this for a few weeks. Presumably, he wont give us the full details for us to check out until the next CanSecWest conference [in March 2014], he said. Until then, I guess we are all just blowing smoke about whether this is real or not.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps