11/4/2013
04:56 PM

Malware Alert: Is 'BadBIOS' Rootkit Jumping Air Gaps?

Security researcher believes unusually advanced malware might be transmitting stolen data via ultrasonic sounds, but other experts remain skeptical.

Is advanced malware quietly infecting the BIOS on targeted systems that aren't connected to the Internet, then relaying stolen data to Internet-connected computers using ultrasonic sound?

That's the conclusion reached by Dragos Ruiu, a respected security consultant who organizes the annual CanSecWest conference in Vancouver. He's lately been documenting his research into an advanced -- and persistent -- threat that appears to spread via USB drives, and to infect the BIOS firmware that enables applications and operating systems to interact with computer hardware.

Ruiu said he first spotted evidence of the related malware three years ago, when he found that a MacBook Air on which he'd installed a fresh copy of OS X was updating a part of its firmware tied to the startup routine, after which it refused to let him boot the device from an external CD drive.

Later, Ruiu found that data stored on a computer running the free OpenBSD operating system mysteriously disappeared. Then, a few weeks ago, he noticed that a computer that didn't have the next-generation Internet networking protocol IPv6 enabled was nevertheless transmitting packets using IPv6.


In addition, he found machines transmitting small amounts of encrypted network data even when their Wi-Fi and Bluetooth cards had been removed, their network cables were unplugged, and they were running on battery power with the power cords unplugged, which ruled out power-line networking. Furthermore, the odd behavior affected not just Macs but also Windows and Linux systems, and it ceased only when the microphone, the external speaker, and the speaker attached to the motherboard were removed.

"So it turns out that annoying high frequency whine in my sound system isn't crappy electrical noise that has been plaguing my wiring for years," Ruiu said in an Oct. 16 blog post. "It is actually high frequency ultrasonic transmissions that malware has been using to communicate to airgapped computers."
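One way a defender can test the claim above on their own hardware is to look for energy in the near-ultrasonic band that a human would not hear. The following is an added illustration, not code from the article or from Ruiu's research; it assumes a 44.1 kHz microphone capture and uses a constructed test signal (an audible 1 kHz hum plus a 19 kHz carrier switched on and off) in place of a real recording.

```python
import math

RATE = 44100            # assumed microphone capture rate (samples per second)
FRAME = 1024            # ~23 ms analysis window
BAND = (18000, 22000)   # near-ultrasonic band that ordinary laptop audio paths may still pass
THRESHOLD = 0.10        # fraction of a frame's energy in BAND that flags the frame

def goertzel_power(frame, k):
    """Power |X_k|^2 of DFT bin k of frame, via the Goertzel recurrence (no FFT library)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def ultrasonic_fraction(frame, rate=RATE, band=BAND):
    """Share (0..1) of the frame's energy that lies in the near-ultrasonic band."""
    n = len(frame)
    energy = sum(x * x for x in frame)
    if energy == 0.0:
        return 0.0
    k_lo = math.ceil(band[0] * n / rate)
    k_hi = math.floor(band[1] * n / rate)
    band_power = sum(goertzel_power(frame, k) for k in range(k_lo, k_hi + 1))
    # Parseval: sum over all n bins of |X_k|^2 == n * energy. A real tone splits its power
    # across bins k and n-k, so 2 * band_power / (n * energy) is the band's energy share.
    return min(1.0, 2.0 * band_power / (n * energy))

def flag_frames(samples, rate=RATE, frame=FRAME, threshold=THRESHOLD):
    """One bool per frame: True where near-ultrasonic energy exceeds the threshold."""
    return [ultrasonic_fraction(samples[i:i + frame], rate) >= threshold
            for i in range(0, len(samples) - frame + 1, frame)]

def constructed_capture(bits, amp_ultra=0.3, rate=RATE, frame=FRAME):
    """Constructed stand-in for a microphone recording: a 1 kHz audible hum plus a 19 kHz
    carrier that is keyed on (bit 1) or off (bit 0), one frame per bit."""
    out = []
    for i, bit in enumerate(bits):
        for n in range(i * frame, (i + 1) * frame):
            t = n / rate
            s = 0.5 * math.sin(2 * math.pi * 1000 * t)
            if bit:
                s += amp_ultra * math.sin(2 * math.pi * 19000 * t)
            out.append(s)
    return out

if __name__ == "__main__":
    print(flag_frames(constructed_capture([1, 0, 1, 1, 0])))  # [True, False, True, True, False]
```

On a real machine, feed `flag_frames` the PCM samples from a microphone capture; a run of flagged frames while the room is quiet is the kind of signal worth investigating (or simply ruling out as a noisy power supply).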

Ruiu surmised that malicious BIOS firmware -- which he dubbed "badBIOS" -- was being used to store a "hypervisor" that was able to survive reboots, or even the BIOS being reflashed. "Infected systems seem to reprogram the flash controllers on USB sticks (and CD drives, more on that later) to attack the system," he wrote recently.

"The suspicion right now is there's some kind of buffer overflow in the way the BIOS is reading the drive itself, and they're reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table," Ruiu told Ars Technica last week.

But does Ruiu's analysis of the BIOS malware -- which has been described by some commentators as being more advanced than Stuxnet or Flame -- hold water?

"I'm not sure what to make of this. When I first read it, I thought it was a hoax," said Bruce Schneier, chief security technology officer of BT, in a blog post Monday. "But enough others are taking it seriously that I think it's a real story. I don't know whether the facts are real, and I haven't seen anything about what this malware actually does."

"The weirdest part is how it uses ultrasonic sound to jump air gaps," he said.

Other security researchers, meanwhile, have noted that everything Ruiu has described is technically feasible. "Everything Dragos describes is plausible. It's not the mainstream of 'hacking,' but neither is it 'nation state' level hacking," said Robert David Graham, CEO of penetration testing firm Errata Security, in a blog post. "That it's all so plausible [lends] credence to the idea that Dragos isn't imagining it."

Indeed, technically speaking, writing malware that could interact with USB flash drive controllers wouldn't be a big challenge. "There are only like 10 different kinds of flash controllers used in all the different brands of memory sticks and all of them are reprogrammable, so writing a generic attack is totally feasible," Ruiu recently posted online. "Coincidentally the only sites I've found with flash controller reset software are .ru sites, and seem to 404 on infected systems," he added, referring to sites registered under the top-level domain for Russia (.ru).

But with those bits of evidence in hand, it's still not clear exactly what Ruiu might have stumbled on, or who might have built it. Accordingly, Ruiu, other security researchers, and detractors alike continue to sift through related clues and explanations.

In the meantime, don't expect definitive answers anytime soon, Graham said. "Dragos has only been analyzing this for a few weeks. Presumably, he won't give us the full details for us to check out until the next CanSecWest conference [in March 2014]," he said. "Until then, I guess we are all just blowing smoke about whether this is 'real' or not."

Comments
Thomas Claburn, User Rank: Moderator
11/6/2013 | 1:40:33 AM
re: Malware Alert: Is 'BadBIOS' Rootkit Jumping Air Gaps?
This fellow argues Dragos Ruiu got it wrong:
http://www.rootwyrm.com/2013/1...
moarsauce123, User Rank: Apprentice
11/6/2013 | 12:19:42 AM
re: Malware Alert: Is 'BadBIOS' Rootkit Jumping Air Gaps?
The common computer speaker and microphone are incapable of transmitting and receiving ultrasonic waves. While theoretically possible, the number of high-end-audio-equipped PCs should be close to zero.