Attacks/Breaches
11/4/2013
04:56 PM
Connect Directly
RSS
E-Mail
50%
50%

Malware Alert: Is 'BadBIOS' Rootkit Jumping Air Gaps?

Security researcher believes unusually advanced malware might be transmitting stolen data via ultrasonic sounds, but other experts remain skeptical.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Is advanced malware quietly infecting the BIOS on targeted systems that aren't connected to the Internet, then relaying stolen data to Internet-connected computers using ultrasonic sound?

That's the conclusion reached by Dragos Ruiu, a respected security consultant who organizes the annual CanSecWest conference in Vancouver. He's lately been documenting his research into an advanced -- and persistent -- threat that appears to spread via USB drives, and to infect the BIOS firmware that enables applications and operating systems to interact with computer hardware.

Ruiu said he first spotted evidence of the related malware three years ago, when he found that a MacBook Air on which he'd installed a fresh copy of OS X was updating a part of its firmware tied to the startup routine, after which it refused to let him boot the device from an external CD drive.

Later, Ruiu found that data stored on a computer running the free Open BSD operating system mysteriously disappeared. Then, a few weeks ago, he noticed that a computer that didn't have the next-generation Internet networking protocol IPv6 enabled was nevertheless transmitting packets using IPv6.

[ Which Windows operating system has the biggest problem with malware? Read Windows XP Malware: 6X As Bad As Windows 8. ]

In addition, he also found machines transmitting small amounts of encrypted network data, even when their Wi-Fi and Bluetooth cards were removed, networking cables unplugged, and which were running on battery power with their power cords unplugged, thus eliminating the possibility of power-line networking connections. Furthermore, the odd behavior affected not just Macs but also Windows and Linux systems, and only ceased when the microphone, external speaker, and speaker attached to the motherboard were removed.

"So it turns out that annoying high frequency whine in my sound system isn't crappy electrical noise that has been plaguing my wiring for years," Ruiu said in an Oct. 16 blog post. "It is actually high frequency ultrasonic transmissions that malware has been using to communicate to airgapped computers."

Ruiu surmised that malicious BIOS firmware -- which he dubbed "badBIOS" -- was being used to store a "hypervisor" that was able to survive reboots, or even the BIOS being reflashed. "Infected systems seem to reprogram the flash controllers on USB sticks (and CD drives, more on that later) to attack the system," he wrote recently.

"The suspicion right now is there's some kind of buffer overflow in the way the BIOS is reading the drive itself, and they're reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table," Ruiu told Ars Technica last week.

But does Ruiu's analysis of the BIOS malware -- which has been described by some commentators as being more advanced than Stuxnet or Flame -- hold water?

"I'm not sure what to make of this. When I first read it, I thought it was a hoax," said Bruce Schneier, chief security technology officer of BT, in a blog post Monday. "But enough others are taking it seriously that I think it's a real story. I don't know whether the facts are real, and I haven't seen anything about what this malware actually does."

"The weirdest part is how it uses ultrasonic sound to jump air gaps," he said.

Other security researchers, meanwhile, have noted that everything Ruiu has described is technically feasible. "Everything Dragos describes is plausible. It's not the mainstream of 'hacking,' but neither is it 'nation state' level hacking," said Robert David Graham, CEO of penetration testing firm Errata Security, in a blog post. "That it's all so plausible [lends] credence to the idea that Dragos isn't imagining it."

Indeed, technically speaking, writing malware that could interact with USB flash drive controllers wouldn't be a big challenge. "There are only like 10 different kinds of flash controllers used in all the different brands of memory sticks and all of them are reprogrammable, so writing a generic attack is totally feasible," Ruiu recently posted online. "Coincidentally the only sites I've found with flash controller reset software are .ru sites, and seem to 404 on infected systems," referring to sites registered using the top-level domain name for Russia (.ru).

But with those bits of evidence hand, it's still not clear exactly what Ruiu might have stumbled on, or who might have built it. Accordingly, Ruiu, and other security researchers, as well as detractors, continue to sift through related clues and explanations.

In the meantime, don't expect definitive answers anytime soon, Graham said. "Dragos has only been analyzing this for a few weeks. Presumably, he won't give us the full details for us to check out until the next CanSecWest conference [in March 2014]," he said. "Until then, I guess we are all just blowing smoke about whether this is 'real' or not."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
11/6/2013 | 1:40:33 AM
re: Malware Alert: Is 'BadBIOS' Rootkit Jumping Air Gaps?
This fellow argues Dragos Ruiu got it wrong:
http://www.rootwyrm.com/2013/1...
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
11/6/2013 | 12:19:42 AM
re: Malware Alert: Is 'BadBIOS' Rootkit Jumping Air Gaps?
The common computer speaker and microphone are incapable of transmitting and receiving ultrasonic waves. While theoretically possible the number of high end audio equipped PCs should be close to zero.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5142
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

CVE-2010-5302
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.

CVE-2010-5303
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.

CVE-2014-3562
Published: 2014-08-21
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.

CVE-2014-3577
Published: 2014-08-21
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.