badBIOS - some next level malware

Unarmed Gunman

Medium Pimpin'
May 2, 2007
The D
www.googlehammer.com
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.
...

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

...

"badBIOS," as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

...

He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems.

...

Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
 


I'm calling bullshit. How does this malware infect the BIOS without elevated privileges? What exploit does it use?

If someone had an infected boot CD or USB stick inserted while the computer was booting to the operating system, it would seem more plausible, but that narrows the window of attack down significantly.

Also, the BIOS varies substantially between computers, making this malware attack even more difficult to do. Loading the malware into the Master Boot Record would be more practical, though that would not make it resistant to hard disk wipes.

Sounds more like a spooky story for Halloween if you ask me.
 
 
It's a hoax. There's too much secrecy around this. Wireshark doesn't work with speakers and he is not saying how he is capturing the packets.
 
Air-gapping has been around for a while. It's just like when you used to put your rotary phone onto a modem and it would use those sounds to communicate. I could see it saving itself in the ROM/RAM.

As far as the unplugged thing goes, that is sort of misleading. It says they ran it on battery to weed out any sort of power-line / AV communication.

I built a script over the past years that creates what I call a "bubble" that uses similar methods.
 
from r/netsec:

An "infected" BIOS dump has been posted.

So far the story does not check out.

1. download http://ftp.dell.com/bios/R289597.exe (Alienware M11xR2 BIOS, vA04)
2. extract Win_M11xR2A04.exe, extract NAP10MEC.fd from it
3. save from offset 020000 until end of file into NAP10MEC.bin
4. fc /b NAP10MEC.bin infected1.bin >diff.txt

The differences are:
a) EFFS in the ME region (13000~E3000) which contains system-specific data generated during normal functioning of the ME
b) UEFI nvram volume (790000~7A0000 - has $VSS signature)
c) a few random bytes (e.g. 3DEB00 and 6E6040 - looks like dumping errors)

There are NO differences in the UEFI code (besides the dumping errors).
Conclusion: no BIOS rootkit detected (unless Dell put it there, which I rather doubt).
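Added worked example for the comparison above (my own code, not the r/netsec poster's tool or anything from Dell): a Python script that does what steps 1-4 do with `fc /b`, but groups the differing bytes into ranges and labels each range the way findings (a)-(c) were reached: inside a region expected to churn (ME / EFFS), inside an NVRAM volume located by its $VSS signature, or a handful of isolated bytes (probable dump error). Anything left over is a change to code and is what you would actually chase. The region map, the NVRAM window length, the header offset, the two sample images and every offset in them are constructed for illustration and are not the M11xR2 layout.

```python
"""Diff a vendor BIOS payload against a suspected-infected dump and label
each differing range.  Added example; all layout data below is invented."""

NVRAM_SIG = b"$VSS"

# Hypothetical region map for the constructed image: (start, end, label).
REGION_MAP = [
    (0x100, 0x200, "ME region / EFFS (expected to vary)"),
]


def strip_header(image: bytes, offset: int) -> bytes:
    """Step 3: keep bytes from `offset` to end of file, dropping the
    update-package header that a raw flash dump does not contain."""
    if offset > len(image):
        raise ValueError("offset beyond end of image")
    return image[offset:]


def diff_ranges(a: bytes, b: bytes, gap: int = 16):
    """Half-open (start, end) ranges where a and b differ.  Differing bytes
    closer together than `gap` are merged, so an NVRAM store rewritten in
    several places is reported once instead of as dozens of fc lines."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a):#x} vs {len(b):#x}")
    ranges = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if ranges and i - ranges[-1][1] < gap:
            ranges[-1][1] = i + 1
        else:
            ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]


def find_nvram_volumes(image: bytes, sig: bytes = NVRAM_SIG, window: int = 0x40):
    """Every `sig` hit, each assumed to span `window` bytes (a real tool
    would parse the variable-store header to get the true length)."""
    vols = []
    pos = image.find(sig)
    while pos != -1:
        vols.append((pos, min(pos + window, len(image))))
        pos = image.find(sig, pos + 1)
    return vols


def classify(rng, image: bytes, dump_error_max: int = 4) -> str:
    """Label one range: region map first, then NVRAM by signature, then the
    'few scattered bytes' heuristic; anything else is a code change."""
    start, end = rng
    for r_start, r_end, label in REGION_MAP:
        if r_start <= start and end <= r_end:
            return label
    for v_start, v_end in find_nvram_volumes(image):
        if v_start <= start and end <= v_end:
            return "UEFI NVRAM volume ($VSS)"
    if end - start <= dump_error_max:
        return "isolated bytes (possible dump error)"
    return "CODE CHANGED - investigate"


def compare(clean: bytes, dump: bytes):
    """(report, suspicious): every range as (start, end, label) plus the
    subset that touched code rather than data."""
    report = [(hex(s), hex(e), classify((s, e), dump))
              for s, e in diff_ranges(clean, dump)]
    suspicious = [r for r in report if r[2].startswith("CODE")]
    return report, suspicious


# Constructed sample data: a 0x300-byte "firmware" with a fake ME region at
# 0x100-0x200 and a $VSS store at 0x240.  The vendor file carries a 0x20-byte
# header in front, standing in for the capsule stripped at 0x20000 in step 3.
_base = bytearray(i & 0xFF for i in range(0x300))
_base[0x240:0x244] = NVRAM_SIG
VENDOR_FILE = b"\xAA" * 0x20 + bytes(_base)
_dump = bytearray(_base)
_dump[0x120:0x140] = b"\xEE" * 0x20    # EFFS churn inside the ME region
_dump[0x250:0x258] = b"\x11" * 8       # a variable rewritten in NVRAM
_dump[0x2F0] ^= 0xFF                   # one flipped byte: dump glitch
DUMP = bytes(_dump)

if __name__ == "__main__":
    report, suspicious = compare(strip_header(VENDOR_FILE, 0x20), DUMP)
    for start, end, label in report:
        print(f"{start:>8}-{end:<8} {label}")
    print("rootkit candidates:", suspicious or "none")
```

On a real dump you would replace `REGION_MAP` with the offsets from the flash descriptor, have `find_nvram_volumes` parse the variable-store header instead of assuming a fixed window, and treat any range that lands in a firmware volume's code as the thing to disassemble; the point of the script is that the three benign explanations the post gives are mechanically checkable before anyone cries rootkit.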