Nov 05, 2013 (04:11 AM EST)
Malware Alert: Is 'BadBIOS' Rootkit Jumping Air Gaps?
Read the Original Article at InformationWeek
That's the conclusion reached by Dragos Ruiu, a respected security consultant who organizes the annual CanSecWest conference in Vancouver. He's lately been documenting his research into an advanced -- and persistent -- threat that appears to spread via USB drives, and to infect the BIOS firmware that enables applications and operating systems to interact with computer hardware.
Ruiu said he first spotted evidence of the related malware three years ago, when he found that a MacBook Air on which he'd installed a fresh copy of OS X was updating a part of its firmware tied to the startup routine, after which it refused to let him boot the device from an external CD drive.
Later, Ruiu found that data stored on a computer running the free Open BSD operating system mysteriously disappeared. Then, a few weeks ago, he noticed that a computer that didn't have the next-generation Internet networking protocol IPv6 enabled was nevertheless transmitting packets using IPv6.
[ Which Windows operating system has the biggest problem with malware? Read Windows XP Malware: 6X As Bad As Windows 8. ]
In addition, he also found machines transmitting small amounts of encrypted network data, even when their Wi-Fi and Bluetooth cards were removed, networking cables unplugged, and which were running on battery power with their power cords unplugged, thus eliminating the possibility of power-line networking connections. Furthermore, the odd behavior affected not just Macs but also Windows and Linux systems, and only ceased when the microphone, external speaker, and speaker attached to the motherboard were removed.
"So it turns out that annoying high frequency whine in my sound system isn't crappy electrical noise that has been plaguing my wiring for years," Ruiu said in an Oct. 16 blog post. "It is actually high frequency ultrasonic transmissions that malware has been using to communicate to airgapped computers."
Ruiu surmised that malicious BIOS firmware -- which he dubbed "badBIOS" -- was being used to store a "hypervisor" that was able to survive reboots, or even the BIOS being reflashed. "Infected systems seem to reprogram the flash controllers on USB sticks (and CD drives, more on that later) to attack the system," he wrote recently.
"The suspicion right now is there's some kind of buffer overflow in the way the BIOS is reading the drive itself, and they're reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table," Ruiu told Ars Technica last week.
But does Ruiu's analysis of the BIOS malware -- which has been described by some commentators as being more advanced than Stuxnet or Flame -- hold water?
"I'm not sure what to make of this. When I first read it, I thought it was a hoax," said Bruce Schneier, chief security technology officer of BT, in a blog post Monday. "But enough others are taking it seriously that I think it's a real story. I don't know whether the facts are real, and I haven't seen anything about what this malware actually does."
"The weirdest part is how it uses ultrasonic sound to jump air gaps," he said.
Other security researchers, meanwhile, have noted that everything Ruiu has described is technically feasible. "Everything Dragos describes is plausible. It's not the mainstream of 'hacking,' but neither is it 'nation state' level hacking," said Robert David Graham, CEO of penetration testing firm Errata Security, in a blog post. "That it's all so plausible [lends] credence to the idea that Dragos isn't imagining it."
Indeed, technically speaking, writing malware that could interact with USB flash drive controllers wouldn't be a big challenge. "There are only like 10 different kinds of flash controllers used in all the different brands of memory sticks and all of them are reprogrammable, so writing a generic attack is totally feasible," Ruiu recently posted online. "Coincidentally the only sites I've found with flash controller reset software are .ru sites, and seem to 404 on infected systems," referring to sites registered using the top-level domain name for Russia (.ru).
But with those bits of evidence hand, it's still not clear exactly what Ruiu might have stumbled on, or who might have built it. Accordingly, Ruiu, and other security researchers, as well as detractors, continue to sift through related clues and explanations.
In the meantime, don't expect definitive answers anytime soon, Graham said. "Dragos has only been analyzing this for a few weeks. Presumably, he won't give us the full details for us to check out until the next CanSecWest conference [in March 2014]," he said. "Until then, I guess we are all just blowing smoke about whether this is 'real' or not."