Saturday, 02 November 2013 14:10

badBIOS: worst Malware to date, or Social Experiment

Written by

Reading time is around minutes.

While it is commonly understood that Malware is a major threat to anyone with a computer, tablet or phone, what is not acknowledged is that Malware is much more than that. In the late-1990s a bit or Malware was released that actually infected the basic operating system that runs every computer, the BIOS (Basic Input/Output System). This bit of malware called Chernobyl was designed to wipe a systems BIOS on a preset date. 

Chernobyl (CIH) was a very interesting creation in that it did not change the size of the files or systems it infected. Instead it filled in gaps in existing code to hide its presence. This was important as there was very little room in a BIOS. CIH was a seriously damaging bit of malware that destroyed many computers in its day. What is odd is that after CIH there was very little done to protect the BIOS/Firmware in devices, it is still possible to infect the firmware in computers, batteries, USB drives, keyboards, and more. It did help to push the fledgling data recovery market though.

With this in mind we are taking a look at a new threat that was announced recently named badBIOS. This potential threat was discovered by Dragos Ruiu and, if his claims are true, it looks like he has discovered the worst malware found to date. You see badBIOS infects the firmware in system and from there can control a number of basic system functions. According to Ruiu, badBIOS can infect traditional BIOS, EFI and UEFI which covers almost the entire gamut of computer systems. Additionally (if the information that Ruiu claims is true) by infecting the BIOS of a system it does not matter what OS is running. The BIOS controls the hardware at a level that the OS only interprets.

Now simply having a malware that can infect your system BIOS and lock you out of it (and the OS) is bad enough. However, Ruiu has claimed that badBIOS is even more sinister than this. It apparently can infect any USB drive or device plugged in by infecting the firmware in its controller. It can also communicate using ultrasonic waives that are received by other devices microphones when no other means is available. This last point is interesting as not every system has an audio card or microphone, it also means that this last resort type of communication can only be run at close proximity. Another interesting point is that, again according to Ruiu, it communicates using IPV6.

If this sounds frightening it is because it is. If this is a real piece of malware it represents a new method of attack and one that is going to be very difficult to remove. You could technically replace the BIOS chip on a board, or through the use of a subsystem like Asus’ BIOS flashback, overwrite the entire BIOS with good code. However, there are some holes in the claims by Ruiu that make us skeptical. Although everything he lists is technically possible and within the capabilities of the some of the more advanced malware developers out there, it is not the easiest thing to do. Ruiu has also not provided any proof to his claims and there have been no reports of infection outside of his lab.

So we now have a situation where we potentially have a bit of malware that is unlike anything else we have seen or we have a security researcher that is using an array of technical possibilities to build a boogeyman of a virus in the mind of the press and the consumer. Ruiu is not releasing any information until later at PacSec (in about two weeks). We are not sure what his presentation will show, is this an elaborate hoax intended to create a Chicken Little response or is this a reality that he stumbled on and is really trying to alert us to. To be honest there is not enough information to decide one way or another simply because everything Ruiu describes is possible with current technology and by people that are developing malware. On the other hand if this was a real threat then you would think that Ruiu would want to bring in as many people as possible to help identify and counter the threat badBIOS represents. We will all know for sure at PacSec in Tokyo, let’s hope this is not the threat that it could be and ends up being a social experiment run by Ruiu to see how society reacts to a security threat of this magnitude.

Tell us what you think in our Forum

Read 2718 times Last modified on Saturday, 02 November 2013 14:13

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.