Two days ago, I had an e-mail in my inbox with this link. It seemed to be something serious, especially coming from Dragos Ruiu (@dragosr), the creator of the pwn2own contest, as he doesn’t need this kind of thing in order to be famous or make a name for himself. After reading it, I was a little bit scared.
As there isn’t a lot of information or an “official” report about this, I will give you some facts about his research and his findings:
- He found a malware that infects hardware.
- He found it on some laptops running Windows, but it appears to be platform independent: it can infect a BSD system, and OS X is not immune.
- It reflashes the system BIOS, and it is resilient: even after flashing the BIOS with a legitimate firmware image, it will still be there. This forces the researcher to use a new machine for each test.
- It communicates via SDR (Software Defined Radio) to bridge air gaps (computers disconnected from any network). It works even if the wireless and Bluetooth cards are physically removed.
- It loads a Hypervisor.
- When the BIOS is infected, it doesn’t let you boot from external devices regardless of settings. Most of the time, it boots from the internal disk.
- It reflashes all USB drives plugged into an infected system, including external USB CD drives. It doesn’t touch the files on the USB drive; it infects the drive’s firmware directly.
- Just plugging an infected memory stick in a clean system will infect it… without even needing to mount it!
“I didn’t even mount the volume and it was infected.”
- It bricks the USB drives if you eject them unsafely, but they come back to life when you plug them in an infected system.
- In infected Windows systems, some extra .ttf and .fon files appear – three of them (meiryo, meiryob, and malgunnb) have a size larger than expected.
- When you try to extract those files, they disappear from the burned CD.
- People are pointing to Russia as the origin of this malware, as Russian developers are the only known authors of flash-controller reset software. The malware also blocks access to the Russian sites that host that reflashing software.
- The first symptoms were found on a MacBook, three years ago.
- A list of MD5 hashes of the files was uploaded to this link.
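As an added defender-side example (not part of the original post), a baseline check for the font-file symptom: compare a Windows Fonts directory against a manifest of expected sizes and MD5 hashes, reporting extra, oversized, altered or missing files. The manifest, the sample file contents and the `demo()` directory are constructed; only the file names come from the list above.

```python
# Added example, not code from the original post: audit a fonts directory
# against a baseline manifest {filename: (expected_size, expected_md5)}.
import hashlib
import os
import tempfile

FONT_EXTENSIONS = (".ttf", ".fon")


def md5_of(path):
    """MD5 of a file, read in chunks so large fonts don't load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_fonts(directory, manifest):
    """Return a sorted list of (filename, finding) tuples, where finding is
    'unexpected' (not in baseline), 'size-mismatch', 'hash-mismatch' or
    'missing' (in baseline but absent on disk)."""
    findings, seen = [], set()
    for name in os.listdir(directory):
        if not name.lower().endswith(FONT_EXTENSIONS):
            continue
        seen.add(name)
        path = os.path.join(directory, name)
        if name not in manifest:
            findings.append((name, "unexpected"))
            continue
        size, digest = manifest[name]
        if os.path.getsize(path) != size:
            findings.append((name, "size-mismatch"))   # e.g. bigger than expected
        elif md5_of(path) != digest:
            findings.append((name, "hash-mismatch"))   # same size, altered content
    findings.extend((name, "missing") for name in manifest if name not in seen)
    return sorted(findings)


def demo():
    """Constructed sample: one clean file, one oversized file, one extra file."""
    clean = b"CLEAN FONT DATA"
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("arial.ttf", clean),
                           ("meiryo.ttf", clean + b" PADDING"),   # larger than baseline
                           ("malgunnb.ttf", b"NOT IN BASELINE")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = {"arial.ttf": (len(clean), hashlib.md5(clean).hexdigest()),
                    "meiryo.ttf": (len(clean), hashlib.md5(clean).hexdigest())}
        return audit_fonts(d, baseline)
```

Run `demo()` to see the two findings; in practice the manifest would be generated from a known-clean installation of the same Windows build.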
Right now, I don’t know if this could be maximum trolling, or not. I personally don’t think Dragos would play with his reputation like this. If we are facing a new kind of threat, we will need to be prepared for it.
What’s worse, until today there’s no clue what the malware’s purpose is. I’ll try to keep you posted, and I highly recommend following @dragosr and the hashtag #badBIOS on Twitter in order to stay updated about this topic.
[NOTE] If you are interested in a sample, keep an eye on malware.lu. @xylit0l posted this in kernelmode.info:
Re: New Bios Malware
by Xylitol » Sun Oct 13, 2013 9:23 pm
Talked to r00tbsd over irc, he has an image of the infected bios but got no time for the moment to add it on malware.lu.
(Please note that Spanish and English comments are merged so you may need to use an online translator to understand other users' comments)
I propose naming it, for its “toughness”, Chuck Norris :-)
30 October 2013, 4:14 pm
31 October 2013, 11:44 am
31 October 2013, 5:42 pm
Edited and corrected. Thank you.
31 October 2013, 5:59 pm
5 November 2013, 9:47 am
Yes, we know that link and it is an interesting one. Schneier also recently posted a brief post:
However, we think that, true or false, it is interesting enough to invest some time on it. Indeed, it has generated some good and interesting conversation, don’t you think?
5 November 2013, 10:23 am
@Odom that guy (Phillip Jaenke) has a point, and he gives some good reasons to think it’s not a BIOS malware. But he is not saying this is not malware; even if this is something working at OS level, it is still impressive.
Anyway, let’s see what time shows. Dragos is not showing any irrefutable evidence, but at least he has been delivering dumps and file dump diffs, so other reverse engineers can check it now if they want (e.g. https://plus.google.com/103470457057356043365/posts/bop8ufrMp7s).
5 November 2013, 10:48 am
We could have a serious large-scale problem with this. If the Russians put the same effort into other things that they put into designing malware… they would rule the world :)
Let’s see if they get to the bottom of it.
5 November 2013, 1:12 pm
I have the same issue, all the same symptoms. I work in IT – I tried different things to remove it but it always comes back. Yes, I removed the BIOS battery, power, memory and it still comes back. I pulled the wireless card, Bluetooth, etc., doesn’t matter, it still manages to reappear. It seems like someone has control of the system because it can’t be that smart!!! Example – changing the registry and it disables the editor, or it changes permissions and then you are unable to do anything. I managed to boot to a CD that can’t be written to and can start to make changes, but when I start to own the system it reboots. I’m actually on the CD OS now; this is really happening, but it just seems unbelievable. It must go out and contact a site or some person(s) that can watch what you are doing and start the process. I know, crazy, but it’s happening. I’m not a beginner – been doing this for 20+ years. I’m not sure if the average person would even know. (I think my issue started via my Android phone.) Ok, I’ll check back later.
5 November 2013, 2:46 pm
I have two workstations and a SQL server that have very similar problems. I have 17 years of work experience, and this is the strangest type of problem I’ve seen first hand.
Check out the Experts-Exchange.com help request I posted for details that are very similar to this BadBIOS virus.
Experts-Exchange.com article title: BIOS Virus symptoms but isn’t CIH virus
5 November 2013, 8:43 pm
Well, I don’t believe it.
A virus with that ability to camouflage itself and hide even in the computer’s own BIOS would need ultra-refined code, not to mention multiple platforms, direct control of hardware devices, creating a pseudo-language so they can talk to each other, and all of that in what… 4 KB? Because the BIOS has to be left with what it needs to have, or it won’t work… the computer won’t even boot…
This smells like a cheap, cheap hoax to me.
And that thing about it infecting OpenBSD and Windows and Mac, come on, it has exploits for every system to spare… amazing..
So NO, I DON’T BELIEVE IT. I want real proof of this, and please… if you are not sure, don’t publish this, because people believe it.
5 November 2013, 9:05 pm
Just an idea.
What if this virus (badBIOS) was sent to us through the satellites (sound waves) orbiting around our planet, let’s say by those who like to spy on us, NSA/GCHQ (the golden 5 spying countries)? To design such a monster you need monstrous skills; therefore only people with experience and provided with expensive equipment/materials can design it.
It’s a possibility.
21 November 2013, 11:10 am