Take your pick, because all four have been suggested. The one thing that few are doing is dismissing Dragos Ruiu, a highly respected researcher and consultant, and the man behind CanSecWest, PacSec and the Pwn2Own hacking contest. The malware has been dubbed BadBIOS; but what needs to be borne in mind is that no-one other than Ruiu has seen any sign of it.
Paul Ducklin listed some of the supposed capabilities of badBIOS: it is multi-platform; it prevents booting from CD; it spreads via software-defined radio code even with all wireless hardware removed; it infects the firmware on USB sticks; it blocks Russian sites that deal with reflashing software; and it spreads from the speakers of one machine to the microphone of another. Ducklin concluded that, since nobody else has seen any of this, we are just going to have to wait and watch.
Roger Grimes at InfoWorld asks if Ruiu had found a superbug, or gone crazy. He then proceeds to explain why he doesn't think there is a superbug.
But Jacob Appelbaum tweeted, "I think I know when and why @dragosr was owned. I also think I know who likely did it and many of the details. A hint: #NSA #CSE #GCHQ"
A new report in New Scientist focuses on the ability to jump air-gaps. "'We have recorded high-frequency audio signals between our computers and have seen the computers mysteriously change their configuration even when they don't have network connections, Wi-Fi cards or Bluetooth cards,' Ruiu told New Scientist. 'And we ran them on batteries so they were not receiving anything though [sic] the power lines.'"
Most experts believe that this would be theoretically possible, but immensely difficult. Orla Cox, security operations manager with Symantec, told New Scientist, "If badBIOS can jump air gaps with audio it would be the most sophisticated piece of malware we have seen." She also suggested that it would require more resources and skill than most people have available.
Paul Roberts, posting on the Veracode blog, concludes, "Many of the attack vectors Ruiu describes are technically possible and, under the right circumstances, could produce the kinds of infections he believes are plaguing his network, while being difficult to detect. And, as computing systems and the sensors they contain become more powerful and smaller, you can count on malicious actors to figure out new ways to leverage them."
The concern that nobody other than Appelbaum has spoken aloud is that, given the resources, ability and behavior of the likes of the NSA and GCHQ, if something is technically possible then they, more than anyone else, are likely to have explored its practical application. But, as everyone else says, we simply don't know. It might be a hoax; or it might be something very new and very, very bad.
30 January 2014
The following comment comes from one of our readers, who wished to remain anonymous:
I just read your 17 November 2013 article "BadBIOS – the God of Malware?". I own a Mac and had what seemed to be a similar virus. Similar in that it proved nearly impossible to find or to eradicate! I've found the solution and would make two suggestions:
1) You should publish the solution as a news story for all the Mac owners out there who have been plagued by this problem.
2) You should inform the reader with handle "PMace80" who commented on the aforementioned article that his X's cousin in Spain might be suffering from this same problem. I would do so but don't wish to register with your site to send a comment to him.
Basically, the problem is that on reboot, or exactly two minutes after waking from sleep, the Mac kernel starts consuming over 75% of the CPU's resources. As you might suspect, that slows the Mac down to a crawl! Like others, I:
* methodically removed files from the directories one would suspect might harbor a virus;
* reinstalled Mac OS X Lion (10.7);
* erased the disk and reinstalled Lion.
Same problem. I hadn't even restored my own files so the problem was occurring on a clean Mac! Sound like Bad Bios?
Then I found this:
The simple explanation given on that page is:
So, it’s all to do with temperature control: you ‘remove’ a large portion of the CPU share from other applications and carry out low-overhead tasks continually until the CPU temperature drops. This sounds like a great solution to cooling, but it’s very intrusive. Its aggressive nature drags the system to a halt in a lot of ways, despite the fact that the CPU in my MacBook Air rarely exceeds 70 degrees (centigrade). Considering the TJ Max of my little 2.13GHz Core2Duo is 85 degrees, I’d rather kernel_task not take this

Thankfully, this “feature” is built into a kext, in which each model identifier specifies how to control the temperature of the CPU via this invasive action. The simple fix is to remove the entry for your model identifier from this kext: if it “doesn’t know” what to do with your particular model, it won’t take any action. Now, here comes the disclaimer… by taking the same action as I will outline below, I take absolutely no responsibility for any damage or loss caused to you or your property; you do this of your own free will. You’re over-ruling functionality that was designed to prolong the life of your equipment; despite the fact that it’s invasive and very annoying, it’s there for a reason. Anyway, on to the fun stuff…
I applied the steps in the article and my Mac now works wonderfully. I was able to do a restore of all my old files and the fix still works.
I think it was occurring in my Mac because the battery is dead. That seems to trigger the problem for some other users as well.
You can read the steps to fix your Mac in the article, but they are simply to:
1. Go to About This Mac under the Apple menu in the upper left and click on More Info.
2. Click on System Report.
3. Make a note of what it says after Model Identifier.
4. Go to your boot drive: System/Library/Extensions/IOPlatformPluginFamily.kext/Contents/Plugins/ACPI_SMC_PlatformPlugin.kext/Contents/Resources. Find the file with the name from step 3 and move it to a folder that you can find again if needed.
5. Restart and you're done.
I'm surprised that Apple hasn't done more to publicize or fix this problem. To the extent that it brought my system to its knees, it is a problem.
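The procedure the reader describes, as an added shell script that is not part of the article or of the reader's comment. It assumes that the per-model file in the kext's Resources folder is named after the Model Identifier with the comma replaced by an underscore (MacBookAir3,1 becomes MacBookAir3_1.plist); that naming is an assumption of this example, so check the folder listing before trusting it. On disk the plug-in folder is spelled PlugIns, which the case-insensitive default filesystem of the time also matched under the comment's spelling. The script reads the Model Identifier with sysctl instead of from System Report, moves the file to a backup directory, and includes the reverse step, because putting the file back is what restores Apple's thermal throttling. It applies only to the Lion-era systems discussed: on OS X 10.11 and later, System Integrity Protection makes /System read-only and the move simply fails.

```shell
#!/bin/sh
# Added example, not code from the article or the commenter: scripted form of the
# kernel_task workaround. Lion-era Macs only; run as root, then reboot.

# Real location of the per-model resources (folder is spelled "PlugIns" on disk).
RESOURCES_DEFAULT="/System/Library/Extensions/IOPlatformPluginFamily.kext/Contents/PlugIns/ACPI_SMC_PlatformPlugin.kext/Contents/Resources"

# Step 3 without the GUI: the Model Identifier, e.g. "MacBookAir3,1".
model_identifier() {
    sysctl -n hw.model
}

# ASSUMPTION of this example: the file is the identifier with "," -> "_" plus ".plist".
plist_name_for_model() {
    printf '%s.plist\n' "$(printf '%s' "$1" | tr ',' '_')"
}

# Step 4: move the model's file out of the kext into a backup directory.
# Usage: move_model_plist RESOURCES_DIR MODEL BACKUP_DIR
# Returns 0 when moved, 1 when there is no file for that model (nothing to disable)
# or when the move is not permitted (e.g. a protected /System).
move_model_plist() {
    res_dir="$1"; model="$2"; backup_dir="$3"
    plist="$res_dir/$(plist_name_for_model "$model")"
    [ -f "$plist" ] || { echo "no entry for $model in $res_dir" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1
    mv "$plist" "$backup_dir/" || return 1
    echo "moved $plist to $backup_dir; reboot to apply, restore_model_plist to undo"
}

# Undo: put the file back so Apple's thermal management is active again.
# Usage: restore_model_plist RESOURCES_DIR MODEL BACKUP_DIR
restore_model_plist() {
    res_dir="$1"; model="$2"; backup_dir="$3"
    name="$(plist_name_for_model "$model")"
    [ -f "$backup_dir/$name" ] || { echo "no backup of $name in $backup_dir" >&2; return 1; }
    mv "$backup_dir/$name" "$res_dir/$name"
}

# Steps 3 and 4 together on the live system (step 5, the reboot, is left to you):
#   sudo sh -c '. ./kernel_task_fix.sh; apply_fix /var/root/kext-backup'
apply_fix() {
    move_model_plist "$RESOURCES_DEFAULT" "$(model_identifier)" "${1:-/var/root/kext-backup}"
}
```

Keep the backup directory outside the kext bundle, as the comment advises, and check `ls` of the Resources folder first: if no file matches your identifier, the kext already has no entry for your model and this fix cannot be what changes kernel_task's behaviour.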
21 November 2013
Sorry for the blank post.
21 November 2013
The wait may be over. I was recently contacted by my younger sister to assist her X's cousin in Spain with a malware problem she is having on her Mac that no-one can seem to diagnose or fix. In having her describe to me the things she was experiencing, it sounds nearly identical to the things Dragos has described as happening as a result of badBIOS. She explains she has gone to the point of physically destroying old routers and thumb drives because there is no logical way this infection could be repropagating itself after cleaning/dismantling her computer(s). I have never in my life posted in a forum but I felt the word should be spread that Dragos may no longer be alone.
Note: The majority of comments posted are created by members of the public. The views expressed are theirs and, unless specifically stated, are not those of Elsevier Ltd. We are not responsible for any content posted by members of the public or the content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by Elsevier Ltd, and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.