Share

Related Links

Related Stories

  • How GCHQ hacked Belgacom
    In September Der Spiegel published details from Snowden leaks indicating that GCHQ had been behind the hacking of Belgian telcommunications company Belgacom, in an operation codenamed Op Socialist. On Friday it published further details indicating how the breach had been effected.
  • Le Monde Reveals How the NSA Spies on France
    French newspaper Le Monde yesterday revealed details from Edward Snowden-leaked documents showing that NSA spying included surveillance on millions of French telephone and SMS communications.
  • NSA Creates Detailed Graphical Analyses that Include Americans' Metadata
    The latest Edward Snowden leaks show that the NSA not merely collects metadata (everything about a communication excluding the content) from Americans and non-Americans alike, it generates automatic graphical analyses from that data.
  • NSA Shown to Operate a MITM Hack in Brazil
    In case any doubts remain, new Snowden revelations first published in Brazil, show that the NSA engages in economic espionage, uses mainstream hacking techniques, and spies on diplomats and the banking system.
  • Did the NSA Subvert the Security of IPv6?
    Following the Snowden leaks revealing Bullrun – the NSA program to crack the world's encryption – there is an emerging consensus that users can no longer automatically trust any security.
  • NSA and GCHQ Crack Majority of Encrypted Traffic
    Given the effort taken by the NSA and GCHQ spy agencies to monitor the greater part of the world’s internet traffic, it was never likely that they would simply ignore all of the encrypted traffic. The latest of the Edward Snowden files show that they did not.

Top 5 Stories

News

BadBIOS – the God of Malware?

17 November 2013

Over the past few weeks, Dragos Ruiu has provided details of a mystery infection that first attacked his computers some three years ago. He can't find it, he can't get rid of it, it survives reboots and clean installs, and seems to spread via wireless audio waves. It's either the God of Malware, an elaborate hoax, a publicity stunt – or Dragos Ruiu has gone mad.

Take your pick, because all four have been suggested. The one thing that few are doing is dismissing Dragos Ruiu, a highly respected researcher and consultant, and the man behind CanSecWest, PacSec and the Pwn2Own hacking contest. The malware has been dubbed BadBIOS; but what needs to be borne in mind is that no-one other than Ruiu has seen any sign of it.

Paul Ducklin listed some of the supposed capabilities of badBIOS: multi-platform; stops CD reboots; spreads via software-defined radio code even with all wireless hardware removed; infects the firmware on USB sticks; blocks Russian sites that deal with reflashing software; and spreads via the speakers on one machine to the microphone on another. But nobody other than Ruiu has seen any of this; and Ducklin concluded that we're just going to have to wait and watch.

Roger Grimes at InfoWorld asks if Ruiu had found a superbug, or gone crazy. He then proceeds to explain why he doesn't think there is a superbug.

But Jacob Appelbaum tweeted, "I think I know when and why @dragosr was owned. I also think I know who likely did it and many of the details. A hint: #NSA #CSE #GCHQ" 

A new report on New Scientist focuses in on the ability to jump air-gaps. "'We have recorded high-frequency audio signals between our computers and have seen the computers mysteriously change their configuration even when they don't have network connections, Wi-Fi cards or Bluetooth cards,' Ruiu told New Scientist. 'And we ran them on batteries so they were not receiving anything though [sic] the power lines.'"

Most experts believe that this would be theoretically possible, but immensely difficult. Orla Cox, security operations manager with Symantec, told New Scientist, "If badBIOS can jump air gaps with audio it would be the most sophisticated piece of malware we have seen." She also suggested that it would require more resources and skill than most people have available.

Paul Roberts, posting on the Veracode blog, concludes, "Many of the attack vectors Ruiu describes are technically possible and, under the right circumstances, could produce the kinds of infections he believes are plaguing his network, while being difficult to detect. And, as computing systems and the sensors they contain become more powerful and smaller, you can count on malicious actors to figure out new ways to leverage them."

The unspoken concern, unspoken by any other than Appelbaum, is that given the resources, ability and behavior of the likes of the NSA and GCHQ, if something is technically possible, they more than anyone else are likely to have explored its practical application. But, as everyone else says, we just don't know. It might be a hoax; or it might be something very new and very, very bad.

This article is featured in:
Internet and Network Security  •  Malware and Hardware Security

 

Comments

damorosi says:

30 January 2014
The following comment comes from one of our readers, who wished to remain anonymous:

I just read your 17 November 2013 article "BadBIOS – the God of Malware?". I own a Mac and had what seemed to be a similar virus. Similar in that it proved nearly impossible to find or to eradicate! I've found the solution and would make two suggestions:

1) You should publish the solution as a news story for all the Mac owners out there who have been plagued by this problem.

2) You should inform the reader with handle "PMace80" who commented on the aforementioned article that his X's cousin in Spain might be suffering from this same problem. I would do so but don't wish to register with your site to send a comment at him.

Basically, the problem is that on reboot, or exactly two minutes after waking from sleep, the Mac kernel starts consuming over 75% of the CPU's resources. As you might suspect, that slows the Mac down to a crawl! Like others, I:

* methodically removed files from the directories one would suspect might harbor a virus.

* I reinstalled Mac OS X Lion (10.7).

* I erased the disk and reinstalled Lion.

Same problem. I hadn't even restored my own files so the problem was occurring on a clean Mac! Sound like Bad Bios?

Then I found this:

http://www.rdoxenham.com/?p=259

The simple explanation given on that page is:

So, it’s all to do with temperature control- you
‘remove’ a large portion of the CPU share from other
applications and carry out low-overhead tasks
continually until the CPU temperature drops. This
sounds like a great solution to cooling, but it’s very
intrusive. It’s agressive nature drags the system to a
halt in a lot of ways, despite the fact that the CPU in
my MacBook Air rarely exceeds 70 degrees (centigrade).
Considering the TJ Max of my little 2.13GHz Core2Duo is
85 degrees I’d rather kernel_task not take this
invasive action.

Thankfully, this “feature” is built into a kext, in
which each model identifier specifies how to control
the temperature of the CPU via this invasive action.
The simple fix is to remove the entry for your model
identifier from this kext- if it “doesn’t know” what to
do with your particular model, it won’t take any
action. Now, here comes the disclaimer… by taking the
same action as I will outline below, I take absolutely
no responsibility for any damage or loss caused to you
or your property, you do this of your own free will.
You’re over-ruling functionality that was designed to
prolong the life of your equipment, despite the fact
that it’s invasive and very annoying it’s there for a
reason. Anyway, on to the fun stuff…

I applied the steps in the article and my Mac now works wonderfully. I was able to do a restore of all my old files and the fix still works.

I think it was occurring in my Mac because the battery is dead. That seems to trigger the problem for some other users as well.

You can read the steps to fix your Mac in the article but they are simply to:

1. Go to About this mac under the Apple Menu in the upper left and click on More info

2. Click on system report

3. make a note of what it says after Model Identifier

4. go to your boot drive – System -Library – Extensions – IOPlatformPluginFamily.kext -Contents – Plugins – ACPI_SMC_PlatformPlugin.kext – Contents – Resources – find the name from step 3 and move it to a folder that you can find again if needed.

5. Restart and you’re done

I'm surprised that Apple hasn't done more to publicize or fix this problem. To the extent that it brought my system to its knees, it is a problem.

PMace80 says:

21 November 2013
Sorry for the blank post.

PMace80 says:

21 November 2013

PMace80 says:

21 November 2013
The wait may be over, I was recently contacted by my younger sister to assist her X's cousin in Spain with a malware problem she is having on her Mac that no-one can seem to diagnose or fix. In having her describe to me the things she was experiencing it sounds nearly identical to the things Dragos has described as happening as a result of badBIOS. She explains she has gone to the point of physically destroying old routers and thumb drives because there is no logical way this infection could be repropagating itself after cleaning/dismanteling her computer(s). I have never in my life posted in a forum but I felt the word should be spread that Dragos may no longer be alone.

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×