BadBIOS – the God of Malware?

BadBIOS: the God of Malware, or an elaborate hoax?
BadBIOS: the God of Malware, or an elaborate hoax?

Take your pick, because all four have been suggested. The one thing that few are doing is dismissing Dragos Ruiu, a highly respected researcher and consultant, and the man behind CanSecWest, PacSec and the Pwn2Own hacking contest. The malware has been dubbed BadBIOS; but what needs to be borne in mind is that no-one other than Ruiu has seen any sign of it.

Paul Ducklin listed some of the supposed capabilities of badBIOS: multi-platform; stops CD reboots; spreads via software-defined radio code even with all wireless hardware removed; infects the firmware on USB sticks; blocks Russian sites that deal with reflashing software; and spreads via the speakers on one machine to the microphone on another. But nobody other than Ruiu has seen any of this; and Ducklin concluded that we're just going to have to wait and watch.

Roger Grimes at InfoWorld asks if Ruiu had found a superbug, or gone crazy. He then proceeds to explain why he doesn't think there is a superbug.

But Jacob Appelbaum tweeted, "I think I know when and why @dragosr was owned. I also think I know who likely did it and many of the details. A hint: #NSA #CSE #GCHQ" 

A new report on New Scientist focuses in on the ability to jump air-gaps. "'We have recorded high-frequency audio signals between our computers and have seen the computers mysteriously change their configuration even when they don't have network connections, Wi-Fi cards or Bluetooth cards,' Ruiu told New Scientist. 'And we ran them on batteries so they were not receiving anything though [sic] the power lines.'"

Most experts believe that this would be theoretically possible, but immensely difficult. Orla Cox, security operations manager with Symantec, told New Scientist, "If badBIOS can jump air gaps with audio it would be the most sophisticated piece of malware we have seen." She also suggested that it would require more resources and skill than most people have available.

Paul Roberts, posting on the Veracode blog, concludes, "Many of the attack vectors Ruiu describes are technically possible and, under the right circumstances, could produce the kinds of infections he believes are plaguing his network, while being difficult to detect. And, as computing systems and the sensors they contain become more powerful and smaller, you can count on malicious actors to figure out new ways to leverage them."

The unspoken concern, unspoken by any other than Appelbaum, is that given the resources, ability and behavior of the likes of the NSA and GCHQ, if something is technically possible, they more than anyone else are likely to have explored its practical application. But, as everyone else says, we just don't know. It might be a hoax; or it might be something very new and very, very bad.

What’s Hot on Infosecurity Magazine?