Is badBIOS a dire computer virus, or an improbable hoax?

There’s a story making the rounds, first reported in Ars Technica, about a particularly virulent computer virus that has been nicknamed, “badBIOS.”

It’s an awful and amazing thing that can infect PCs and Macs alike. And I don’t buy it. Let me tell you why.

But first, in order to understand both the nature of the virus and the origin of the name, perhaps a little CompSci Ed is in order — but feel free to skip this part if you already know what I’m talking about.

What is BIOS?

Every computer has something called its “operating system” (or OS). For many PCs, this is Microsoft Windows, but it could also be any of the myriad flavors of UNIX, such as Open BSD, Linux, Red Hat, and so on; for Apple computers, it’s OS X. (Mobile computing: Android devices are running some flavor of Android; Apple tablets and phones run iOS.)

However, when you first power up your desktop or laptop, unless your computer’s manufacturer chose to hide it, there’s a momentary text-only screen that shows basic system hardware information — what type of motherboard, CPU, connected storage devices, memory, and so on, as well as a prompt where you can (usually) press either Del or F2 to go into what’s called BIOS mode. When you do this, on a PC at least, you’ll often see a screen like this one:

Asus motherboard BIOS screen

This BIOS utility screen and the program behind it lets you view and control the innermost hardware settings of your computer.

The term ‘BIOS’ stands for ‘Basic Input/Output System’ — and it is a layer of semi-permanent computer program that sits between your operating system and the computer hardware. Unlike your applications (which change frequently) and your operating system (which is updated sometimes and can be completely replaced), the vast majority of people will never change their computer’s BIOS. Heck, most people never even have to touch their BIOS hardware settings.

For this reason, it’s safely programmed into non-volatile memory (meaning it stays there even when your computer has no power). It’s considered “firmware.”

It is possible to change a computer’s BIOS, in a process commonly known as “flashing” or “re-flashing.” Doing so is not without risks, because if you mess it up, there’s a chance you could “brick” your device (i.e., turn your computer into a doorstop). The reason this can happen is that in the process of flashing the BIOS, you can not only crash the system but also accidentally destroy the computer’s ability to power up far enough to re-flash the BIOS a second time.

After that, you’d need serious professional technical help to restore a computer with corrupted BIOS. Correctly functioning BIOS is essential.

What is badBIOS?

Computer code via Shutterstock

In theory, it is possible to alter a computer’s BIOS for nefarious purposes. Doing so would indeed be a serious matter because a BIOS infection would be immune to nearly every computer anti-virus package out there. You’d have control of a computer at the hardware layer.

Unless you did something about the BIOS itself, no matter how many times you wiped the computer’s hard drive and reinstalled the operating system, the infection would remain. The only way to clean it out is to re-flash the BIOS with a fresh, clean copy. Fixed and done, right?

Well, one security consultant, Dragos Ruiu, claims to have a computer infection that goes far deeper than a mere BIOS problem.

So on to the Ars Technica story:

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet’s next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

(Emphasis added here and in further story quotes.) As a computer professional myself who’s been building her own computers since the mid 1980s, I find that several things in that story already set my skeptic’s hackles on edge. Starting with the fact that he claims his initial infection was on an Apple computer running OS X. (Almost nobody in the professional hacking community writes viruses targeting Macs. There are a few out there, but mostly spread via infected web pages. And I’ve never heard of any successful Linux/BSD virus ‘in the wild.’)

According to the story, Ruiu says he has no idea how his system contracted the initial virus, but has theorized it was a USB memory stick or drive. He also reported that within hours of scrubbing a computer, the infection behavior — random data deletions, inability to boot from CD ROM, undone configuration changes — would return spontaneously.

He reported this even happened if he re-flashed the BIOS back to its original state and used a completely fresh (empty) hard disk. Crazier still:

Another intriguing characteristic: in addition to jumping “airgaps” designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

“We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” Ruiu said. “At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”

What Ruiu means by “air-gapping” is not only that the computer in question is not connected to a network by an Ethernet cable, but also that he disabled (removed) the WiFi (wireless Internet) and Bluetooth (a short-range networking system) hardware and ran the laptop on batteries, just to make sure there wasn’t some weird AC power data transmission modulation going on.

Ruiu’s badBIOS theory

Ruiu believes that in addition to reprogrammed network controller hardware, somehow data is being transmitted using a computer’s speakers and microphone. And he further claims that when he disconnected that particular audio hardware on a previously infected (and air-gapped) laptop, afterwards the re-infections stopped.

To understand this, we have to go a layer lower in the hardware. Your computer’s BIOS talks to the individual hardware controllers on the system motherboard. What Ruiu is suggesting is that once the BIOS was infected, it reprogrammed both the network controller and the audio controller hardware to serve as permanent, intelligent, self-activating back doors.

He’s further suggested that merely having an infected computer on the same network as uninfected machines means they’ll all eventually be infected, too.

Another angle on his theory is that USB drives and memory sticks can also be programmed to carry badBIOS, but show no trace of it whatsoever. Even wiped and reformatted USB drives still have it, and according to Ruiu, a fresh drive or stick is instantly infected upon insertion into an infected computer.

He seems to think this is a “multi-stage payload” virus, where the initial piece installs the permanent back doors, and then apparently the other parts are loaded later and result in the odd system behaviors.

badBIOS, in summary

So badBIOS supposedly has the following qualities:

  • Infects PCs and Macs alike, including PCs running Windows, Linux and Open BSD, and further including multiple versions and releases of all these operating systems — meaning it is 100% OS-independent, and also essentially hardware independent as well
  • Easily transmitted via USB drives and memory sticks and can bypass both secure operating systems (such as Linux) and anti-virus software invisibly; able to infect new USB drives/sticks at will
  • Manifested behavior (besides extreme virulence) is an inability to boot from CD or DVD (making reinstalling the OS difficult but not impossible), random deletion of data, and resetting of configuration changes
  • Can re-infect a scrubbed (including BIOS re-flashed) computer without any physical or WiFi/Bluetooth network connection
  • Is (thus far) completely invisible and undetectable except through the reported anomalous computer behavior and malfunctions

Color me skeptical

I’ll explain now why I’m having trouble believing this:

Able to infect computers regardless of operating system: Yes, it’s not hard to infect PCs, especially those unprotected by anti-virus software. But it’s much harder to infect computers running Apple’s OS X (which has an XNU UNIX-like hybrid kernel), and much, much more difficult to infect Linux-based (and Open BSD) machines. The reason is that Linux and other UNIX variants simply do not allow code to be run arbitrarily, and certainly not the kind of privileged code processes it would take to re-write the BIOS on the fly. It’s actually quite difficult to infect a UNIX/Linux system because it protects operating system files through encryption and would never allow some random program to reach through and diddle with the computer’s BIOS. What I can’t wrap my brain around is this idea that a single nigh-undetectable virus can infect any computer regardless of OS.

BIOS and component firmware is altered even while the computer is running: I’ve re-flashed a number of computers, and there isn’t an OS out there that won’t react (and usually crash hard) if you start diddling with the BIOS while the OS is up and running. Most times, the computer needs to be run temporarily in a special protected mode to make it happen.

Able to infect many different incompatible hardware platforms using the same initial virus payload: Not only are we talking different computer manufacturers, we’re also talking about different basic component-level hardware. Every motherboard manufacturer, for example, runs their own customized BIOS firmware, too, none of it exactly alike. (Although to be fair, it’s often similar.)

Permanent embedding in network and audio hardware: Here I’m reaching a bit, but I can think of no plausible scenario where on-board network and/or audio hardware can be permanently — and invisibly — reprogrammed to hold an undetectable virus. Also independent of network or audio hardware manufacturer.

Here we’re getting into the territory of whether something is theoretically possible versus whether it is plausible. Unfortunately, for me, the improbabilities just keep multiplying:

(OS independent) x (BIOS independent) x (H/W independent) x (infects at will) x (undetectable) x (self-repairing) x (inexplicable visible behavior) = As improbable as a pair of space missiles suddenly transforming into a bowl of petunias and a whale, both plummeting towards Magrathea.

In addition:

Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he’s beginning to draw. (A compilation of Ruiu’s observations is here.)

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he’s no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that has afflicted Ruiu’s computers and networks.

Most of all, the detail I cannot get past is how this alleged super-virus — from Ruiu’s description — gives every appearance of being incredibly, improbably sophisticated in its ability to propagate and self-repair, yet it allegedly draws attention to itself by modifying settings, undoing configuration changes, altering machine behavior, and deleting data.

The manifested behavior makes no sense. You’d think something this mind-blowing would be programmed to avoid giving any sign of being there.

Or this dude...

It’s as if Catwoman or James Bond broke into an ultra-secure vault filled with valuables and riches, bypassing elaborate tripwires, alarms, and guards, and dropping through the skylight on wires. But instead of quietly stealing the diamond under the laser-protected, gas-canister-equipped glass dome and disappearing silently into the night, they decided instead just to leave that skylight wedged open, the wires dangling in plain sight, while engaging in some noisy, petty vandalism.

Plausible? Yes, but…

Could something like this be done? In theory, yes, sure. If:

  • Every computer, regardless of OS, could be forced to execute unknown code upon USB drive insertion
  • An utterly invisible computer virus payload was sophisticated enough to deal with every hardware platform and every variant version of BIOS
  • And it can reprogram both network and audio controllers, rendering BIOS wipes useless
  • And you can believe something this sophisticated, virulent, and pernicious would then draw attention to itself

My issue with Ruiu’s claims has to do with the stacked improbabilities. Add to that the fact that thus far he appears to be the only victim of this insidious virus in the entire world.

I’m prepared to eat my words if some genuine, concrete evidence of this Skynet-level code is actually found, but I have my doubts.

Published professional writer and poet, Becca had a three decade career in technical writing and consulting before selling off most of her possessions in 2006 to go live at an ashram in India for 3 years. She loves literature (especially science fiction), technology and science, progressive politics, cool electronic gadgets, and perfecting Hatch green chile recipes. Fortunately for this last, Becca and her wife currently live in New Mexico. @BeccaMorn

  • PA

    http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface

    UEFI provides an OS independent hardware abstraction layer to reduce OS hardware dependency. If BadBIOS lives in UEFI, it can operate in an OS independent manner BELOW the OS.

  • http://poodyheads.wordpress.com/ zorbear

    It sounds like her friend only pranked managers who were major jerks — not something that I think would happen to you…I hope…
    :-P

  • Jim Olson

    I’d still find out. I have zero pranking tolerance. Which, in the twisted way that people who do pranks think, makes them want to do it even more. I’ve had to make an example of more than one employee. Pranking is about power and humiliation and the perverse thrill that the prankster gets from seeing his or her victim react. Zero tolerance for that.

  • Kubik

    I happen to know a bit about BIOS as I have been programming and modifying it since 1996 :) The extension ROM (usually called Option ROM, OpROM for short) mechanism you described is somewhat limited, though, because it’s only executed in real 16-bit mode and is no longer used during (modern) OS runtime. You’d need to be able to force some of your code to be executed in the OS as a driver, which would be tricky, although probably not impossible. Another problem with this approach is that the OpROM is often found on PCI or PCIe cards, and you need to update the flash on the card, which is hardware specific for each card. Some OpROMs can reside in the BIOS flash memory itself, but making the BIOS aware of it might actually need some advanced hacking.

    With UEFI, there’s a whole bunch of new options you have, because everything is standardised. The only thing you need to do is to insert your driver into the BIOS flash. From then on, the driver can use all the services provided by the BIOS. This approach has two ‘benefits’:
    – easy access to System Management Mode (SMM), thus the driver can run ‘in the background’ even when the OS runs – any OS.
    – platform independence. I am not quite sure about that as I never actually saw a Mac, but given the fact Macs use (U)EFI and run on the same hardware as PCs, there’s a chance the same virus would spread in both PC and Mac ecosystems.

    Keep in mind there are initiatives and features to make BIOS secure, and it’s up to the manufacturer of the particular system to enable or disable them.

  • Anubis

    What you say is true and ultrasound propagation has been proven possible, but in order to transmit to the “target” computer it needs to already be infected, otherwise nothing is done with the received audio information.

  • Anubis

    “I got rid of my landline service because we could hear listeners.” pretty obvious that all of your problems stem from somebody physically tapped into the line, which explains how they are able to relatively easily obtain any private details sent through the internet from your property. And infect your computer; you probably connect to the internet before firewalling up.

    HAARP cannot control the weather, it can manipulate it to a slight degree. Just as it can slightly influence geoplate activity to contribute towards earthquakes, but it’s simple physics and very limited. ISON will be pretty to look at for a while and then go out of visual range. Russia > USA.

  • Anubis

    You are 100% correct without realising it. Almost every BIOS in existence allows bootstrapping of other low level firmware, of which at a very low level all of it is identical. After the POST a BIOS will scan 0x0C0000 to 0x0F0000 (2kb segments) for two bytes 0x55 and 0xAA and an accurate size marker. The extension ROM then has full control and can inject interrupt routines wherever it pleases. All OSs use interrupt requests, hence this vulnerability is truly cross-platform and more architecture specific than anything else. There is typically 600kb of storage space to be used which is far more than adequate to instantiate an infection stub.
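The scan the comment above describes (signature 0x55 0xAA on 2 KB boundaries, a size byte, and a checksum) can be run from the defender's side over a firmware or memory dump to inventory which extension ROMs a legacy BIOS would hand control to. This is an added example, not code from the article or the commenters; the memory image and the ROM contents are constructed inline, and the 2 KB step and the 512-byte size unit are the legacy option ROM conventions the comment refers to.

```python
# Added example: scan a constructed snapshot of the legacy option-ROM window
# (0xC0000-0xF0000) the way a legacy BIOS does, and validate each header's
# size and checksum. Useful for inventorying extension ROMs in a dump.

REGION_START = 0xC0000
REGION_END = 0xF0000
SCAN_STEP = 2048          # legacy BIOS probes for headers on 2 KB boundaries
BLOCK = 512               # the size byte at offset 2 counts 512-byte blocks


def build_option_rom(payload: bytes, corrupt: bool = False) -> bytes:
    """Construct an option ROM image: 55 AA, size byte, payload, zero padding
    to a multiple of 512 bytes, and a final byte chosen so that all bytes sum
    to zero mod 256 (the legacy checksum rule). With corrupt=True the final
    byte is deliberately wrong, simulating a tampered or damaged ROM."""
    body = bytearray(b"\x55\xAA\x00") + bytearray(payload)
    total = (len(body) + 1 + BLOCK - 1) // BLOCK * BLOCK   # leave room for checksum
    body[2] = total // BLOCK
    body += b"\x00" * (total - len(body) - 1)
    fix = (-sum(body)) & 0xFF
    body.append(fix ^ 0x5A if corrupt else fix)
    return bytes(body)


def build_region(roms: dict) -> bytes:
    """Construct the C0000h-F0000h window as flat bytes. `roms` maps a physical
    address to an option ROM image; everything else reads as erased flash (0xFF)."""
    region = bytearray(b"\xFF" * (REGION_END - REGION_START))
    for addr, image in roms.items():
        off = addr - REGION_START
        region[off:off + len(image)] = image
    return bytes(region)


def scan_option_roms(region: bytes) -> list:
    """Walk the window in 2 KB steps and report every header found as
    (physical address, declared size in bytes, checksum_ok). A header whose
    declared size is zero or runs past the window is reported with
    checksum_ok=False because its checksum cannot be validated."""
    found = []
    for off in range(0, len(region), SCAN_STEP):
        if region[off:off + 2] != b"\x55\xAA":
            continue
        size = region[off + 2] * BLOCK
        if size == 0 or off + size > len(region):
            found.append((REGION_START + off, size, False))
            continue
        checksum_ok = (sum(region[off:off + size]) & 0xFF) == 0
        found.append((REGION_START + off, size, checksum_ok))
    return found


if __name__ == "__main__":
    # Constructed sample: a clean 512-byte ROM, a ROM with a bad checksum,
    # and a clean 1024-byte ROM, placed where a video BIOS, a NIC boot ROM
    # and a RAID ROM might typically sit.
    sample = build_region({
        0xC0000: build_option_rom(b"VIDEO"),
        0xC8000: build_option_rom(b"NIC", corrupt=True),
        0xE0000: build_option_rom(b"X" * 1000),
    })
    for addr, size, ok in scan_option_roms(sample):
        print(f"option ROM at {addr:#07x}: {size} bytes, checksum {'OK' if ok else 'BAD'}")
```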

  • Anubis

    The unfortunate reality is that the common component between these motherboards (surprisingly this aspect has been pushed to one side with a whole bunch of unlikely theories) is the low level BIOS hardware. If somebody wanted to infect patient zero they simply require physical access and an MSI TL399 handheld. From here you access the JSPI1 headers and godmode as you please. Because the chip can physically be programmed this way AFTER manufacture it is inherently insecure. Once this takes place, game over; the system block BRR can be modified very easily to ignore a bad checksum or to simply hardcode the original unaltered checksum… aka your BIOS is good. At this point no motherboard currently manufactured has any kind of defense against accessing the NVRAM through an undervolted RTC. Thus you can bootstrap ANY HARDWARE FIRMWARE YOU PLEASE.

    This doesn’t explain any transmission mechanism however it does open up every single transmission mechanism you can imagine, almost. Such an infection stub would merely open the door and keep it open, forever. Or until you brick your mobo.

  • Kubik

    Actually, I don’t see some of the “Color me skeptical” bullets as completely impossible. If the badBIOS would install its runtime part as a BIOS SMI driver, it gets complete control of the computer, independently of what OS is being used. I can imagine the badBIOS carrying support for common file systems, thus being able to manipulate files on the fly. I recall we had a product that was partly implemented in BIOS and was able to reinstall drivers when the user deleted them in Windows, so that would be theoretically possible.

    The ‘different platform’ bullet is not quite right either; as long as you’re on the x86 architecture and use a UEFI BIOS, the interfaces are standard and well documented, including the SMI driver part.

  • http://motls.blogspot.com/ Luboš Motl

    We have been infected by BadBIOS v3.0. It spreads through digital cameras’ firmware and everyone whom you photograph with the camera catches the HIV virus. Moreover, the central bankers in the countries that collect taxes from the digital cameras get infected by the mad cow disease. Yesterday, the Czech National Bank showed the infection when it intervened against its own currency and weakened it by 6% relatively to the U.S. dollar. All of it was caused by BadBIOS v3.0 that is independent of the OS, hardware, and even genetic code, race, and gender of the human transmitters of the disease.

  • Net Lace

    No, not the ONLY one. We have it. We have tried 3 different routers, countless restores, bought new PCs even. My daughter’s computer now also has OS X. I ran MS Essentials and it took 4 hours, then on the next boot it showed OS X down on the lower left corner. These laptops are not Macs, they’re Dell PCs. We hear radio/TV sounds in the air. We hear a beep sound like a recording-stop noise. This is a new house and all the problems started with AT&T installing new service. The wireless light never goes off unless unplugged. I got rid of my landline service because we could hear listeners. My bank account was hacked twice and the ONLY way they could have got my card # is via phone. This is bad folks. And btw…. AT&T is CROOKED. Life as we THOUGHT it was is OVER…. If HAARP can control the weather, nothing is impossible. Wonder what ISON has for us? We were warned even by Janet Napolitano to expect cyber and natural disasters….. The USA and others are far more advanced than we ever dreamed, enough said.

  • hallam

    Rootkit code is quite common now. And we are seeing it in more than just the PC BIOS. Modern PCs appear with CPUs all over the place. There are ethernet ports with a full TCP/IP stack and a Web server all running an ancient version of Linux that is full of holes like a swiss cheese and can’t be patched.

    Self healing has been observed as well.

    Communicating via audio is possible. And in fact there is a recent demonstration of a cryptographic key being extracted from a machine by analyzing the sound made by the machine. It’s an extension of differential power analysis.

    But the idea that merely hearing a sound would cause a computer to be infected is nonsense. Generating a sound is not going to cause a buffer overrun or out of bounds branch. It just isn’t. If the scheme is genuine then something else is going on.

  • TimLSR

    Unless you pull the flash chip off of the motherboard or have a way to flash the BIOS without using the infected BIOS code contained within to boot up the motherboard, the infected code will run and could attach itself to the new flash code.

    Before you discount data transmission via computer audio hardware, consider that ultrasonic was an idea and a single carrier wave is what others interpreted that to mean. We can and do easily transmit data over what would sound like background fan-like noise.

  • HeartlandLiberal

    Cool ASUS. My preferred brand of MoBos for all my home builds. Except I do have two SuperMicro boards in my two development and archive servers.

    Skepticism about badBIOS seems to be growing. Here is a good source if you want to pursue the issue.

    Go to the Internet Storm Center: https://isc.sans.edu/

    In search box, enter ‘badBIOS’.

    Under the second section in the results, ‘News’ category, there are multiple entries from the last few days. Many skeptical, many still not sure.

    Considering that the code in the BIOS is more in the nature of firmware, and not accessible and writable in the same way you write to stuff on the drives or RAM on a computer, I have to wonder if these claims are legit.

    Flashing the BIOS is a complicated thing, requiring basically suspending the normal operation of the computer, because you are replacing the basic code that lets the machine come alive. And it involves scary warnings you must always take seriously, like whatever you do don’t turn off the power or experience a power interruption, because if you do, your BIOS is toast, in an unfinished and unstable state.

    Used to be that flashing BIOS was a royal pain in the nether regions, involving booting to a diskette. Nowadays most MoBo manufacturers provide sophisticated programs that let you launch the process much more easily, often from within the BIOS itself. E.g.

    http://www.youtube.com/watch?v=NQKQj_aASCQ

    But then again, I would not reject the claims out of hand, knowing that with a computer, all things are possible sometimes for a creative mind bent on causing havoc.

    I would just like to see concrete proof.

  • http://poodyheads.wordpress.com/ zorbear

    Ahhhh…you’re so sweet!

    :-)

  • AlainCo

    Choose your example better…
    Cold fusion is getting industrial

    http://www.lenrnews.eu/lenr-summary-for-policy-makers/

    Elforsk, the Swedish research consortium of electricity industrials, doesn’t hesitate to publish an article about the successful test they did
    http://www.elforsk.se/Global/Trycksaker%20och%20broschyrer/elforsk_perspektiv_nr2_2013.pdf#page=4

    Toyota just published in a peer reviewed journal article (Japanese Journal of Applied Physics) about a replication experiment of Mitsubishi (Iwamuera – paper itself published in a PR journal too)

    http://jjap.jsap.jp/link?JJAP/52/107301/

    Badbios virus is less supported by industry than is cold fusion.

    less validated by thousands of experiments and dozens of known labs across the planet…

    Anyway, that you are not aware of that, while you are aware of the badBios probable hoax, shows how the media are not doing their job to inform.

    They parrot, and follow the fashion, the consensus, the terror.

    best regards.

  • Julien Pierre

    I would have gone for something less innocent, like :
    Shall we play a game of Global Thermonuclear War ?

  • Julien Pierre

    Too many things don’t add up, sorry. This will be shown to be a hoax, or at least some elements of it will be.

  • http://www.newmillgay.com/ The_Fixer

    My pleasure, my dear!

  • http://www.rebeccamorn.com/mind BeccaM

    I was hoping you’d weigh in, Fixer. Thanks!

  • http://www.newmillgay.com/ The_Fixer

    First, that was a very good explanation of the technical stuff for people who don’t often delve into such things, Becca.

    Second, as both a computer guy and an audio guy, I have a lot of problems with this presumed virus. I am inclined to agree with your assessment.

    In addition to its magical cross-platform abilities, the fact that it supposedly overwrites the BIOS in an undetected manner is just crazy. I have used BIOS reflashing programs that ran within Windows, but they always required a reboot. A very conspicuous reboot. Even the simpler BIOS flashing programs that run in DOS require a reboot. Nowhere in this account do I see that happening.

    Now on to the “airgap” problem (and it’s a big one). First off, in order for such a data transfer to happen undetected, it would have to happen in the ultrasonic part of the audio spectrum. Problem is, computers, particularly laptop computers, have speakers that are not capable of producing sound in the ultrasonic part of the spectrum very well, if at all. They are also poorly placed, which poses a second problem (which I will get to in a second).

    The microphones in such computers have a better chance of working ultrasonically, but not much better than the speakers. They also are not optimally placed for the purpose of sending data via audio.

    Now let’s get down to the technical audio part of it. Audio at high frequencies, particularly ultrasonic frequencies, is easily reflected – it bounces off hard surfaces and bounces off of them a lot. Most laptop speakers (particularly Macs) fire upward. The first thing that sound will hit is the ceiling. And then it will bounce off that, and bounce back to the table that the computer is sitting on, or the floor. And then it bounces up to the ceiling again. It may do this several times before it hits the target, and often will bounce off other hard surfaces in the process (assuming it is strong enough to do so). There is also a phenomenon called multipathing (and it’s exactly what it sounds like – the sound takes multiple paths to arrive at its destination).

    Repeated reflection and multipathing have the effect of distorting the audio signal, which then distorts the data that it is supposed to be carrying. This assumes a room with hard surfaces. When we get into a carpeted room, a room with draperies, or a room with an acoustic ceiling, the ultrasonic sound gets absorbed at some point, or at least loses a lot of its “punch” and just dies off (it gets attenuated, in technical terms).

    Couple these situations with speakers and microphones that are very inefficient at these ultrasonic frequencies, and you have an extremely low level of probability for successful data transmission. I’d say nearly impossible unless they were sitting right next to each other and the speakers and microphones were aimed right at each other. It would also have to be in a room with a balance of reflective and absorptive surfaces – it would have to be “just right”.

    There would also have to be a level of interaction between the operating system and hardware in both the administrator/root space and system space without being noticed. That’s a tall order for a virus that is so small that it is undetectable on a USB drive. There just isn’t enough space in the controller chip inside the USB drive for that to happen. Same for the multi-platform capability. That would have to be a program of some size. That would be detectable, even if the operating system was told to incorrectly report the size of the drive (again, more complexity in what is supposed to be a small program).

    My theory? He had a series of unusual, but not impossible hardware failures. I have seen this happen before. It’s difficult to troubleshoot, but not impossible.

    tl;dr: I agree, Becca. It may not be a hoax, but it’s not a virus. I just said it in a long and semi-technical way.

  • http://www.rebeccamorn.com/mind BeccaM

    I spent quite a few hours in MUDs during those years, too. On average, gaming and the desire to play the newest ones always drove my hardware upgrades. And, with MMOs and the like, the desire for low-latency broadband as soon as such could be had.

    I thought about going CS, but ended up with 3/4 of an EE degree and an actual degree in tech writing.

  • http://www.americablog.com/ Naja pallida

    If it wasn’t for Novell Netware being so terribad, I’d probably never have gotten seriously into computers. Waaaaaay back in college I used to exploit its complete lack of any kind of notable security to store warez on the university mail server. I also found out that you could still use telnet and IRC without even logging on to the network, so nobody saw your user id logged in for hours on end, and wondered what you were doing. That’s also when I learned MUD programming, and wasted almost every waking moment when I wasn’t actually in class on IRC and Usenet. Probably also why I switched majors to CS after my first year; who knows where I’d be now without it. :)

  • http://www.rebeccamorn.com/mind BeccaM

    Yep. Pretty much.

  • http://www.rebeccamorn.com/mind BeccaM

    That’s why he was very careful never to get caught, especially when pranking the managers.

  • Jim Olson

    Your friend would have lost his job quicker than he could imagine if I’d caught him. That sort of pranking has no place in anyplace where I’m the manager.

  • discus_sucks_ass

    Even a cursory read makes it sound implausible at best. If it is true, we are all screwed anyway.

  • http://www.rebeccamorn.com/mind BeccaM

    I like your prank, too. Simple, easy and quick to do, no lasting harm — and some fun for those who got the joke. :-)

  • http://poodyheads.wordpress.com/ zorbear

    When home computers first hit the market, every Radio Shack had one set up in their stores for people to play with. I went around to every store in my area and slid in a basic program that put the word “Name:” up on the screen. Upon typing your NAME, the screen would come back with: “I’m sorry NAME, but I can’t do that…”

    I thought I was smart, but your “friend” is a genius…
    ROTFLMAO!!!

  • http://www.rebeccamorn.com/mind BeccaM

    Thanks.

  • http://www.rebeccamorn.com/mind BeccaM

    Or as I suggested further up the comment thread, someone is messing with him personally, on purpose.

    Many, many years ago, there was this guy I worked with who liked to play pranks on people. And also a mid-level manager nobody liked. This first guy, who was also a Monty Python fan, decided it would be hilarious to hack a command-line executable, insert a bit of code, and cause it to display the name “DINSDALE!” in capital letters in the middle of this manager’s PC screen at random intervals.

    Never more often than once every 5 or 10 minutes, and it stayed up for just a couple seconds.

    We were all on one of those early Novell Netware networks, which pretty much left people’s hard drives wide open.

    In would go the executable, where it ran for a few days until the manager finally broke down and went to the IT dept to come look at his computer. My friend, hearing this transpire, would quickly swap the hacked shell for the original unhacked one.

    Half an hour later, no ‘DINSDALE!’ The IT techs would leave in annoyance and disgust. A few hours later, it’d start right back up again.

    This went on for about three weeks. I think there were at least 4 or 5 IT visits in the interim.

    Then, on a rainy Friday afternoon, my friend loaded another file that began flashing ‘DINSDALE!’ continuously. The manager literally tore out of his office and ran for the IT section, hollering, “It’s there! It’s really there and it’s not stopping! Dinsdale, Dinsdale, Dinsdale!!!”

    My friend quietly removed his hacked program and never spoke of it again. Until one night when I plied him with enough single-malt scotch to spill the beans…

  • http://www.rebeccamorn.com/mind BeccaM

    There’s just too many details in the story that jumped out at me as implausible. Starting with a magic BIOS firmware virus that somehow remains completely invisible despite three years of looking for it.

  • discus_sucks_ass

    Just advancing a possibility, not delivering wisdom from on high. And I would think if you installed a new BIOS chip it would all go away, if that was the infected part. And cut the traces from the audio subsystem (extreme air gapping ;p); there does not seem to be any way for him to keep getting that firmware update. If he still does, all it could be are gremlins…

  • RepubAnon

    It does seem highly unlikely – a single platform-independent, very small piece of malware? This sounds more like the “cold fusion” of malware than a real threat.

    I’d be careful of saying “he isn’t that important” though – it assumes that Mr. Ruiu was a target. If his computer suffered the computer equivalent of “collateral damage” via a supervirus intended to target some other machine, it might explain why the system discrepancies showed up.

    However, it seems more likely to be some bad hardware components.

  • http://www.rebeccamorn.com/mind BeccaM

    Even if it were, there’d be forensic signs of the code moving from the USB drive on through the OS and down into the BIOS and controller levels. (And it remains my contention that no Linux system can be forced to run privileged code simply by mounting a USB drive. The operating system doesn’t work that way.)

    The malware wouldn’t be invisible. From Stuxnet to Flame, they’re all visible as long as you know where to look. If it’s not in the operating system files (easy to detect), the next place to look is the disk boot sector. Presumably one could pull the BIOS, but patching BIOS on the fly or leveraging any UEFI elements to make it do malware things is going to leave traces. (Or, far more likely since one is attempting to be a universal BIOS virus, crash machines left and right.) If not that, then pull the danged audio and network controller chips and do a dump.

    I don’t know — I’m positive MyrddinWilt knows his biz — but the overwhelming proportion of people who stroke their chins and say, “Oh yes, perfectly plausible” have (in my opinion) spent way too much time watching the Matrix.

    Computer code isn’t magic. It only does what the underlying hardware will support and only what it’s programmed to do. It’s not intelligent or self-aware. (Not yet anyway…)

  • http://www.rebeccamorn.com/mind BeccaM

    Great article, thanks Perljammer. Definitely required reading for those who want to take a dive into the deep weeds.

    If anything, Mr. Jaenke does an even better job than me of disproving the likelihood this ‘badBIOS’ virus is for real.

    I like the one commenter who remarked (emphasis mine):

    Either the motives and methodology of the people behind this alleged malware are suspect, or the motives or methodology of Dragos Ruiu are suspect. Occam’s Razor points to the latter. The idea that he has been working on his computers believing they’re infected by invisible malware (which coincidentally seems to be inspired by Rutkowska’s most evil theories) that communicates over HF transmissions in order to prevent him removing it for over three years sounds very John Nash, honestly. Even if someone had the technology to do this, and convert all of these proof-of-concept or theoretical attacks into practical forms, he simply isn’t that important.

  • discus_sucks_ass

    If it was the USB flash drive that was the origin, I can see how it could be in the controller chip if someone had access to its manufacture. Loading a virus or worm while it is loading its drivers might be possible. But using the audio as a vector seems awfully low bandwidth to transmit much info.

  • perljammer

    I’m with you on this one, Becca. I found an excellent piece on this here: http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/

  • http://www.rebeccamorn.com/mind BeccaM

    You might need to have a talk with my wife’s family about that. Before she passed on, our Matriarch formally ‘adopted’ me into the fam.

    I think her words were something to the effect, “You’re not getting away. You’re stuck with us.” ;-)

  • http://www.rebeccamorn.com/mind BeccaM

    Different name. Same concept and purpose.

  • Dan Corjulo

    Hey all you experts, Macs don’t have BIOS, never have. They use Extensible Firmware Interface. Completely different.

  • http://adgitadiaries.com/ karmanot

    WOW! Just excellent.

  • pappyvet

    Can we adopt you, Sis?

  • http://www.rebeccamorn.com/mind BeccaM

    I wish I could share the opinion that this was ‘credibly feasible’ — but I don’t. It’s credibly feasible to build a space elevator, but that doesn’t mean it’s happening anytime soon.

    Adding together all the capabilities of this sub-BIOS virus, I don’t think it’s possible to do it with nearly zero footprint code. Much less do so on computer systems (such as Linux) that don’t allow code to run outside of protected memory spaces.

    Again, we have here allegations of an ultra-virulent unkillable super-virus — and that’s 99% of all it does. The remainder being nuisance acts of random attention-attracting vandalism. For all its capabilities, all badBIOS is allegedly doing is being annoying. Why would it do this? It makes no sense.

    Like I said above: If there’s independent verification this code exists and has been found having overwritten network and audio controller hardware, I’ll eat my words. But ‘plausible’ and ‘proven to exist’ are two entirely different things.

  • http://www.rebeccamorn.com/mind BeccaM

    I can’t say one way or the other, because if it’s not ‘hoax’ and not ‘actually for-real’, then we’re dealing with possible delusion or frame-up, and I didn’t want to suggest those.

    As I mentioned above, it is the lack of independent, neutral verification at this time that remains problematic in the claims.

    Hoax was an attempt at using Occam’s Razor in explanation. However, there’s an even simpler solution that I also can’t discount: Someone with access to Ruiu’s equipment — whether physically or remotely, or both — has been f*cking with him.

  • http://www.rebeccamorn.com/mind BeccaM

    Flatterer. ;-)

  • MyrddinWilt

    The elements are all possible. The only thing that is a little odd here is that both the machine that was compromised and the thing it was talking to must have been compromised.

    I can imagine circumstances in which an attacker would be motivated to produce such a system, in particular attacking SCADA control systems. So it absolutely could be a legit attack.

    But even if it was not, it is a completely credible feasibility demonstration. That is why I wouldn’t use the word ‘hoax’. Finding the attack would be clever, inventing it would be genius.

    I am currently in the IETF fix the Internet to stop the NSA meeting. Will probably be having further discussion of this in the bar after.

  • http://AMERICAblog.com/ John Aravosis

    Let me just add that smart chicks are hot.

  • Roman Berry

    “Hoax” is not a word I would use. To be a hoax would be for this to be a deliberate fabrication/falsehood, and while skepticism is warranted, there is zero indication that Ruiu has set out to deceive anyone in any way. In fact, he has done just the opposite, supplying not just his data but in fact much of the hardware in question to other security researchers in an effort to see if what he thinks he is seeing is in fact really there. That is not the path of a hoaxer.

    I have seen some speculation that Ruiu has been affected by the stress of the things that he (and other researchers) actually *have* seen, documented and verified, and that maybe what he needs to do is step away for a little while for a break. I see that as a possibility myself, and I really (and I do mean really, really) hope that is what it is. Because if that isn’t it and Ruiu is right… the consequences are beyond my ability to readily contemplate.

© 2014 AMERICAblog News. All rights reserved.