There’s a story making the rounds, first reported in Ars Technica, about a particularly virulent computer virus that has been nicknamed, “badBIOS.”
It’s an awful and amazing thing that can infect PCs and Macs alike. And I don’t buy it. Let me tell you why.
But first, in order to understand both the nature of the virus and the origin of the name, perhaps a little CompSci Ed is in order — but feel free to skip this part if you already know what I’m talking about.
What is BIOS?
Every computer has something called its “operating system” (or OS). For many PCs, this is Microsoft Windows, but it could also be any of the myriad flavors of UNIX, such as Open BSD, Linux, Red Hat, and so on; for Apple computers, it’s OS X. (Mobile computing: Android devices are running some flavor of Android; Apple tablets and phones run iOS.)
However, when you first power up your desktop or laptop, unless your computer’s manufacturer chose to hide it, there’s a momentary text-only screen that shows basic system hardware information — what type of motherboard, CPU, connected storage devices, memory, and so on — as well as a prompt where you can (usually) press either Del or F2 to go into what’s called BIOS mode. When you do this, on a PC at least, you’ll often see a screen like this one:
This BIOS utility screen and the program behind it lets you view and control the innermost hardware settings of your computer.
The term ‘BIOS’ stands for ‘Basic Input/Output System’ — and it is a layer of semi-permanent computer program that sits between your operating system and the computer hardware. Unlike your applications (which change frequently) and your operating system (which is updated from time to time and can be replaced entirely), the BIOS is something the vast majority of people will never change. Heck, most people never even have to touch their BIOS hardware settings.
For this reason, it’s safely programmed into non-volatile memory (meaning it stays there even when your computer has no power). It’s considered “firmware.”
It is possible to change a computer’s BIOS, in a process commonly known as “flashing” or “re-flashing.” Doing so is not without risks, because if you mess it up, there’s a chance you could “brick” your device (i.e., turn your computer into a doorstop). The reason this can happen is that in the process of flashing the BIOS, you can not only crash the system, you can also accidentally destroy the computer’s ability to power up far enough to re-flash the BIOS a second time.
After that, you’d need serious professional technical help to restore a computer with corrupted BIOS. Correctly functioning BIOS is essential.
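Because the BIOS lives in flash rather than on the hard disk, the practical way to tell whether it has been altered is to read the image out of the chip and compare it with the manufacturer’s published copy. The following is an added example, not code from the original post; it assumes you already have a vendor reference image and a dump from the machine (both are constructed inline here) and a 4 KiB flash sector size.

```python
"""Compare a dumped BIOS image against a known-good reference, sector by sector.

Added example; not from the original article. Assumes two byte strings: a
vendor-published reference image and a dump read from the flash chip. Both
are constructed below so the script runs offline.
"""
import hashlib

BLOCK = 4096  # typical SPI flash sector size (assumption)


def block_hashes(image: bytes, block: int = BLOCK) -> list:
    """SHA-256 of each fixed-size block, so a report can name the offsets that changed."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


def compare_images(reference: bytes, dumped: bytes, block: int = BLOCK) -> dict:
    """Return whole-image hashes, a size-mismatch flag, and offsets of differing blocks."""
    result = {
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "dump_sha256": hashlib.sha256(dumped).hexdigest(),
        "size_mismatch": len(reference) != len(dumped),
        "modified_offsets": [],
    }
    ref_blocks = block_hashes(reference, block)
    dump_blocks = block_hashes(dumped, block)
    for idx in range(max(len(ref_blocks), len(dump_blocks))):
        r = ref_blocks[idx] if idx < len(ref_blocks) else None
        d = dump_blocks[idx] if idx < len(dump_blocks) else None
        if r != d:
            result["modified_offsets"].append(idx * block)
    result["clean"] = not result["size_mismatch"] and not result["modified_offsets"]
    return result


# Constructed sample: a 16 KiB "reference" image and a dump with one patched sector.
REFERENCE_IMAGE = bytes(range(256)) * 64           # 16384 bytes, four 4 KiB sectors
_tampered = bytearray(REFERENCE_IMAGE)
_tampered[8192:8200] = b"\xde\xad\xbe\xef" * 2     # simulate a modification in sector 2
DUMPED_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    verdict = compare_images(REFERENCE_IMAGE, DUMPED_IMAGE)
    if verdict["clean"]:
        print("dump matches reference")
    else:
        print("dump differs at offsets:", [hex(o) for o in verdict["modified_offsets"]])
```

A clean result only means the dump matches the reference you chose; it says nothing about whether the reference itself is trustworthy, so take it from the vendor over a channel you verify independently.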
What is badBIOS?
In theory, it is possible to alter a computer’s BIOS for nefarious purposes. Doing so would indeed be a serious matter because a BIOS infection would be immune to nearly every computer anti-virus package out there. You’d have control of a computer at the hardware layer.
Unless you did something about the BIOS itself, no matter how many times you wiped the computer’s hard drive and reinstalled the operating system, the infection would remain. The only way to clean it out is to re-flash the BIOS with a fresh, clean copy. Fixed and done, right?
Well, one security consultant, Dragos Ruiu, claims to have a computer infection that goes far deeper than a mere BIOS problem.
So on to the Ars Technica story:
Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.
In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet’s next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.
(Emphasis added here and in further story quotes.) As a computer professional myself who’s been building her own computers since the mid-1980s, already several things in that story set my skeptic’s hackles on edge. Starting with the fact that he claims his initial infection was on an Apple computer running OS X. (Almost nobody in the professional hacking community writes viruses targeting Macs. There are a few out there, but mostly spread via infected web pages. And I’ve never heard of any successful Linux/BSD virus ‘in the wild.’)
According to the story, Ruiu says he has no idea how his system contracted the initial virus, but has theorized it was a USB memory stick or drive. He also reported that within hours of scrubbing a computer, the infection behavior — random data deletions, inability to boot from CD ROM, undone configuration changes — would return spontaneously.
He reported this even happened if he re-flashed the BIOS back to its original state and used a completely fresh (empty) hard disk. Crazier still:
Another intriguing characteristic: in addition to jumping “airgaps” designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.
“We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” Ruiu said. “At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”
By “air-gapping,” Ruiu means not only that the computer in question isn’t connected to a network by an Ethernet cable, but also that he disabled (removed) the WiFi (wireless Internet) and Bluetooth (a short-range networking system) hardware and ran the laptop on batteries, just to make sure there wasn’t some weird data transmission being modulated over the AC power line.
Ruiu’s badBIOS theory
Ruiu believes that in addition to reprogrammed network controller hardware, somehow data is being transmitted using a computer’s speakers and microphone. And he further claims that when he disconnected that particular audio hardware on a previously infected (and air-gapped) laptop, afterwards the re-infections stopped.
To understand this, we have to go a layer lower in the hardware. Your computer’s BIOS talks to the individual hardware controllers on the system motherboard. What Ruiu is suggesting is that once the BIOS was infected, it reprogrammed both the network controller and the audio controller hardware to serve as permanent, intelligent, self-activating back doors.
He has further suggested that merely having an infected computer on the same network as uninfected machines means they’ll all eventually be infected, too.
Another angle on his theory is that USB drives and memory sticks can also be programmed to carry badBIOS, but show no trace of it whatsoever. Even wiped and reformatted USB drives still have it, and according to Ruiu, a fresh drive or stick is instantly infected upon insertion into an infected computer.
He seems to think this is a “multi-stage payload” virus, where the initial piece installs the permanent back doors, and then apparently the other parts are loaded later and result in the odd system behaviors.
badBIOS, in summary
So badBIOS supposedly has the following qualities:
- Infects PCs and Macs alike, including PCs running Windows, Linux and Open BSD, and further including multiple versions and releases of all these operating systems — meaning it is 100% OS-independent, and also essentially hardware independent as well
- Easily transmitted via USB drives and memory sticks and can bypass both secure operating systems (such as Linux) and anti-virus software invisibly; able to infect new USB drives/sticks at will
- Manifested behavior (besides extreme virulence) includes an inability to boot from CD or DVD (making reinstalling the OS difficult but not impossible), random data deletion, and reset configuration changes
- Can re-infect a scrubbed (including BIOS re-flashed) computer without any physical or WiFi/Bluetooth network connection
- Is (thus far) completely invisible and undetectable except through the reported anomalous computer behavior and malfunctions
Color me skeptical
I’ll explain now why I’m having trouble believing this:
Able to infect computers regardless of operating system: Yes, it’s not hard to infect PCs, especially those unprotected by anti-virus software. But it’s much harder to infect computers running Apple’s OS X (which has an XNU UNIX-like hybrid kernel), and much, much more difficult to infect Linux-based (and Open BSD) machines, because Linux and other UNIX variants simply do not allow code to be run arbitrarily, and certainly not the kind of privileged code it would take to re-write the BIOS on the fly. It’s actually quite difficult to infect a UNIX/Linux system because it protects operating system files through encryption and would never allow some random program to reach through and diddle with the computer’s BIOS. What I can’t wrap my brain around is this idea that a single nigh-undetectable virus can infect any computer regardless of OS.
BIOS and component firmware is altered even while the computer is running: I’ve re-flashed a number of computers, and there isn’t an OS out there that won’t react (and usually crash hard) if you start diddling with the BIOS while the OS is up and running. Most of the time, the computer needs to be run temporarily in a special protected mode to make it happen.
Able to infect many different incompatible hardware platforms using the same initial virus payload: Not only are we talking different computer manufacturers, we’re also talking about different basic component-level hardware. Every motherboard manufacturer, for example, runs their own customized BIOS firmware, too, none of it exactly alike. (Although to be fair, it’s often similar.)
Permanent embedding in network and audio hardware: Here I’m reaching a bit, but I can think of no plausible scenario where on-board network and/or audio hardware can be permanently — and invisibly — reprogrammed to hold an undetectable virus. And that would have to hold regardless of who manufactured the network or audio hardware.
Here we’re getting into the territory of whether something is theoretically possible versus whether it is plausible. Unfortunately, for me, the improbabilities just keep multiplying:
(OS independent) x (BIOS independent) x (H/W independent) x (infects at will) x (undetectable) x (self-repairing) x (inexplicable visible behavior) = As improbable as a pair of space missiles suddenly transforming into a bowl of petunias and a whale, both plummeting towards Magrathea.
Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he’s beginning to draw. (A compilation of Ruiu’s observations is here.)
Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he’s no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that has afflicted Ruiu’s computers and networks.
Most of all, the detail I cannot get past is how this alleged super-virus — from Ruiu’s description — gives every appearance of being incredibly, improbably sophisticated in its ability to propagate and self-repair, yet it allegedly draws attention to itself by modifying settings, undoing configuration changes, altering machine behavior, and deleting data.
The manifested behavior makes no sense. You’d think something this mind-blowing would be programmed to avoid giving any sign of being there.
It’s as if Catwoman or James Bond broke into an ultra-secure vault filled with valuables and riches, bypassing elaborate tripwires, alarms, and guards, and dropping through the skylight on wires, but then, instead of quietly stealing the diamond from under the laser-protected, gas-canister-equipped glass dome and disappearing silently into the night, decided to just leave that skylight wedged open, the wires dangling in plain sight, while engaging in some noisy, petty vandalism.
Plausible? Yes, but…
Could something like this be done? In theory, yes, sure. If:
- Every computer, regardless of OS, could be forced to execute unknown code upon USB drive insertion
- An utterly invisible computer virus payload was sophisticated enough to deal with every hardware platform and every variant version of BIOS
- And it can reprogram both network and audio controllers, rendering BIOS wipes useless
- And you can believe something this sophisticated, virulent, and pernicious would then draw attention to itself
My issue with Ruiu’s claims has to do with the stacked improbabilities, added to the fact that thus far he appears to be the only victim of this insidious virus in the entire world.
I’m prepared to eat my words if some genuine, concrete evidence of this Skynet-level code is actually found, but I have my doubts.