BadBIOS: Next-gen malware or digital myth?

Security researcher's ongoing investigation into disturbingly stubborn malware infection inspires curiosity -- and skepticism

[Ed. note: This story originally stated that it was believed that BadBIOS can infect other machines via ultrasonic audio. Rather, as amended below, it is believed that BadBIOS can communicate with other machines already infected with BadBIOS via ultrasonic audio.]

Security researcher Dragos Ruiu calls it "BadBIOS." According to him, it's a strain of malware that has persisted amongst the machines in his laboratory for almost three years and that has proven near-impossible to clean out. But some parts of his hypothesis about how it's spreading are so strange that even other experts are skeptical.

Ars Technica is reporting in detail about Ruiu's saga, which seems to involve a piece of malware so polymorphic that it seems to be able to spread by infecting everything from a system's BIOS on up.

What's strangest about this malware is that it even seems to be able to communicate with other infected computers that are airgapped -- that is, machines that aren't physically connected to a network.

BadBIOS appears to be OS-agnostic, as Ruiu has found it in Windows, BSD, and OS X machines. Reflashing the BIOS does not appear to help, either. Infected machines refuse to boot from external devices, and any USB drives plugged into a system are also infected -- possibly by way of the USB controller.

BIOS-infecting malware by itself isn't new; one of the first rootkits that infected system BIOSes, Trojan.Mebromi, was discovered back in 2011. But how is it possible that the BIOSes of machines from completely different manufacturers could all be vulnerable to such an attack?

Possibly by way of a general security hole in the UEFI (Unified Extensible Firmware Interface), the BIOS system used by all recent-model PCs. A Mac version of the same attack has also been hypothesized, since Macs use UEFI now as well. Another place the malware could be hiding, which explains a great deal about its behaviors overall, is within the PCI architecture itself or within the controllers for USB devices.

Any such malware would also have to contain multiple payloads for each of its infection targets -- not just different OSes, but UEFI, PCI, and USB firmware as well. While difficult to execute, it isn't theoretically impossible. It would just be a major technical accomplishment.

The single most difficult-to-swallow proposition about BadBIOS, though, is that it can transmit data to other infected machines via audio, by way of ultrasonic signals transmitted from the speakers of one machine and picked up by the microphone of another. This is also theoretically possible, as fellow security researcher Robert Graham demonstrated.

But here's the biggest question of all: Is all this really due to a single, monster malware, or has Ruiu made sincere mistakes with his research? There's always the possibility that the infection of the air-gapped machines has not been due to malware, but rather some kind of mishandling of the systems in question.

Possible but unlikely given Ruiu's pedigree, say other experts. Graham himself has weighed in and has taken two stances. On the one hand, he's critical of the fact that Ruiu hasn't, say, dumped the BIOS of any infected system and provided it for analysis yet. He wants to see more of what Ruiu himself has uncovered, and Ruiu has in fact promised all that in time.

On the other hand, a great many of the behaviors that Ruiu described do in fact seem plausible to Graham, and he has no overt reason to distrust Ruiu. "[Ruiu has been] a well-respected researcher for 15 years," writes Graham. "If he says he's got an infected BIOS, I'm going to believe him."

Another researcher, Arrigo Trulzi, is tilting toward giving Ruiu "the benefit of doubt until I see the code. I've seen enough to think most [of what Ruiu describes] is doable. The all-in-one. ..."

If indeed BadBIOS is the first in a breed of all-in-one malware that can not only infect a machine in multiple ways but spread that infection in multiple ways as well, new weapons are in order. Those who talk seriously about redesigning computing as we know it from a security-first perspective, such as Peter G. Neumann, might come to seem less like pie-in-the-sky idealists and more like folks who had the right idea all along.

This story, "BadBIOS: Next-gen malware or digital myth?," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies