badBIOS: The unstoppable malware that infects firmware, jumps 'Airgaps'

By on November 4, 2013, 11:30 AM

Can you imagine a computer malware that can make infected systems communicate even if they don't have any wireless hardware and physical connection between them? Seems like something straight out of a sci-fi movie, but Dragos Ruiu, a security consultant and the organizer of the CanSecWest and PacSec conferences, has made some startling claims about a scary piece of malware that manages just that by infecting the BIOS.

Here are some of the claims Ruiu made about the malware, which he termed "badBIOS", on Google+ and Twitter:

  • It is platform independent. Windows, OS X and BSD systems have tested positive so far.
  • It can alter system settings and prevent infected systems from booting from CD drives.
  • The malware propagates through any USB memory stick that is moved from an infected system to an uninfected system.
  • The infected USB memory stick becomes unusable if ejected unsafely from an infected system. Strangely though, it works fine again when inserted back into the infected system.
  • It contains a hypervisor and uses a software-defined radio (SDR) to jump air gaps.
  • It can use the speakers of an infected machine to transmit data through ultrasonic transmissions that are received by the microphone of another infected machine.
  • It blocks websites of Russian origin that offer reflashing software.
  • The malware renders infected systems useless for further research.

The malware first infected Ruiu's MacBook Air three years ago, though he doesn't know how. Many fellow security experts have reacted, and most of them don't dismiss his claims right away. "If he says he's got an infected BIOS, I'm going to believe him," Robert Graham, a security expert, said in a blog post.

Ruiu will provide additional information about the malware at the PacSec conference scheduled to be held in Tokyo on November 13-14, 2013. In the meantime, you can read Ars Technica's report on badBIOS and this analysis on reddit for more details.
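The ultrasonic-transmission claim in the list above suggests a simple defensive check: look for microphone-capture frames whose energy sits mostly between 18 and 22 kHz. The following is an added example, not code from the article or from Ruiu; the 48 kHz rate, band edges, 0.5 threshold and the sample signal are assumptions constructed for illustration.

```python
import math

RATE = 48_000          # assumed capture rate; Nyquist (24 kHz) must exceed the band probed
FRAME = 480            # 10 ms frames -> 100 Hz DFT bin spacing

def bin_power(frame, k):
    """|X[k]|^2 of one DFT bin, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_ratio(frame, rate=RATE, lo=18_000, hi=22_000, floor=1e-6):
    """Share of the frame's energy between lo and hi Hz (0.0 for near-silence)."""
    n = len(frame)
    total = sum(x * x for x in frame) / n            # mean square of the frame
    if total < floor:                                # skip silence, avoid divide-by-zero
        return 0.0
    bins = range(math.ceil(lo * n / rate), math.floor(hi * n / rate) + 1)
    band = sum(2.0 * bin_power(frame, k) for k in bins) / (n * n)
    return band / total

def flag_frames(samples, threshold=0.5):
    """Indices of 10 ms frames dominated by near-ultrasonic energy."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    return [i for i, f in enumerate(frames) if band_ratio(f) > threshold]

def constructed_capture(burst=True):
    """Constructed sample: 0.2 s of a 440 Hz tone, plus a 20 kHz burst at 100-150 ms."""
    out = []
    for i in range(RATE // 5):
        x = 0.3 * math.sin(2 * math.pi * 440 * i / RATE)
        if burst and 4800 <= i < 7200:
            x += 0.6 * math.sin(2 * math.pi * 20_000 * i / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    print(flag_frames(constructed_capture()))        # frame indices holding the burst
```

A capture taken at a lower sample rate cannot represent this band at all, so the check is only meaningful on recordings made at 44.1 kHz or above.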




User Comments: 29

CyberFlux said:

None of us are safe! Lock your doors, cover your windows and get in your basement! It's happening!!

cliffordcooley, TechSpot Paladin, said:

^^^ Mockery, so not funny!

CyberFlux said:

^^^ Mockery, so not funny!

There's nothing funny about BadBIOS

lmike6453 said:

Can you imagine a computer malware that can make infected systems communicate even if they don't have any wireless hardware and physical connection between them?

I was hoping to learn of such a technology but it looks like that this malware does no such thing?

The speaker/microphone mention is a physical connection

1 person liked this | Guest said:

No way do I believe this.

1 person liked this | MilwaukeeMike said:

Can you imagine a computer malware that can make infected systems communicate even if they don't have any wireless hardware and physical connection between them?

I was hoping to learn of such a technology but it looks like that this malware does no such thing?

The speaker/microphone mention is a physical connection

Same... I was hoping for a discussion on entanglement.

Getting information from a speaker is hi-tech?! Pfft! That whole mouth-to-ear data transmission has been around for a while. About time computers caught up.

1 person liked this | Burty117, TechSpot Chancellor, said:

Speakers and microphones are not wireless technology -_- so yeah, the article is correct.

1 person liked this | insect said:

Speakers and microphones are not wireless technology -_- so yeah, the article is correct.

Guess you missed the part about "physical connection". Sound waves are a physical phenomenon.

Skidmarksdeluxe said:

I wonder if the NSA will try it out on their systems.

1 person liked this | spencer said:

Reminds me of the wireless tech built into modern Intel chips and some AMD; this "security feature" allows certain radio signals to activate a computer wirelessly and have full access to the system's hardware, giving those that know the signal (the feds; probably a few hackers and select corps) the ability to plant whatever they want on your drive or (drives). Personally that sounds very scary; of course if the government hates your existence or just wants you gone they have other methods, if not by framing then by the NDAA or Patriot Act.

2 people like this | Guest said:

Absolute tosh! I know nothing about the intricacies, but really? Utter nonsense.. if a "badbios" had been sharing for 2 years to other networks and PCs without anyone knowing it was there, 50% or some crazed random number of all machines would be infected.. scare tactics to increase virus protection software... 4 PCs for the last 5 years that I know of, owned by myself and close friends, have not used any antivirus.. Unless you use "obvious dirty web sites" there ain't much threat.. oh ye and don't open dirty links in emails xD

Guest said:

"It can use the speakers of an infected machine to transmit data through ultrasonic transmissions that is received by the microphone of another infected machine."

"It is platform independent. Windows, OSx, BSD systems have been tested positive so far."

It sure as hell isn't transmitting without an OS and/or internet connection being involved at some point or another. Especially since the OS hands over the (sound) data over to the audio driver which must translate the data in a way that the compatible audio device can understand and then send that data back to the driver + OS after it leaves the device to be translated AGAIN. Can this BIOS VIRUS really translate data from all of these OSes, somehow contain a HYPERVISOR, and do all of the other things it says it can do? Without NEEDING the internet to download these functions? I think not. To me it seems it still needs a fully functioning computer WITH an OS, internet, and some extra space on a HDD/SSD for all those things it's supposedly able to do in order to work.... which most viruses use anyways. Not many viruses infect the BIOS but that's nothing new either. To me, it seems like anyone capable of understanding computers and a basic understanding of networking would notice this. This CAN'T be a small, practically undetectable virus for that matter... not WITH all of those functions. It's really just another BIOS virus that destroys/alters the CMOS as usual but is maybe better at spreading than most CMOS viruses... given the opportunity. The sound idea for data communication was creative for a virus though. Still, both machines must ALREADY be infected in order to communicate the data through sound waves anyways. Now if it could communicate using sound to an uninfected machine, somehow, THAT really would be scary.

2 people like this | cliffordcooley, TechSpot Paladin, said:

Guess you missed the part about "physical connection". Sound waves are a physical phenomenon.

By that line of thought there is no such thing as non-physical violence. And to be honest there is not much difference in sound waves versus radio waves. So by your reasoning Wi-Fi signals are physical connections.

Guest said:

Air gap? I don't think so. Nothing air gapish about moving around a memory stick that is also bootable. Sheesh, nothing strange about this. An air gap defense means nothing at all is connected to the safe machine. Nothing means what it sounds like.

Another way to avoid this completely is to use a BIOS with a read-only jumper. Many have this feature since BIOS viri have been around for a decade.

Guest said:

Sound waves? Not going to happen. There is no way for a sound wave to be translated into program data even if the machine has a mike. That capability does not exist in any computer I have met and I have been programming since 1964 (vacuum tubes).

Guest said:

I find that hard to believe. If you've been programming as long as you say, you are no doubt aware of something called a modem, which translates digital information (1's and 0's) into a waveform that is transmitted through copper wire.

Creating something to transform digital data to audio waves and back again is not out of the realm of possibility. It's the basis of how a microphone connected to your computer works in the first place.

Guest said:

A computer does not have a modem built in. Even if it did it still would not convert the sounds it hears into executable code. If both machines were infected as stated it would be possible to create some noise that could be received by a microphone and converted to code. The rate at which this could be done would probably be limited to a rate of a few hundred bytes per second at best. Computer loudspeakers are not the best in the world. Not only would the rate be very limited but so would the range. Extremely limited in fact. I have done a lot of work with computers at the design level, assembly programming and up from there. That includes some very unusual experimentation with computer modified sound systems and sound sent over lasers.

A software defined radio is not happening at all. They require very special chips to operate.

At age 64 I have one of the very latest computer systems with 8 cores and 32 gigs of RAM with a 760 Nvidia video card. I keep up with everything that is going on. I am also a "specialist" in everything to do with sciences, from biology to astrophysics.

jester376 said:

I think this writer needs to find new sources for his articles. I have conclude with everyone else's answers. Almost everything that this virus says it can do is just literally impossible, and it would hit worldwide by now if it's been ongoing for 2 years.

Guest said:

I will reserve opinion until after Steve Gibson does an analysis. He debunks a lot of panic and theory.

NTAPRO said:

I remember reading about this from Malwarebytes. They questioned the validity of the claims also.

Guest said:

If the virus accesses the mic and speakers of a computer then, yes, of course it could use this to transmit sound and decode it back to data. Very very old technology. However, the speakers and mics in the vast majority of computers can not play back or pick up ultrasonic frequencies (>20 kHz) amongst other issues.

psycros said:

Reminds me of the wireless tech built into modern Intel chips and some AMD; this "security feature" allows certain radio signals to activate a computer wirelessly and have full access to the system's hardware, giving those that know the signal (the feds; probably a few hackers and select corps) the ability to plant whatever they want on your drive or (drives). Personally that sounds very scary; of course if the government hates your existence or just wants you gone they have other methods, if not by framing then by the NDAA or Patriot Act.

This is unquestionably what's going on, assuming there's an iota of truth here. The virus would clearly be Spookware designed to exploit backdoors the industry was forced to include in newer chipsets. This wouldn't be the slightest bit surprising given that our worst fears about the NSA have been confirmed.

Guest said:

That is the most unlikely yet. Computer cases are intentionally designed to NOT emit radio frequency noise so they will not interfere with other radio frequency devices both in the home and in business. Further, hiding such devices on a motherboard is not at all easy, especially when one knows the function of every single device on the board.

The closest they have come is to detect RF emitted by the video signals from the video cables and the monitors. Under ideal conditions it is possible to rebuild the signal to display the image on the screen. That has become far harder to do with the advent of LCD screens. They use far lower power signals so the RF from them is far shorter range.

Guest said:
  • It can use the speakers of an infected machine to transmit data through ultrasonic transmissions that is received by the microphone of another infected machine.

BS. I call Hoax. No way are we technologically advanced enough to send Data through sound waves.

Guest said:

It's November 4th .. Not April 1st ... someone marked the wrong date on the calendar again..

Guest said:

" No way are we technologically advanced enough to send Data through sound waves."

Sarcasm aside there's still the issue of compatibility.

Guest said:

So, it transmits data between two infected computers... Why? They're already infected thru USB, what data needs to be transmitted? Seriously...

Guest said:

I don't think anyone commenting so far really "gets" it. If this exists (and I'd be surprised if it doesn't even if this instance proves to be fake), this isn't your typical spam spewing or ransomware virus. It's more like Stuxnet. It would likely be targeted and very dangerous. And scary.

The point of the sound based communication isn't to infect a non-infected computer, it's to get data off of or on to a computer that was infected via USB, but isn't connected to the internet. If there is another infected computer that IS connected to the internet within range, it can be used to proxy the data. What types of computers are not allowed to have any access to the internet and would require this type of data transmission? Stuff you really don't want the enemy to have access to. Highly sensitive information, power grid control systems, dam control systems, financial trading systems, etc. And since they're not connected to a network, the only way to get data onto or off of these systems would be a removable device like a USB stick.

And it would be damn near undetectable. All communication between your operating system and the computer would be filtered through it. Normally it would just pass this communication unaltered to the real hardware, but it could monitor and alter anything it wanted to (memory access, data from the hard drive, network packets, keystrokes, etc) w/o any software having any way to know that it was there.

It wouldn't have to be very big, roughly the same size as the existing BIOS, even less if it just updates the parts that it wants instead of totally replacing it.

The rate of infection could be massive, and we'd have no clue since it wouldn't have any impact normally. The scariest use of something like this would be a massive cyberattack - either alone or in conjunction with a physical attack. Infected computers that were connected to the internet could be given a date and time for a coordinated attack days or weeks ahead of time. During that time those could use the sound based communication to give this date and time to any infected non-connected computers they come in range of. Only a few bytes of data, easily transmittable. At the specified time, suddenly a significant portion of the computers in the targeted country would either stop working, or would start working against the target. Including some supposedly hardened computers that control critical systems like water, power, manufacturing, traffic control, etc. Bad stuff ensues.

An extension of this could work on systems that aren't equipped w/ a microphone or speaker. Computers in close proximity (say a bunch of servers in a rack) could probably communicate without it. The transmitting computer could send by changing c-states rapidly. The generated EMF could probably be detected by the voltage sensors in nearby servers.

Anyways, I just wanted to counter the people chiming in and saying that it's not possible. It's not only very possible, I'd go so far as to say it's likely. The only questions in my mind are: who is it targeting and what's the current infection rate? Both are questions that we won't know the answers to until it's actually used.

jagdpanzerIV said:

Even an airgap seems to be no protection now, hard to believe this awful thing has happened but if it can then it's the worst computer related thing to happen since the first virus.
