badBIOS, a Bad-To-The-Bone, Halloween Malware

"Our forensic procedures are weak when faced with challenges like this"

As a cyber security enthusiast, I like to think I know a thing or two about staying safe from viral threats. But no article could have been a more frighteningly fitting Halloween post for Ars Technica, even for me. The article tells the story of Dragos Ruiu, the security researcher behind the Pwn2Own hacking competition, who three years ago stumbled upon malware that took over a clean install of OS X on his MacBook Air. He was subsequently unable to boot from CD, and found the machine deleting data and reverting configuration changes without prompting. This is where it gets freaky. The infection spread to machines with no traditional access point at all: no network connection, no power cable (running on battery), a fresh install, and no connection to any infected machine.

Yet the new machine was infected almost immediately. Two eerie propagation methods are suspected at this point. The first is a low-level firmware attack that infects the host when an infected flash drive is plugged in, even if the drive is never mounted: the host negotiates with the drive's controller long before any filesystem is touched, so "just don't open anything on it" is no protection. The second, straight out of science fiction, is high-frequency audio played through an infected computer's speakers and picked up by the microphones of other computers within earshot. That's right: a machine that is completely off the grid can allegedly be reached if it has a microphone (and speakers, to answer back) and sits within hearing range of an infected one. Even as reported, the audio link was inferred rather than captured: Ruiu saw the traffic and the high-frequency output, and whether sound carries the initial infection or only command-and-control chatter between machines already compromised through USB was not established.

While this certainly sounds far-fetched, Ars Technica did its homework and found no reason to doubt Ruiu's honesty. "Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest," security researcher Arrigo Triulzi told Ars. "Nothing of what he describes is science fiction taken individually, but we have not seen it in the wild ever." Triulzi notes in the article that low-level firmware attacks similar to the flash-drive vector have been demonstrated in laboratory settings, and that early networking ran over sound: an acoustic modem is nothing more than data encoded as tones, and a sound card can do the same thing above the range most people can hear.
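To make the acoustic channel from the two paragraphs above concrete, here is an added illustration in Python. It is not code from the Ars article, from Ruiu, or from any badBIOS sample (none has ever been published), and every parameter in it is an assumption: a 48 kHz sound card, 2-FSK carriers at 18.5 and 19.5 kHz, 100 bits per second. It shows a transmitter, a Goertzel-filter receiver that recovers the bytes through simulated room noise, and the check a defender would want: a scan that flags recordings whose near-ultrasonic band out-powers the audible band. What it demonstrates is only that such a channel is physically cheap to build, not that badBIOS used one.

```python
"""
Toy model of the acoustic channel described in the badBIOS story: bytes go out
as near-ultrasonic 2-FSK tone bursts, come back through a Goertzel filter, and
a defender-side check flags recordings dominated by the 17-22 kHz band.
Constructed example; no real badBIOS code is known or used, and every
parameter below is an assumption.
"""
import math
import random

SAMPLE_RATE = 48_000          # Hz: what ordinary laptop audio hardware supports (assumed)
F_ZERO = 18_500               # Hz: tone for a 0 bit, above most adults' hearing (assumed)
F_ONE = 19_500                # Hz: tone for a 1 bit (assumed)
BAUD = 100                    # bits/s: slow, but plenty for beaconing or short commands
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 480 samples = a whole number of cycles of both tones


def bytes_to_bits(data: bytes):
    """MSB-first bit stream of a byte string."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(data: bytes, amplitude: float = 0.3):
    """Transmitter: one phase-continuous tone burst per bit (2-FSK), samples in [-1, 1]."""
    samples, phase = [], 0.0
    for bit in bytes_to_bits(data):
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(amplitude * math.sin(phase))
            phase += step          # continuous phase: no clicks at bit boundaries
    return samples


def goertzel_power(block, freq):
    """Squared magnitude of a single DFT bin (Goertzel algorithm): cheaper than a full FFT."""
    n = len(block)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Receiver: per bit period, pick the tone carrying more power. Assumes the recording
    starts on a bit boundary; a real receiver would need a preamble to find the timing."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(block, F_ONE) > goertzel_power(block, F_ZERO) else 0)
    return bits_to_bytes(bits)


def add_noise(samples, sigma: float = 0.2, seed: int = 1):
    """Stand-in for the room: additive white Gaussian noise (constructed, deterministic)."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def benign_tone(freq: int = 1_000, seconds: float = 1.0, amplitude: float = 0.3):
    """Constructed 'normal' audio: an audible tone plus room noise."""
    n = int(SAMPLE_RATE * seconds)
    return add_noise([amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)])


def ultrasonic_fraction(samples, block_len: int = 4_800):
    """Defender's check: fraction of 0.1 s blocks whose strongest 17-22 kHz bin out-powers
    the strongest 0.5-8 kHz bin. Speech and music almost never do this; the FSK beacon
    above does it in every block. The coarse 500 Hz comb suits this toy; a production
    detector should use a windowed FFT so a carrier between comb teeth cannot slip through."""
    high_band = range(17_000, 22_001, 500)
    low_band = range(500, 8_001, 500)
    flagged = total = 0
    for start in range(0, len(samples) - block_len + 1, block_len):
        block = samples[start:start + block_len]
        hp = max(goertzel_power(block, f) for f in high_band)
        lp = max(goertzel_power(block, f) for f in low_band)
        total += 1
        flagged += hp > lp
    return flagged / total if total else 0.0


if __name__ == "__main__":
    over_the_air = add_noise(modulate(b"badBIOS?"))
    print("decoded:", demodulate(over_the_air))
    print("beacon flagged in", ultrasonic_fraction(over_the_air), "of blocks")
    print("benign audio flagged in", ultrasonic_fraction(benign_tone()), "of blocks")
```

At 100 baud the channel moves a few bytes per second, which is useless for shipping a payload but ample for a beacon or a short command, which is exactly the command-and-control role the audio was suspected of playing. The detector is the part worth keeping: recording a few seconds from the suspect machine's neighbourhood and looking for sustained energy above 17 kHz is a cheap first check, and it needs no trust in the suspect machine's own software.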

The unknowns are the most disturbing piece of the puzzle. Why waste the most important zero-day exploit since Stuxnet on a security professional with no obvious value as a target, and one capable of working out what is going on? It has certainly captured my interest, and I hope we learn enough about it before it is aimed at a high-profile target. A piece of malware that refuses to die is an interesting academic problem; it becomes a cause for panic once it is used to deliver something more dangerous. badBIOS may be the delivery mechanism, but the future payload may truly be the stuff of nightmares.

Happy Halloween to my Security Colleagues!

~PL

Posted in IT, Science, Security.
