A graduate seminar: current topics in computer security
 

badBIOS, Mysterious Malware that Jumps Airgaps. Is This Real Malware or a Myth?

Security researcher Dragos Ruiu claimed that three years ago he noticed strange behavior on one of his MacBook Air machines. The machine mysteriously updated its UEFI firmware even after he installed a fresh copy of the OS. Ruiu initially noticed that data was being deleted and added on the infected machine, and when he tried to boot the OS from a CD, the option was disabled. He reported that a BSD machine in his lab showed the same signs of infection. After three years of investigation he concluded that the machine was infected with a sophisticated and unusual malware.

Ruiu started monitoring his network traffic and noticed that small amounts of data were being transmitted to and from IPv6 addresses, including on machines with IPv6 disabled. As part of his investigation he added Windows and Linux machines to his experiment. He reported that the malware infected all of the machines regardless of their OS and model.

The infection appeared to be delivered to the boot firmware (BIOS or UEFI) by a USB rootkit carried on a rogue USB stick.

The most interesting observation reported by Ruiu was that when he disconnected the machines from the network, unplugged the Ethernet cable and disabled the Wi-Fi, the machines continued to transmit data. Ruiu claimed that the machines used high-frequency audio transmission between the speakers and microphones of two machines to bridge the air gap (the absence of any wired or wireless network connection between them). According to some researchers, this behavior is theoretically possible. However, Ruiu never confirmed whether the reported behavior was caused by the malware or by some other system side effect. In addition, some researchers believe that it is impossible to transmit enough data to perform a malware update over the limited bandwidth such an acoustic channel provides.

Although BIOS-based malware is not new, malware that can infect boot firmware regardless of the manufacturer has never been reported. This level of sophistication would require polymorphic code intelligent enough to identify the hardware maker and tailor the infection to it. If this malware is proven to be real, it would be a major technical advancement in malware creation.

No malware sample has yet been provided by Ruiu to the security community for peer review and reverse engineering.

http://www.dfinews.com/news/2013/11/badbios-mysterious-malware-jumps-airgaps?et_cid=3578430&et_rid=454848423&location=top#.Ungb8ZTwLp0

http://www.infoworld.com/t/malware/badbios-next-gen-malware-or-digital-myth-230047

 

 
