Reports Emerge Of Low Level Malware With Novel Vector

Security researcher Dragos Ruiu has revealed that he has encountered malware which purportedly can infect PCs running different operating systems. One of his statements says that it infected a BSD system without the infected media even being mounted. If this is true and the malware is somehow bypassing the OS and using the hardware itself (e.g. directly infecting the BIOS, by mechanisms as yet undetermined), then we will quite possibly have an incredible new emerging threat to all x86 users. Granted, this could be a hoax, but as the number of people in the community who report this is genuine grows, so does my fear that this is genuine.

We have postulated for years that malware could directly target the underlying hardware or device firmware, but there haven’t been many examples of such malware seen in the wild. This is different from firmware that reflashes the BIOS to either render the computer unbootable (CIH/Chernobyl), create a persistent infection by using a module that replaces a file executed on boot with itself and then chainloads the real executable (à la Computrace’s computer theft solution that was on many Dell laptops), or create a virtualized environment (the much talked about “Blue Pill”) with the malware acting as a hypervisor. None of these previous scenarios is nearly as scary, because the vectors they use are traditional: one needed to execute compromised code by, say, clicking on an evil attachment or inserting a disk with an evil executable set to autorun.

Dragos writes on his Facebook page:

Infected systems seem to reprogram the flash controllers on USB sticks (and cd drives, more on that later) to attack the system (bios?). There are only like ten different kinds of flash controllers used in all the different brands of memory sticks and all of them are reprogrammable, so writing a generic attack is totally feasible. Coincidentally the only sites I’ve found with flash controller reset software, are .ru sites, and seem to 404 on infected systems.

I believe that what Dragos now refers to as #badBIOS is the same malware that he spoke of about two weeks ago, labelling it as BIOS SDR. He spoke of the latter as being able to use the sound card as an SDR to breach an air gap. Sounds like crazy conspiracy theorist stuff, I know, but the guy has credibility (Pwn2Own was his creation).

A post on the excellent blog kabelmast summarizes what Dragos has revealed so far. Also of interest will be Dragos’ Twitter page, where he has posted a sample of some mysterious files which were modified on an infected system. I have not yet had a chance to look at these files, so I cannot comment on their contents or the veracity of these reports.

This has also hit Reddit, so no doubt people will be scratching their heads. Given that this is likely using the thumb drive’s flash controller to somehow gain access to the BIOS, software samples aren’t very useful, as we don’t get to see the actual dropper. Someone needs to analyze the firmware of the controller, and it appears that Dragos is now speaking of auctioning infected devices, so it is unlikely that this particular goat is going to get his hands on a physical sample of an evil flash drive any time soon.

If confirmed, I don’t think the vector is all that surprising. We have seen flash controller firmware, uh, reflashed before – for example by eBay bad guys who purchase tiny sticks and write firmware that falsifies the size reported. I guess if one found a way to inject code into the BIOS somehow (buffer overrun?) then this would be the natural next step.
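The falsified-size trick mentioned above is one case of reflashed controller firmware that can be caught without reading the firmware at all: fill the advertised space with per-block markers and read everything back. The sketch below is an added example, not code from this post or from Dragos; `SimulatedStick`, its wrap-around behaviour and the seed are constructed assumptions standing in for a real stick.

```python
import hashlib

BLOCK_SIZE = 512  # bytes; constructed value for this model


def marker(seed: bytes, index: int) -> bytes:
    """Block-sized pattern unique to (seed, index), so a misplaced block is detectable."""
    digest = hashlib.sha256(seed + index.to_bytes(8, "big")).digest()
    return digest * (BLOCK_SIZE // len(digest))


class SimulatedStick:
    """Constructed model: advertises `advertised` blocks, physically stores `real`.

    Assumption: addresses past the real size wrap modulo the real size.
    """

    def __init__(self, advertised: int, real: int):
        self.advertised_blocks = advertised
        self._store = [bytes(BLOCK_SIZE)] * real

    def write_block(self, index: int, data: bytes) -> None:
        self._store[index % len(self._store)] = data

    def read_block(self, index: int) -> bytes:
        return self._store[index % len(self._store)]


def verified_blocks(dev, seed: bytes = b"constructed-seed") -> int:
    """Fill the advertised space, then read it all back; count blocks that survived."""
    for i in range(dev.advertised_blocks):
        dev.write_block(i, marker(seed, i))
    return sum(
        dev.read_block(i) == marker(seed, i) for i in range(dev.advertised_blocks)
    )


def report(dev) -> str:
    good = verified_blocks(dev)
    if good == dev.advertised_blocks:
        return f"OK: all {good} blocks verified"
    return f"MISMATCH: advertised {dev.advertised_blocks} blocks, only {good} verified"


if __name__ == "__main__":
    print(report(SimulatedStick(advertised=4096, real=4096)))  # honest stick
    print(report(SimulatedStick(advertised=4096, real=512)))   # falsified size
```

The write pass must finish before any read-back, otherwise a wrapping controller still holds the block just written and every check passes. Run against real media, the same procedure overwrites every block on the device.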
