#badBIOS Malware May Utilize TTF Exploit

The #badBIOS malware that Dragos Ruiu is currently analyzing allegedly modifies TrueType font files on compromised systems. Obviously the “evil thumb drives” that infect the machines use some kind of exploit that allows low-level access. This likely occurs during USB device enumeration. Once on the system, TTF files are modified (amongst many other things). No doubt this is one way that the malware can execute its payload, which likely ensures that any thumb drives inserted into the machine from that point on have their firmware reflashed so that the malware continues to spread.

Microsoft released a security bulletin (MS13-081) on October 8 that mentioned a vulnerability in TTF handling that may allow arbitrary code to be executed, stating that:

“The security update addresses these vulnerabilities by correcting the way that Windows handles specially crafted OpenType Font files and specially crafted TrueType Font (TTF) files, and by correcting the way that Windows handles objects in memory.”

No doubt, until further information is released by Ruiu, I cannot conclusively verify any of the information presented.

UPDATE: Mircea over at Trilema seems to believe that this is all bunk. At this point it is difficult to say conclusively, but as they say, extraordinary claims require extraordinary evidence.

2 thoughts on “#badBIOS Malware May Utilize TTF Exploit”

  1. The only reason I have to doubt his claims is the claim that he made regarding the virus spreading to an airgapped system via radio waves. That’s rather outlandish although technically possible.

    • Yeah, I feel the same way. If this was a random guy making these claims I would laugh it off, but given he is reasonably well known (he’s no Bruce or Moxie but nevertheless he isn’t an unknown) I guess I will wait and see.

      If true, it will be very interesting, as he claimed the laptop has been infected for some time (i.e. like a year), so the malware we see could be an old sample. Which means it’s been in the wild with nobody noticing until now.
