What Can We Learn From badBIOS

As time passes it becomes increasingly likely that we are unlikely to see compelling confirmatory evidence from Dragos Ruiu regarding his claims surrounding the malware he has coined badBIOS. One of his latest tweets begins with the disclaimer “No matter which way things work out with this search” which appears to be a stark contrast to the convincing way he spoke about his discovery just a few weeks earlier.

I’ve mentioned on this blog that malware of the type described is indeed technically plausible. One could produce a piece of traditional Windows malware that pulls the current BIOS image and attaches its own code to the image before reflashing. The small payload could simply ensure persistence in much the same way as the venerable anti-theft solution Computrace which was embedded into laptop BIOS images as an ISA component to assure persistence even if the HDD was replaced or erased. Computrace’s BIOS code had rudimentary NTFS support that allowed it to replace a file that Windows executes on boot (rpcnet.exe) with itself. The original file is renamed and is loaded by the persistence code once it has done its thing. In much the same way a trojan could either include its own code (if it was small enough) or run a small downloader to reinfect the machine. As many PCI devices include option code that the BIOS will execute on boot (e.g. PXE code from a NIC or a RAID controller’s array test code) this could also be a potential means of ensuring your code is executed at boot time.

The most controversial claim that Dragos made was that the malware was able to breach an airgap by using a laptop’s built in microphone and speaker. I have elaborated on this in a previous post and even linked to a functional proof of concept. Suffice to say that using the audio hardware to create a low speed mesh network is indeed possible but may be of low utility as throughput would be limited and the risk of detection would be significant. The latter could be minimized by incorporating some kind of negotiation to test the upper usable frequency of the hardware as high frequency characteristics differ wildly between vendors and are dependent not only on the DAC but also the speakers itself (with ceramic speakers being much more favorable) and vice versa on the receiving end. Another technique would be to first sample the ambient noise in the room. It is possible that while a quiet room would allow for an ideal SNR if stealth is the goal a moderately noisy environment may be more useful to mask the noise generated. By using the system clock and sampling the ambient noise the malware could determine a likely time when the environment is unattended (e.g. if it is 0300 local time and the area has been silent for many hours it is a fair bet everyone has gone home). Using the minimum effective amplitude would also make sense.

The most incredible remark that Ruiu has made was that the malware was cross platform and could spread via a USB thumb drive on both Windows and BSD with the latter occurring even when the device hasn’t even been mounted. While we can speculate that the malware was somehow modifying the flash controller of the infected USB thumb drives to present some kind of string that would exploit the system during USB device enumeration I believe the likelihood of not only this occurring but also of the bug being leveraged to allow some kind of cross platform infection is remote. This appears to be the weakest of his arguments.

If we assume for the sake of this argument that Dragos has misdiagnosed the existence of badBIOS, what can we learn from the experience? Well, certainly the first lesson to any aspiring security researcher would be to organize themselves prior to going public. Our hypothetical researcher should have concrete proof that an issue exists and have elucidated the purpose and origin of the malware. It would also help to have a sample of the malware to share with others. Even if this delays your disclosure by weeks or months, it is imperative that you can successfully defend your findings. Failing to adhere to this advice could be disastrous to your reputation and by extension your future career prospects.

Secondly, if you need external help then there should not be an issue in asking for it. Sometimes a second set of eyes will be able to resolve an issue that an individual could be stuck attempting to understand for an extended period of time. From Ruiu’s public discourse on Google+ and Twitter it appears that he has been sitting on badBIOS for approximately three years. Bringing in the community at an early stage and doing so without poorly researched grandiose claims of a new “advanced persistent threat” (ad nauseum) would be well advised.

My final point is that you can bet that malware authors have been reading all about Ruiu’s allegations regarding badBIOS’s feature set and at least some of them will attempt to emulate some of the traits that Ruiu suggested badBIOS possessed. This means that malware that leverages audio hardware or perhaps ensures its own persistence by appending itself to your current BIOS image (in much the same way as Mebromi) are likely just around the corner. In a way, just speaking about badBIOS will likely bring something similar into existence in the medium term.

We can hope that this has drawn some attention toward some aspects of the PC architecture that really aren’t all that robust. Perhaps the ability to flash a BIOS from within the operating system has seen the end of its useful life. In this day and age where all BIOS setup tools have their own integrated flashing tool with USB support then it would make sense to deprecate and eventually remove the ability to reflash except within setup. Cryptographically signing BIOS updates won’t necessarily mitigate some of the issues we have touched on so long as vendors continue to produce BIOS customization tools for their OEMs that invariably leak or are reverse engineered.

I sincerely hope that Dragos Ruiu’s analysis is at least partially on target, however as time goes by I am becoming increasingly skeptical that we will obtain the evidence that we are looking for to confirm the existence of such an advanced threat. Nevertheless as security professionals we must consider the entire system as a whole to assess its overall security. The ability to reflash the BIOS (and other peripherals that, by extension could allow arbitrary code injection on startup) from within user mode remains a concern of mine that is yet to be fully mitigated.

10 thoughts on “What Can We Learn From badBIOS

  1. Knowing what I know (and he has kids so presumably his physical security isn’t on a sufficient level that protects the comps w/ the malware) it’s still possible. Of course the malware is going to obfuscated. This is what they do, make you look crazy. Why he could be targeted, anyone’s guess. Could be entirely wrong, or could be simply another agent just searching for someone else to reveal their malware…

    I’m so sick of these conspiratorial games, but such is the insecurity and insanity of our world. Ever wonder how many 0-days are found on accident? When I”m done w/ all the projects on my list, this may be another area I check out.

    PS: Your story on s.com makes me madder than all hell.

    • Re my story – it is entirely true. I have spoken to several people who have been subject to the same kind of abuse. Seems like the cops have figured out “ways” in which they can either hold you for a protracted period of time without laying charges and traumatize you at the same time. I remain disgusted at the conduct of these so called police.

      • I do, and I thank you. I really just want it to end and start rebuilding my life back to somewhat normal again…

        It’s basically how awful you would imagine. Anytime you leave a device unattended it will eventually show signs of malware, and it’s done. Cables by your home get obvious “upgrading”. Agents just pop up and get in all aspects of your life if you go out any.

        They were looking for my secrets to either possibly recruit me (never after the treatment they gave me) or steal my methods.

        But there’s yet another revelation that is too damaging if I say I know about. It just cements even more that these people do not care at all about this country and its advancement; instead it can be a hellhole as long as they are on top.

        You have to understand (if you aren’t an agent yourself) just how badly they will wreck your trust and just “pop-up” everywhere…It’s just been a massive waste of money which is still affecting me so they just need their funds cut off.

      • I am not a member of any US federal or domestic law enforcement agency but I am privy to how they go about achieving their said objectives and it is ruthless. I have spoken on s.com about my time working in a major internet exchange point and the evidence I found there that indicated mass surveillance and that was well before either the Snowden disclosures or the hoohah in San Fran about the “secret” room.

        I would suggest that you don’t buy into the paranoia even though I can understand why that would be a natural response. The end game is likely to get you committed to a psych facility. Clearly you have either said or done something to make them believe you’re a threat because these kinds or ops take time and lots of money.

  2. I would like to physically verify these claims if possible; I can make myself totally open b/c of all the violations that I have no problems doing so at this time.

    I’m kind of curious how you knew Julian Assange.

    That’s what gets me, why they used all these resources on me; it doesn’t make sense besides trying to trump up a reason for their existence. I’m not special besides what they thought from a prior analysis or I got the attention of someone…They probably wanted to push me to actually kill someone b/c I see few other reasons. The amount of attacks launched is just unreal, and the amount of sloppiness as it went on was wayyy too obvious. These agents (I don’t know if they knew or not) were basically trying to bait me to kill them. They collect intel from cables in my neighborhood from cables that I said were compromised. Also, they compromised WIFI and waited for all member of my family to go to work or school and break in the home.

    • Proving it is going to be difficult.

      Re Assange – he used to run a BBS in Australia back in the late 90s, early 2000s. I met him at a Unix conference over there. He didn’t strike me as a very nice guy. Kinda arrogant.

      Re tracking access to your home, have you considered something very low tech and perhaps use some UV powdered dye around points of ingress. If you find the dye inside then you know that they have gained access and can narrow down how they’ve got in.

  3. Yeah I’ve thought of a lot of things. I still use doors so how would I know which is which? It happens sporadically. I’m sick of living my life like this and I don’t want to think about gov’t agents continuing to abuse me when I’m trying to focus on engineering.

    • … the best advice I can give you is try to ignore it. Given that you’ve established that they are likely trying to either send you insane or provoke you into a criminal act…

  4. Yeah well some of them have moved on which means they’re going to attack new victims and not be brought to justice. I very nearly did something that I was going to really regret b/c this needs to stop now; I ran the line and got further confirmation of my worst fears. Agents moved in the neighborhood. The police and courts aren’t protecting me and they may peddle some great advice like sh*t my pants and cry.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s