APT or fANTasy: The Strange Story of BadBIOS

Yesterday over on Veracode’s blog I wrote about the ongoing saga of “BadBIOS” – a piece of malicious software that might be the most sophisticated virus ever written, or a figment of the imagination of Dragos Ruiu, the esteemed security researcher who says he discovered it on systems he owned.

Is BadBIOS the most sophisticated malware ever – or a figment of someone’s imagination?

The story of BadBIOS reads like something out of science fiction. Ruiu has described it in interviews and blog posts as BIOS-based malware that can back door systems running a variety of operating systems – OS X, Windows and even OpenBSD. But it’s also described as an ephemeral kind of ‘we-don’t-know-what,’ that can’t be isolated or analyzed. One Twitter follower of Ruiu’s suggested designating it a “heisenbug” which he defined as “a software bug that seems to disappear or alter its behavior when one attempts to study it.”

That would be funny if this weren’t deadly serious. For, really, one of two things is going on. The first is that Ruiu is correct in his analysis of BadBIOS. If that’s true, he’s discovered a totally new type of malware, the sophistication of which makes Stuxnet look like Brain – the first widespread boot sector virus, which cropped up in the mid 1980s. Besides being a BIOS-based malicious program that infects systems at a level beneath the operating system (not unheard of, but pretty unusual), BadBIOS is capable of surviving a BIOS refresh – even on air-gapped systems that aren’t connected to anything. How? Ruiu claims that BadBIOS can communicate with other BadBIOS-infected hosts using high-frequency sound waves transmitted over the infected systems’ speakers and microphones.

The second is that there is no BadBIOS – that Ruiu is chasing ghosts in the machine(s). In that case, the random “chunks” of data Ruiu is seeing emitted from “infected” systems are just that – inconsequential hiccups produced by complex machines, or explainable and legitimate (if poorly documented) features specific to the given system. The initial analysis of an “infected” BIOS dump by one noted researcher suggests the latter.

Experts whose job it is to analyze malware and break into systems have voiced skepticism. “PCAP, or it didn’t happen,” one quipped in a private email, referring to the packet capture tools that are used to monitor the output of infected systems.

But who knows – Ruiu could be on to something. And even if he isn’t on to something with BadBIOS, he could still be “on to something” in the long run: his flights of fancy providing a window into how advanced attacks might work two or 10 or 20 years hence.

Check out my full blog post here.
