General Discussion
Malware that can survive hard disk wipes, BIOS flashes, even communicate over airgaps. Meet badBIOS.
This particular piece of malicious code won't just pwn your operating system. It'll put itself into your machine's BIOS and UEFI firmware. It'll do this when you do absolutely nothing more than plug a USB flash drive with the code into your system. It'll infect PCs and Macs, and even did shenanigans on a system running FreeBSD. Even if you unplug your Wi-Fi, your Bluetooth, and your hard Ethernet connections, so your system's completely isolated (airgapped), it can communicate with other infected systems using high-pitched sounds over your speakers, and listening with your microphone. If you try to nuke and reinstall, it'll block you from booting from your CD or DVD drive. If you succeed in wiping your hard drive, it comes back.
This is the Malware from Hell.
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.
"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did. It was a very painful exercise. I've been suspicious of stuff around here ever since."
In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that's able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine's inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.
I wonder if a three-letter agency is responsible for this. Building this kind of malware takes talent.
Katashi_itto (10,175 posts)
backscatter712 (26,355 posts)
(26,355 posts)The trojans always activate first. Then the basestars jump into Colonial space and launch their missiles. Before long, it'll be the end of the Twelve Colonies!
Katashi_itto (10,175 posts)
Desert805 (392 posts)
Recursion (56,582 posts)
That's the operating system equivalent of the survivalist with a tinfoil hat and a safe full of AR-15s in his off-the-grid cabin in Montana.
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed
My first thought was "Halloween prank story". But then I remembered most computers now have infrared transmitters and receivers for multimedia remotes...
joshcryer (62,265 posts)
Which is actually quite nifty since the laptop has a sound card and mic.
Surreal.
Recursion (56,582 posts)
But that required having a CRT...
NYC_SKP (68,644 posts)
Unless they were playing with such a thing and got "lucky", meaning they stumbled upon it.
But nobody that isn't pure evil would make such a thing on purpose, something that would shut down commerce, etc.
This takes a Ted K Unabomber kind of mentality.
Recursion (56,582 posts)
"When shown the (leaked PowerPoint slide and note) by The Post and asked for comment, two engineers with close ties to Google responded with strings of profanity."
No they are not too inept.
backscatter712 (26,355 posts)
They can certainly cook something like this up.
Buddha_of_Wisdom (373 posts)
Thought I came across one, but it turned out the client had screwed around with some settings that shouldn't be touched, and basically used Syskey encryption to the point where I had to reinstall XP (yes, he was running XP, which made resetting the passwords impossible) on top of the screwup, and got him up and running shortly thereafter.
So I'd like to stay ahead of that ransomware and defeat it after others couldn't - so I can get in some business. Again.
backscatter712 (26,355 posts)
Last edited Thu Oct 31, 2013, 11:42 PM
Cryptolocker encrypts your files using 2048-bit RSA encryption, and the decryption key's stored on a remote server - and they're happy to send you the key, if you send them the ransom.
Unless there's a bad implementation of the crypto, I'd say anyone hit with this malware is SOL. Hope they've got backups.
Yavin4 (35,421 posts)
Maybe we need condoms for USB flash drives.
backscatter712 (26,355 posts)
It operates at a very low level, close to the bare iron.
When you stick an infected USB flash drive in your system, the PC's USB subsystem detects a new device and says "Hello, who are you?" The flash drive is supposed to respond with "Hello, I'm a USB flash drive," so the USB subsystem can get instructions from Windows (or Mac OS X or Linux or FreeBSD) that say "OK, you set this device up as a filesystem, so the user can access the files on the drive."
Except that in this step, the USB flash drive, instead of saying "Hello, I'm a USB flash drive," says "Hello, I'm a USB fla...bhads;hjgtewfuhtg3r q9tj-7fs 3j79g h7yt4fn7t4h8gfrh8ghtrfd", where that last string is a hackerly trick called a buffer overrun attack. If the system's vulnerable to such attacks, the buffer overrun will blow through the end of the piece of memory that the USB subsystem's using to pick up and store messages from the USB key, go way past that, and overwrite some code on the stack that points to executable code, so that instead it points to malware code.
Boom, your USB subsystem has just been hijacked, in a subroutine that's executing down in the BIOS, not up in Windows, and from there it plants its seeds in strategic places in your system.
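The scenario in the post above, as an added example that is not part of this thread and is not badBIOS code (which has never been published): a USB string descriptor begins with a device-supplied `bLength` byte, and a host stack that uses that byte as its copy length into a fixed buffer is the "says it's a flash drive, then keeps talking" bug described. The parser, the 32-byte name buffer, the simulated stack frame and the two descriptors are all constructed for illustration; the frame is modelled as one flat byte array so the out-of-bounds write stays inside an object and the demo runs without crashing. The hardened version shows the two checks a practitioner wants: the claimed length must not exceed what the host actually received, and the copy must be clamped to the destination.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* USB string descriptor layout (USB 2.0 spec, section 9.6.7):
 *   bLength, bDescriptorType (0x03), then UTF-16LE characters.
 * The device writes bLength itself, so a host stack must never trust it
 * as a copy length into a fixed-size buffer. */
#define USB_DT_STRING    0x03
#define PRODUCT_NAME_CAP 32      /* hypothetical fixed buffer in a firmware stack */

/* Vulnerable parser: copies (bLength - 2) payload bytes, trusting the device.
 * Returns bytes written so the caller can see how far the copy went. */
size_t parse_string_desc_vuln(const uint8_t *desc, uint8_t *out)
{
    uint8_t n = desc[0] - 2;        /* also wraps to 255 when bLength < 2 */
    memcpy(out, desc + 2, n);
    return n;
}

/* Hardened parser: validates the header against what was actually received
 * and clamps the copy to the destination capacity. Returns -1 on reject. */
int parse_string_desc_safe(const uint8_t *desc, size_t received,
                           uint8_t *out, size_t out_cap)
{
    if (received < 2 || out_cap == 0) return -1;
    uint8_t blen = desc[0];
    if (blen < 2 || blen > received) return -1;   /* claims more than was sent */
    if (desc[1] != USB_DT_STRING) return -1;
    size_t n = blen - 2;
    if (n > out_cap) n = out_cap;                  /* truncate, never overflow */
    memcpy(out, desc + 2, n);
    return (int)n;
}

/* Simulated stack frame (constructed): the name buffer followed by a
 * 4-byte marker standing in for a saved pointer the overflow would clobber. */
#define FRAME_SIZE 512
#define CANARY_OFF PRODUCT_NAME_CAP
static const uint8_t CANARY[4] = {0xDE, 0xAD, 0xBE, 0xEF};
static uint8_t g_frame[FRAME_SIZE];

static void frame_init(void)
{
    memset(g_frame, 0, FRAME_SIZE);
    memcpy(g_frame + CANARY_OFF, CANARY, sizeof CANARY);
}

/* 1 if the bytes after the name buffer survived, 0 if they were overwritten. */
static int frame_intact(void)
{
    return memcmp(g_frame + CANARY_OFF, CANARY, sizeof CANARY) == 0;
}

/* Constructed descriptors, not captured from real hardware. */
/* Benign: "Flash" as UTF-16LE, bLength = 2 + 10 = 12. */
static const uint8_t BENIGN_DESC[12] = {
    12, USB_DT_STRING, 'F',0, 'l',0, 'a',0, 's',0, 'h',0
};
/* Malicious: bLength = 0xFF with 253 filler bytes behind the header. */
static uint8_t malicious_desc[255];

const uint8_t *make_malicious_desc(void)
{
    malicious_desc[0] = 0xFF;
    malicious_desc[1] = USB_DT_STRING;
    memset(malicious_desc + 2, 'A', sizeof malicious_desc - 2);
    return malicious_desc;
}

/* Run one parser over one descriptor; return 1 if the frame survived. */
int demo_vuln(const uint8_t *desc)
{
    frame_init();
    parse_string_desc_vuln(desc, g_frame);
    return frame_intact();
}

int demo_safe(const uint8_t *desc, size_t received)
{
    frame_init();
    int r = parse_string_desc_safe(desc, received, g_frame, PRODUCT_NAME_CAP);
    return r >= 0 && frame_intact();
}

int main(void)
{
    printf("benign descriptor, vulnerable parser : frame %s\n",
           demo_vuln(BENIGN_DESC) ? "intact" : "CLOBBERED");
    printf("malicious descriptor, vulnerable     : frame %s\n",
           demo_vuln(make_malicious_desc()) ? "intact" : "CLOBBERED");
    printf("malicious descriptor, hardened       : frame %s\n",
           demo_safe(make_malicious_desc(), sizeof malicious_desc) ? "intact" : "CLOBBERED");
    printf("short receive (claims 255, got 8)    : %s\n",
           parse_string_desc_safe(make_malicious_desc(), 8, g_frame, PRODUCT_NAME_CAP) < 0
               ? "rejected" : "accepted");
    return 0;
}
```

The benign descriptor leaves the marker intact under both parsers; the oversized one overwrites it under the trusting parser and is silently truncated to 32 bytes by the hardened one. The `received` check matters on its own: a device can also send fewer bytes than `bLength` claims, and a parser that reads to `bLength` then copies uninitialised or stale buffer contents.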
Egnever (21,506 posts)
Strikes me as odd that only one guy has seen this. All of the comments from security professionals taking it seriously, though, worry me.
Sounds unbelievable. Will definitely be keeping an eye on this.
joshcryer (62,265 posts)
So he may be coming to the wrong conclusions about the data being transmitted by sound, but if what he said was correct, that is the only explanation I can come up with. He said he unplugged everything else.
It's an incredible find if so. NSA level stuff.
edit: He'll be revealing what he found at CanSecWest next week according to this article: http://blog.erratasec.com/2013/10/badbios-features-explained.html
grantcart (53,061 posts)
Everybody start making your monthly payments to Cyberdyne Systems.