Is BadBIOS the mother of all malware?

The unfolding story surrounding BadBIOS has security experts at odds as to what is really happening and whether it even exists. If it does, it’s a doozy.
 

BadBIOS is supposed to have been first observed three years ago on a Macbook. It attacks the system at firmware level so you can’t get rid of it by rebooting or disabling it. And, you can’t reboot your system from a CD if you get it so, that takes care of one avenue for remedy.

The claim is that it can jump from Windows PCs to Macs to OpenBSD systems, which makes it quite lethal. One of the more outstanding claims is that is that it can spread through something called Software Defined Radio (SDR) even when you are not on a wireless network, using the speakers of a bad system to spread through the microphone of a clean system. It’s kind of like the Malware Whisperer. Your system can also get it from USB sticks and it should be neigh on impossible to remove from the USB stick, which will work quite nicely on an infected system.

According to the boffins at Sophos, who know a thing or two about this stuff:

   

There isn’t an obvious threat to everyone (like there was with Stuxnet, even before we knew its inner purpose); it doesn’t seem to be spreading in the wild (like Stuxnet was, despite having a specific target); and there are plenty of clear and present threats we can usefully concern ourselves with in the interim.

So that’s about that for now, I’m afraid – it’s a question of watching and waiting.

NB. It’s possible, of course, that this is an elaborate hoax, intended as a combined publicity exercise and social engineering experiment that will be wrapped up at PacSec. If so, expect it to be aimed at outing anyone who jumped to detailed conclusions without having the details to go on!

   

Phillip Jaenke is more sanguine on the issue:

 

Is it possible? Yes. In theory it is possible to release an extremely resilient and resistant BIOS level piece of malware. It also would only ever infect one specific machine ever, period. It also would not be even remotely capable of escaping detection using basic diagnostic techniques. Not even advanced security techniques; just basic BIOS diagnostics. Anyone who can follow a guide on updating the Intel RSTe OROM (about half the Internet) could compare dumps and instantly spot it.

So what do I think? I think that A) a number of security experts flapping their gums are good at security and know nothing about how hardware works and B) it’s absolutely not a BIOS/Firmware level piece of malware. There are far, far too many blatant and obvious detection points. There is no way it could hop from Apple to PC, or even PC to PC or Macbook 2013 to Macbook 2011. (Forget Macbook to Mac Pro.)

I’m not saying that UEFI or BIOS is secure – I’ll get to that in another post – but I am saying that calling it badBIOS is wrong.  It’s absolutely not. Either it is an extremely limited piece of BIOS malware or it is occurring at the OS and escaping detection through previously unknown methods. Half the claims made regarding what it does (disabling registry editing, etc.) are so far from reasonable and possible with the BIOS it makes me facepalm. Point blank, these things are absolutely not possible, period. This is something going on at the OS level, the end.

 

All this is the result of the findings of Dragos Ruiu on Twitter. Rulu, a security analyst, and is recognized internationally fas the organizer of CanSecWest and the PacSec conference. He is also the founder of Pwn2Own, a well known hacking competition. PacSec is being held in Tokyo on November 13-14. There may be more information available at the conference, but in the meantime, Rulu is claiming to rise to the challenge of skeptics like Sophos by offering to provide