© Copyright 2013 Critical Watch

badBIOS: Weapons-grade Malware

By Jesper "JJ" Jurcenoks, November 11, 2013

Director of Research, Jesper Jurcenoks explains badBIOS on the whiteboard

badBIOS: facts, speculations and misunderstandings

First there was Stuxnet, then there was FLAME; the latest weapons-grade malware is badBIOS, accidentally discovered by Dragos Ruiu 3 years ago. More on the discovery in section 2.

Reverse engineering the specs for badBIOS

Imagine you are a General at a national intelligence agency: what would your specs for the next cyber spy tool look like?

  1. Build on available technology - can't wait for new breakthroughs (no magic)
  2. Undetectable by anti-virus
  3. Stealth - undetectable by forensic investigation
  4. Able to withstand normal disinfection methods like reinstalling the OS
  5. Calling home should go undetected by data leak prevention and IPS/IDS
  6. Able to penetrate the most secure computers, even those with an air gap (no connection to the internet)
  7. Data extraction, command and control, even across an air gap

Is the badBIOS technology even available?

As a top malware engineer, how would you solve a task like this?

  1. Employ technology available in 2010.
  2. Undetectable by anti-virus - this one is easy: most viruses go undetected until they are specifically submitted to AV researchers. I recently covered how to hide malware from AV [1].
  3. Stealth: rootkits routinely intercept system calls such as process enumeration and file access so that the rootkit cannot be detected from within the infected system [2]. Rootkits routinely disable or modify antivirus software to avoid detection [2]. Rootkits have been demonstrated that turn the operating system into a virtual machine running inside the rootkit's hypervisor [3], making detection from within the compromised OS virtually impossible. The forensic investigator's ultimate tool is removing the hard drive, plugging it into another machine as a secondary data drive, and then carefully reading the data on the disk from a non-infected computer - but as I wrote a few months back, even this can be prevented: by infecting the firmware on the hard drive it is possible to serve only non-infected data via the SATA interface [4].
  4. Withstand simple disinfection: no problem. Viruses routinely infect many parts of the OS so that even if several items are found and removed, the remaining infections reinfect the entire system. Withstanding a complete hard disk wipe and OS reinstall is not very common, but:
    1. technology has existed since 2009 whereby an infection of the BIOS was able to reinfect the OS upon reinstallation [5],
    2. a virus executing in the video card's graphics processing unit (GPU) [6],
    3. infection from the network card [7],
    4. rootkit persistence via the Extensible Firmware Interface (EFI) since 2007, with details of a Mac exploit [25].
  5. Hiding covert command and control channels among benign traffic is a routine exercise for rootkit authors; security researchers have been trying to fight it for years. Originally this happened on IRC channels, but today the traffic is hidden in HTTP, SMTP [8] and even DNS traffic [9].
  6. So how do you infect a computer that is not connected to the Internet? When I reverse engineered my first virus in 1988 the infection vector was the boot sector of a floppy disk; data was exchanged via removable media that was walked from one computer to another (the so-called sneakernet). Today's sneakernets use USB drives, a much more sophisticated device than a floppy disk. USB drives contain their own small CPU that can be programmed; this explains how your new wireless USB modem can automatically switch between presenting itself as a USB drive containing drivers and as the USB modem that talks to your phone company. Instructions for hacking the USB stick to do all kinds of nasty tricks are freely available on the internet [10]; only about 10 different chipsets exist, so covering most or all of them is not impossible. Infecting a host machine via the USB interface requires that vulnerabilities exist in common USB drivers - in reality they are abundant, since USB driver authors erroneously tend to treat USB signaling as trusted input [11][12].
  7. Jumping the air gap with continuous real-time communication (which is required for command and control) is the hardest part for most people to imagine. Bluetooth has been suggested but was not very common on computers 3 years ago. Sound cards, on the other hand, are standard on almost all computers, and most OEM implementations are based on Realtek's design, meaning once you support Realtek you are virtually done. Using sound waves to transmit data has been around forever, as seen in the 1983 movie WarGames, but until the middle of October 2013 no one had publicly speculated that ultrasound could be used to jump an air gap for rootkit command and control. Once the idea was out, proofs of concept were quickly developed by the security community [17] - even transmitting data to another room via a hallway [13].

badBIOS Detection and symptoms

badBIOS initial infection

In 2010, in the weeks before his PacSec conference, Dragos was installing 2 new Apple systems, one at a customer's site and one in his office, when he noticed that the one in the office performed a firmware upgrade on its own. Having two identical systems made it possible to spot the differences between them: files on the infected system had changed compared to the reference system. Any attempt to reflash the BIOS on the Mac, or to perform any other deep forensics, was prevented because the infected computer refused to boot from CD-ROM. With his major conference taking all his attention, Dragos decided to just wipe all the systems and move on. Little did he know at the time that the infection was wipe-tolerant. When the conference season was over Dragos looked at the systems again, but even with all his expertise he could neither 1) determine the infection vector nor 2) disinfect his systems. Eventually he concluded that the worm was not destructive and that there was nothing he could do at that point but leave the systems infected.

badBIOS breakthrough

Then at the beginning of October this year Dragos and his team had a breakthrough with badBIOS. If a USB key was removed too quickly from an infected system, it would be bricked when seen by non-infected systems. Even more interesting, if inserted into an infected machine it would start working again. This was proof that the infected machines wrote to the microcode of the USB sticks. With renewed energy Ruiu and his team attacked the infected machines. Using cheap computers as guinea pigs he proved that it was possible to infect Windows, FreeBSD and Mac OS X (Mac OS X is a kind of FreeBSD). When he tried to perform forensics on the system - disabling components, changing registry keys, etc. - it became obvious that he was not just fighting a program but a remote human operator who was intelligently countering his moves. He was fighting a rootkit operator in real time: someone with PowerShell or similar low-bandwidth access over a covert channel. Removing the Ethernet cable, wifi card and Bluetooth did not stop the remote access. It was not until he cut the wires to the speaker that he regained control of the system. During his research Dragos concluded that the rootkit is modular: it starts small but then downloads additional modules to expand its capabilities [21]. He has found that the rootkit uses SQL and stores data in files called .SQM [14].

badBIOS Facts

  • Infection vectors:
    • Local: USB microcode
    • Remote: unknown
  • Command and control channels:
    • Air gap jump: ultrasound
    • Remote: unknown
  • Features:
    • Modular
    • SQL
  • Payload:
    • Infection
    • Information extraction
    • Surveillance
  • Operating systems:
    • Windows
    • Mac OS X
    • FreeBSD

badBIOS Standards & IDs

CAPEC-449

CAPEC-458

Did the NSA make badBIOS?

So far there is no smoking gun, only circumstantial evidence.

  1. badBIOS shows a level of sophistication that is reserved for state-sponsored cyber-weapons; it is not only in the same caliber as Stuxnet or FLAME, it is even more sophisticated.
  2. Stuxnet is generally considered 1) to be of state-sponsored origin and 2) to have been created by the US intelligence community with the help of Israel.
  3. Flame is generally considered to have been made by the same people who made Stuxnet, as the two share a common origin in their codebase.
  4. Flame is modular, just like badBIOS.
  5. Flame uses SQL to store structured data; badBIOS uses SQL.

Does the NSA have anything like badBIOS?

As a result of the recent Snowden leaks we have unique insight into the NSA's workings.

  1. The NSA has a program called GENIE which was developed to spread like a worm and install itself stealthily for the purpose of infiltrating high-value targets; it has been around since 2008 and by the end of 2011 it had infected 85,000 computers [15].
  2. Jumping an air gap is a unique feature that had never been published before; the NSA's GENIE is able to jump an air gap [16].

Badbios uses the built-in microphone and speaker to communicate across the air gap

High-security installations use a principle called "air gapping" to separate the secure computer systems (green) from the insecure systems connected to the internet (red).

Left notebook receives a 20 kHz carrier generated by the notebook on the right while dubstep plays in the background - by @ErrataRob

Dragos Ruiu by Gohsuke Takama

badBIOS ultrasound recording with the 35 kHz spectrum isolated and slowed down 20x; note the repeating pulses.

badBIOS Symptoms:

  • No boot from CD
  • Free disk space disappearing
  • Inaudible but measurable sound in the 35 kHz spectrum
  • Unexplained changes to the system
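The 35 kHz symptom above, and the ultrasonic command and control channel described in item 7 of the specs, can be checked for from an ordinary audio capture of the room. The following is an added example written for this article, not code from the original post or from Dragos Ruiu's research: it uses the Goertzel algorithm to measure how much of each 50 ms frame's energy sits at 35 kHz and emits the resulting on/off pulse pattern. It assumes a 96 kHz recording (a standard 44.1/48 kHz sound card cannot represent 35 kHz) and synthesizes its own test input rather than reading a real capture.

```python
import math

# Assumed: a 96 kHz capture; a 44.1/48 kHz sound card cannot represent 35 kHz (Nyquist).
SAMPLE_RATE = 96_000
FRAME = 4800  # 50 ms frames; bin spacing 96000/4800 = 20 Hz, so 35 000 Hz sits exactly on a bin


def goertzel_bin_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """|X[k]|^2 for the DFT bin nearest target_hz via the Goertzel recurrence (no FFT needed)."""
    n = len(samples)
    k = round(n * target_hz / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def carrier_fraction(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Share of frame energy in the target bin (Parseval: sum|X[k]|^2 = N*sum x^2).
    A pure tone on that bin scores 0.5; the other half sits in the mirror bin."""
    total = len(samples) * sum(x * x for x in samples)
    return goertzel_bin_power(samples, target_hz, sample_rate) / total if total else 0.0


def pulse_pattern(samples, target_hz=35_000, sample_rate=SAMPLE_RATE,
                  frame=FRAME, min_fraction=1e-3):
    """'1' per frame where a carrier at target_hz holds >= min_fraction of the energy, else '0'."""
    bits = []
    for start in range(0, len(samples) - frame + 1, frame):
        frac = carrier_fraction(samples[start:start + frame], target_hz, sample_rate)
        bits.append("1" if frac >= min_fraction else "0")
    return "".join(bits)


def synth(pattern, carrier_hz=35_000, sample_rate=SAMPLE_RATE, frame=FRAME):
    """Constructed input, not a real badBIOS capture: three loud audible tones stand in for
    the music; a carrier 20 dB quieter is keyed on/off per frame according to `pattern`."""
    out = []
    for f, bit in enumerate(pattern):
        for j in range(frame):
            t = (f * frame + j) / sample_rate
            x = (0.5 * math.sin(2 * math.pi * 100 * t) + 0.3 * math.sin(2 * math.pi * 440 * t)
                 + 0.2 * math.sin(2 * math.pi * 880 * t))
            if bit == "1":
                x += 0.05 * math.sin(2 * math.pi * carrier_hz * t)
            out.append(x)
    return out
```

On a real recording, feed the PCM samples of a 96 kHz mono capture to pulse_pattern and look for a repeating on/off sequence; a carrier that stays on constantly is more likely an ultrasonic pest repeller or a switching power supply than a modulated channel.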

badBIOS Critique

Many security researchers have publicly doubted Dragos's findings and conclusions, and even the existence of badBIOS [18], going as far as name calling and alleging impure motives.

Others have claimed that Dragos Ruiu's conclusions are technically impossible, e.g. claiming that since every BIOS is written specifically for a particular model it would be impossible to create a virus able to broadly infect diverse BIOSes; specifically, that such a virus would have to contain complete BIOS images for each and every system to be infected [19]. I do not doubt that all BIOS images are unique while sharing a common origin (Award/Phoenix), but I also believe it is possible for a virus to target only that common origin while leaving the system-specific parts unchanged. Claims that any modification to a BIOS will cause a BIOS checksum error should be easily overcome, as the method for recalculating a BIOS checksum is open source [20].

Some people claim that the fact that badBIOS has not been examined by other researchers is proof it does not really exist! (Remember: absence of proof is not proof of absence.) I have described above why badBIOS has been very hard to extract, which has hampered efforts so far. Specialized non-Intel hardware is currently being acquired specifically for the USB analysis [24].

From my personal computer experience since 1982 (wow, has it really been 31 years? I suddenly feel old), I conclude that every claim from Dragos is not only possible but very plausible. Please assume that badBIOS is the real thing.

badBIOS Misunderstandings

Some people have claimed that badBIOS can infect across the air gap via ultrasound or software-defined radio [22]. These are all misunderstandings: badBIOS can communicate across an air gap, but it cannot infect across it. These and other misunderstandings regarding badBIOS are part of the reason why some people doubt the existence of badBIOS.

File diff showing badBIOS infection [23]

Conclusion - NSA and badBIOS

At this time it is not possible to conclude that the NSA made badBIOS, however:

  1. badBIOS is weapons-grade malware requiring the resources of a nation state for its creation and operation.
  2. The NSA has a program called GENIE with capabilities similar to badBIOS.

NSA glossary of their secret programs, mentioning air gap [16]
