
'BadBIOS' System-Hopping Malware Appears Unstoppable

By Marshall Honorof - Source: Tom's Guide US | 46 comments

A new piece of system-hopping malware appears both unstoppable and especially virulent.

The badBIOS malware, uncovered by one of the security sphere's foremost researchers, can withstand virus scans, system wipes and even deep registry cleaning; infects Windows, Macs and Linux PCs; and may be able to spread itself via sound waves — if it's for real.

The curious case of badBIOS began three years ago, when Dragos Ruiu, a celebrated Canadian security consultant, noticed irregularities with his MacBook Air, according to a report from Ars Technica. The system updated its firmware without Ruiu's approval, and when it was done, it could delete his files and change system settings autonomously.

Although Ruiu attempted to root out the problem at the source, it only got worse. His computer refused to boot from a CD, opting instead to use its compromised internal protocols.


When the malware jumped to other systems over his network, Ruiu did the logical thing and removed the MacBook's Wi-Fi and Bluetooth cards, and unplugged its Ethernet cable. Disconnecting the computer from the network did not help: The MacBook Air continued to broadcast the malware to nearby systems, even those running Windows, Linux or the Unix-based operating system OpenBSD.

USB sticks plugged into infected machines were immediately infected — and would infect other machines, even though no files were present on the USB sticks. Infected laptops unplugged from networks, running on batteries, and with Wi-Fi and Bluetooth cards removed still managed to infect other machines in the same room.

At his wit's end, Ruiu disconnected every system, gave them full wipes and reinstalled their operating systems. Ever since then, the malware — which he dubbed "badBIOS" because it seems to persist in the Basic Input/Output System (BIOS), the firmware that cold-boots a computer before the operating system takes over — has resurfaced now and again to delete data and transmit itself without a network.

In fact, the only thing that could stop the malware's spread, according to Ruiu, was disabling a computer's speakers and microphone. That implied that the malware was being transmitted by sound, similar to how dial-up modems or fax machines transmit data over analog telephone lines.

However, existing data transmission by sound tends to be very loud, and Ruiu heard nothing. But research has been done into data transmission using either extremely low or extremely high sound frequencies, beyond the range of human hearing.

Another possibility is that the malware was being transmitted by the weak radio signals all electronic devices emit. Researchers in tech labs have shown that malefactors can theoretically transmit malware over radio frequencies, but it's never been observed in the wild.

The malware does not seem to have any kind of purpose other than to delete random data, tamper with system preferences and spread itself. It does not slam Ruiu with advertisements or attempt to send his data back to an outside server.

On one hand, the whole story sounds too convenient to be true: An unstoppable bit of malware with a mysterious purpose that works across Windows, Mac and Linux can spread itself through a method known only to top security scientists.

This is not an everyday threat; this is the beginning of a Tom Clancy novel.

On the other hand, Ruiu is a proven security research pro, and already one of the big players in the industry. By keeping the entire Web updated about the badBIOS saga — even going so far as to post his system data to Reddit in an attempt to suss out how the malware survives system wipes — he has put his reputation on the line, with nothing to gain except possible peace of mind.

If badBIOS turns out to be a hoax or a publicity stunt, Ruiu has nothing to gain and everything to lose. Of course, if it's real, the security world now faces a very big problem: If badBIOS ever leaves the confines of Ruiu's office, any system that comes in contact with it is essentially nuked.

Follow Marshall Honorof @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.

  • 8
    skit75 , November 1, 2013 10:40 AM
    I call BS. It isn't even close to April. I did need a good laugh before the weekend though.
  • 5
    therealduckofdeath , November 1, 2013 10:41 AM
    Skynet has been successfully activated.
  • 5
    COLGeek , November 1, 2013 10:57 AM
    Must be an alien plot to exterminate all "intelligent" life on the planet....
  • 2
    whiteodian , November 1, 2013 11:05 AM
    November Fools Day! I believe every first of the month should be a Fools Day and it looks like my idea is spreading.
  • 7
    pyromanicadeluxe , November 1, 2013 11:05 AM
    I would like to officially announce that I have built a time machine and will be going to the year 1846.
  • 6
    elmo2006 , November 1, 2013 11:07 AM
    "In fact, the only thing that could stop the malware's spread, according to Ruiu, was disabling a computer's speakers and microphone."

    That's when I stopped reading and posted this comment. Quack job!
  • 9
    warezme , November 1, 2013 11:11 AM
    This sounds pretty fake to me. However, a localized high-energy electromagnetic field of varying frequencies could cause enough havoc to all computer systems nearby. This could account for lost files, random reboots and just strange behavior. Even if it were audio-induced code, it would have to be purposely detected, stored, understood, compiled and executed by the receiver intentionally to RUN.
  • 4
    Onus , November 1, 2013 11:20 AM
    Skynet or Jane, perhaps? Might it be user error? Halloween prank?
  • 2
    clonazepam , November 1, 2013 11:27 AM
    I'm a fan of the Walking Dead too! Airborne zombie virus!
  • 2
    dgingeri , November 1, 2013 11:35 AM
    This sounds more like a demon possession or haunting.
  • 3
    tntom , November 1, 2013 11:40 AM
    In order for this to work there would have to be a pre-existing exploit. Like, say, in the audio driver that would be listening all the time. Such transmission would be really slow. All the computers would have to have either a similar driver issue of multiple chips and manufacturers.
  • 2
    Vorador2 , November 1, 2013 11:45 AM
    Halloween was yesterday. The "scary" stories are a bit late.

    I'm a bit more worried about real malware, like Cryptolocker. That one is nasty.
  • 4
    sykozis , November 1, 2013 11:57 AM
    I call hoax as well....
  • 3
    ap3x , November 1, 2013 11:58 AM
    Something sounds fishy about this. Can't be real; something like this would be all over the news.
  • 5
    Paul Connell , November 1, 2013 12:09 PM
    Yup, as has been suspected, this is utter BS. First, it says he only disconnected the initially infected systems from his network *after* it had already apparently infected others. And then the article states that he continued to transfer files (and the infection) using memory sticks. And if the virus could survive system wipes, then why would he assume it was being re-spread through the speakers as opposed to simply resurfacing from the initial infection?

    And spreading through the speakers? Come on. Unless there's something already on the receiving end continually monitoring the speakers to receive, compile and run the code, it's nonsense.
  • 4
    JamesSneed , November 1, 2013 12:14 PM
    Add me to the list calling BS, at least how this is written. I can see it plausible that the virus is using some USB controller hack to get in from any USB flash drives etc., like the PS3 jailbreaks did. Transmitting ultrasonic frequency via PC speakers for communication isn't going to happen unless you have some serious studio-monitor-quality speakers.
  • 2
    John Bauer , November 1, 2013 12:15 PM
    Sounds like someone felt like writing a horror story for Halloween.
  • 4
    Durandul , November 1, 2013 12:17 PM
    @Vorador2 or that Norton program. That is one well-written piece of spam.
  • 6
    timaahhh , November 1, 2013 12:39 PM
    Wonder if holy water will do the trick. Ah well, I'll add a proton pack to my list of needed tech tools.
  • 0
    JamesSneed , November 1, 2013 12:42 PM
    Did a little more looking into this. Looks like Dragos did notice a high-pitch noise from his speakers and is now suspecting the virus to have written itself to the RealTek audio chip's firmware, since it came back after a BIOS flash and fresh install of the OS. An audible high-pitch noise is a much more plausible way to communicate to another computer that already has the virus loaded in RealTek firmware. As implausible as that is, I suppose it is doable with typical PC hardware.