
'BadBIOS' System-Hopping Malware Appears Unstoppable

A new piece of system-hopping malware appears both unstoppable and especially virulent.

The badBIOS malware, uncovered by one of the security sphere's foremost researchers, can withstand virus scans, system wipes and even deep registry cleaning; infects Windows, Macs and Linux PCs; and may be able to spread itself via sound waves — if it's for real.

The curious case of badBIOS began three years ago, when Dragos Ruiu, a celebrated Canadian security consultant, noticed irregularities with his MacBook Air, according to a report from Ars Technica. The system updated its firmware without Ruiu's approval, and when it was done, it could delete his files and change system settings autonomously.

Although Ruiu attempted to root out the problem at the source, it only got worse. His computer refused to boot from a CD, opting instead to use its compromised internal protocols.


When the malware jumped to other systems over his network, Ruiu did the logical thing and removed the MacBook's Wi-Fi and Bluetooth cards, and unplugged its Ethernet cable. Disconnecting the computer from the network did not help: The MacBook Air continued to broadcast the malware to nearby systems, even those running Windows, Linux or the Unix-based operating system OpenBSD.

USB sticks plugged into infected machines were immediately infected — and would infect other machines, even though no files were present on the USB sticks. Infected laptops unplugged from networks, running on batteries, and with Wi-Fi and Bluetooth cards removed still managed to infect other machines in the same room.

At his wit's end, Ruiu disconnected every system, gave them full wipes and reinstalled their operating systems. Ever since then, the malware — which he dubbed "badBIOS" because it seems to persist in the Basic Input/Output System (BIOS) firmware that cold-boots a computer before the operating system takes over — has resurfaced now and again to delete data and transmit itself without a network.

In fact, the only thing that could stop the malware's spread, according to Ruiu, was disabling a computer's speakers and microphone. That implied that the malware was being transmitted by sound, similar to how dial-up modems or fax machines transmit data over analog telephone lines.

However, existing data transmission by sound tends to be very loud, and Ruiu heard nothing. But research has been done into data transmission using either extremely low or extremely high sound frequencies, beyond the range of human hearing.
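One check a defender can run against the acoustic-channel hypothesis is to look at what a machine's microphone (or its sound card output) is actually carrying above the range of human hearing. The script below is an added example and is not part of the article or of Ruiu's investigation: it takes a frame of audio samples, applies a Hann window, computes a pure-Python FFT, and compares the energy in an 18 to 22 kHz "near-ultrasonic" band with the energy in the 300 to 4000 Hz speech band, flagging the frame when the out-of-band share exceeds a threshold. The 48 kHz sample rate, the 4096-sample frame, the band edges and the thresholds are all assumptions chosen for the example, and both input frames are constructed synthetically (a benign speech-band mix, and the same mix with a 20 kHz carrier added) rather than recorded from any real system.

```python
import cmath
import math
from typing import Dict, List, Sequence

SAMPLE_RATE = 48_000                 # Hz; a 48 kHz capture can represent content up to 24 kHz (Nyquist)
FRAME = 4096                         # samples per analysed frame (power of two for the radix-2 FFT, ~85 ms)
AUDIBLE_BAND = (300.0, 4000.0)       # speech band, used as the reference for "normal" content
ULTRASONIC_BAND = (18000.0, 22000.0) # above the hearing range of most adults; assumed band edges


def fft(x: Sequence[complex]) -> List[complex]:
    """Recursive radix-2 Cooley-Tukey FFT. len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def band_energy(spectrum: Sequence[complex], lo_hz: float, hi_hz: float,
                sample_rate: int = SAMPLE_RATE) -> float:
    """Sum of |X[k]|^2 over the bins covering [lo_hz, hi_hz), positive frequencies only.
    Normalised by (n/2)^2 so a windowed full-scale tone gives a value of order 0.1-1."""
    n = len(spectrum)
    lo = int(math.ceil(lo_hz * n / sample_rate))
    hi = min(int(hi_hz * n / sample_rate), n // 2)
    total = sum(abs(spectrum[k]) ** 2 for k in range(lo, hi))
    return total / (n / 2) ** 2


def analyse_frame(samples: Sequence[float]) -> Dict[str, float]:
    """Energy in the audible reference band, energy in the near-ultrasonic band, and their ratio."""
    if len(samples) != FRAME:
        raise ValueError(f"expected exactly {FRAME} samples, got {len(samples)}")
    # Hann window: keeps spectral leakage from loud audible content out of the ultrasonic band
    windowed = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / FRAME)) for i, s in enumerate(samples)]
    spectrum = fft(windowed)
    audible = band_energy(spectrum, *AUDIBLE_BAND)
    ultrasonic = band_energy(spectrum, *ULTRASONIC_BAND)
    ratio = ultrasonic / audible if audible > 0 else float("inf")
    return {"audible": audible, "ultrasonic": ultrasonic, "ratio": ratio}


def is_suspicious(samples: Sequence[float], ratio_threshold: float = 0.02,
                  floor: float = 1e-4) -> bool:
    """Flag a frame whose near-ultrasonic energy is both non-negligible in absolute terms
    and a noticeable fraction of the audible energy. Thresholds are assumed values."""
    result = analyse_frame(samples)
    return result["ultrasonic"] > floor and result["ratio"] > ratio_threshold


def tone(freq_hz: float, amplitude: float, n: int = FRAME,
         sample_rate: int = SAMPLE_RATE) -> List[float]:
    """Constructed sine tone, used only to build synthetic test frames."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate) for i in range(n)]


def mix(*signals: Sequence[float]) -> List[float]:
    return [sum(values) for values in zip(*signals)]


# Constructed sample input (not a real capture): ordinary speech-band content...
BENIGN_FRAME = mix(tone(440.0, 0.5), tone(2000.0, 0.2))
# ...and the same content with a 20 kHz carrier added, standing in for an inaudible channel.
COVERT_FRAME = mix(BENIGN_FRAME, tone(20000.0, 0.15))


if __name__ == "__main__":
    for name, frame in (("benign", BENIGN_FRAME), ("covert", COVERT_FRAME)):
        r = analyse_frame(frame)
        print(f"{name}: audible={r['audible']:.4f} ultrasonic={r['ultrasonic']:.4f} "
              f"ratio={r['ratio']:.4f} suspicious={is_suspicious(frame)}")
```

In practice the frames would come from a microphone capture (or a loopback of the speaker output) at a sample rate high enough to reach the band of interest; a consumer sound card capturing at 44.1 kHz cannot see anything above 22.05 kHz, which is one reason such a check has to be paired with the physical mitigation the article mentions, disabling the speakers and microphone.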

Another possibility is that the malware was being transmitted by the weak radio signals all electronic devices emit. Researchers in tech labs have shown that malefactors can theoretically transmit malware over radio frequencies, but it's never been observed in the wild.

The malware does not seem to have any kind of purpose other than to delete random data, tamper with system preferences and spread itself. It does not slam Ruiu with advertisements or attempt to send his data back to an outside server.

On one hand, the whole story sounds too convenient to be true: An unstoppable bit of malware with a mysterious purpose that works across Windows, Mac and Linux can spread itself through a method known only to top security scientists.

This is not an everyday threat; this is the beginning of a Tom Clancy novel.

On the other hand, Ruiu is a proven security research pro, and already one of the big players in the industry. By keeping the entire Web updated about the badBIOS saga — even going so far as to post his system data to Reddit in an attempt to suss out how the malware survives system wipes — he has put his reputation on the line, with nothing to gain except possible peace of mind.

If badBIOS turns out to be a hoax or a publicity stunt, Ruiu has nothing to gain and everything to lose. Of course, if it's real, the security world now faces a very big problem: If badBIOS ever leaves the confines of Ruiu's office, any system that comes in contact with it is essentially nuked.

Follow Marshall Honorof @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.