'BadBIOS' System-Hopping Malware Appears Unstoppable

A new piece of system-hopping malware appears both unstoppable and especially virulent.

The badBIOS malware, uncovered by one of the security sphere's foremost researchers, can withstand virus scans, system wipes and even deep registry cleaning; infects Windows, Macs and Linux PCs; and may be able to spread itself via sound waves — if it's for real.

The curious case of badBIOS began three years ago, when Dragos Ruiu, a celebrated Canadian security consultant, noticed irregularities with his MacBook Air, according to a report from Ars Technica. The system updated its firmware without Ruiu's approval, and when it was done, it could delete his files and change system settings autonomously.

Although Ruiu attempted to root out the problem at the source, it only got worse. His computer refused to boot from a CD, opting instead to use its compromised internal protocols.

When the malware jumped to other systems over his network, Ruiu did the logical thing and removed the MacBook's Wi-Fi and Bluetooth cards, and unplugged its Ethernet cable. Disconnecting the computer from the network did not help: The MacBook Air continued to broadcast the malware to nearby systems, even those running Windows, Linux or the Unix-based operating system OpenBSD.

USB sticks plugged into infected machines were immediately infected — and would infect other machines, even though no files were present on the USB sticks. Infected laptops unplugged from networks, running on batteries, and with Wi-Fi and Bluetooth cards removed still managed to infect other machines in the same room.

At his wit's end, Ruiu disconnected every system, gave them full wipes and reinstalled their operating systems. Ever since then, the malware — which he dubbed "badBIOS" because it seems to persist in the Basic Input/Output System (BIOS), the firmware that cold-boots a computer before the operating system takes over — has resurfaced now and again to delete data and transmit itself without a network.

In fact, the only thing that could stop the malware's spread, according to Ruiu, was disabling a computer's speakers and microphone. That implied that the malware was being transmitted by sound, similar to how dial-up modems or fax machines transmit data over analog telephone lines.

However, existing data transmission by sound tends to be very loud, and Ruiu heard nothing. But research has been done into data transmission using either extremely low or extremely high sound frequencies, beyond the range of human hearing.

Another possibility is that the malware was being transmitted by the weak radio signals all electronic devices emit. Researchers in tech labs have shown that malefactors can theoretically transmit malware over radio frequencies, but it's never been observed in the wild.

The malware does not seem to have any kind of purpose other than to delete random data, tamper with system preferences and spread itself. It does not slam Ruiu with advertisements or attempt to send his data back to an outside server.

On one hand, the whole story sounds too convenient to be true: An unstoppable bit of malware with a mysterious purpose that works across Windows, Mac and Linux can spread itself through a method known only to top security scientists.

This is not an everyday threat; this is the beginning of a Tom Clancy novel.

On the other hand, Ruiu is a proven security research pro, and already one of the big players in the industry. By keeping the entire Web updated about the badBIOS saga — even going so far as to post his system data to Reddit in an attempt to suss out how the malware survives system wipes — he has put his reputation on the line, with nothing to gain except possible peace of mind.

If badBIOS turns out to be a hoax or a publicity stunt, Ruiu has nothing to gain and everything to lose. Of course, if it's real, the security world now faces a very big problem: If badBIOS ever leaves the confines of Ruiu's office, any system that comes in contact with it is essentially nuked.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 

  • skit75
    I call BS. It isn't even close to April. I did need a good laugh before the weekend though.
  • therealduckofdeath
    Skynet has been successfully activated.
  • COLGeek
    Must be an alien plot to exterminate all "intelligent" life on the planet....
  • whiteodian
    November Fools Day! I believe every first of the month should be a Fools Day and it looks like my idea is spreading.
  • pyromanicadeluxe
    I would like to officially announce that I have built a time machine and will be going to the year 1846.
  • elmo2006
    "In fact, the only thing that could stop the malware's spread, according to Ruiu, was disabling a computer's speakers and microphone."

    That's when I stopped reading and posted this comment. Quack job!
  • warezme
    This sounds pretty fake to me. However a localized high energy electromagnetic field of varying frequencies could cause enough havoc to all computer systems nearby. This could account for lost files, random reboots and just strange behavior. Even if it were audio induced code it would have to be purposely detected, stored, understood, compiled and executed by the receiver intentionally to RUN.
  • Onus
    Skynet or Jane, perhaps? Might it be user error? Halloween prank?
  • clonazepam
    I'm a fan of the Walking Dead too! Airborne zombie virus!
  • dgingeri
    This sounds more like a demon possession or haunting.