Five days after Ars chronicled security researcher Dragos Ruiu's three-year odyssey investigating a mysterious piece of malware he dubbed badBIOS, some of his peers say they are still unable to reproduce his findings.

"I am getting increasingly skeptical due to the lack of evidence," fellow researcher Arrigo Triulzi told Ars after examining forensic data that Ruiu has turned over. "So either I am not as good as people say or there is really nothing."

As Ars reported last week, Ruiu said the malware first took hold of a MacBook Air of his three years ago and has since infected his laboratory computers running Windows, Linux, and BSD. Even more intriguing are his claims that the malware targets his computers' low-level Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), or Extensible Firmware Interface (EFI) firmware, and allows infected machines to communicate even when they're not connected over a network.

Since the article was published, researchers have attempted to reproduce the behavior Ruiu described. So far there have been no reports of success, and some of the more skeptical researchers are beginning to say Ruiu has misinterpreted or misrepresented the data. Ruiu, meanwhile, continues to stand by his conclusions.

Among the skeptics is Triulzi, a security researcher who five days ago voiced confidence that Ruiu's observations were reliable. Ars originally sought out Triulzi's opinion because he developed a highly stealthy piece of proof-of-concept malware five years ago that targeted the firmware of a computer's network interface controller, a feat that's on par with badBIOS's ability to infect a computer's BIOS. On Tuesday, Triulzi said he still thinks it's possible badBIOS has done everything Ruiu says it has. But after reviewing the data that Ruiu provided in response to requests for proof, Triulzi said he is more doubtful than he was before.

The data included BIOS images, disk images captured with the dd Unix command, and gigabytes' worth of Process Monitor analysis, all from one or more computers that Ruiu said were infected with badBIOS. The hard drive data "are just perfectly normal disk images with nothing suspicious in them," Triulzi told Ars. Similarly, he found nothing out of the ordinary when examining the BIOS image or the Process Monitor data.

Triulzi isn't the only researcher to reach the conclusion that Ruiu's data doesn't show anything amiss. Tavis Ormandy, another security researcher who has also reviewed the data, posted comments to a Google Plus thread. He wrote:

Dragos, I've looked at your BIOS dump, your procmon logs, font files, and your disk images. I see nothing to suggest there is anything suspicious here; these are either all entirely consistent with what I would expect to see, or have very simple explanations that do not require a sophisticated attacker. My guess is it's just a combination of stress and healthy paranoia causing you to connect unrelated events. For example, it's completely normal for the long run of nuls after the partition table, and you can see it's consistent with the start blocks listed.

$ fdisk -l d0

Disk d0: 5 MB, 5120000 bytes
255 heads, 63 sectors/track, 0 cylinders, total 10000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Device Boot   Start         End      Blocks  Id  System
d0p1   *      16065   481949999  240966967+  a6  OpenBSD
d0p2             62   976768064  488384001+  85  Linux extended
d0p3      883575000   976768064   46596532+   b  W95 FAT32
d0p4      642600000   883574999   120487500  ee  GPT

The images themselves are mostly consistent except for the truncation. dd can produce short runs as it stops on read errors unless you use conv=noerror, so the drive is probably failing. You can see that the images align if you ignore the truncation, which is what I would expect. I agree with Igor's assessment of the BIOS dump here http://www.reddit.com/r/netsec/comments/1o7jvr/bios_backdoor_bridges_airgapped_networks_using_sdr/ccpw67k and concur the other minor variations are likely dumping errors. Regarding the procmon logs, one is noisy and the other is much quieter, but the noise is mostly consistent with just general usage - I can see you were working on some documents, browsing Facebook, installing some Sysinternals tools and so on - nothing suspicious. Hopefully you trust my opinion on font exploitation, I've published on the topic multiple times, was nominated for a Pwnie award for some of my research, and have been credited in lots of Microsoft advisories on the topic. The behaviour you described is not consistent with font exploitation, and the font files you published all look well formed to me. If they're connected to any malware, it's just the regular kind, and not any exploitation attempt. I get the impression you're not going to believe me, but please at least think about taking a break from this :-)
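The two observations Ormandy draws from the disk images, that the run of zero bytes after the partition table is exactly what the listed start sectors predict and that the image is shorter than the table says the disk must be, can be checked mechanically rather than by eye. The script below is an added example, not code from the article or from any of the researchers it quotes. It parses the four MBR partition entries out of a raw image, verifies that every sector between the MBR and the earliest partition start is zero, and compares the image length with the disk size the table implies. The image it inspects is constructed in memory from the entries in the fdisk listing above; the function names and the placement of a fake EBR signature at sector 62 are my own assumptions for the demonstration.

```python
"""
MBR partition-table sanity check for a raw dd disk image.

Added example, not code from the article or from any researcher it quotes.
It builds a synthetic 10000-sector image in memory whose partition entries
mirror the fdisk listing in Ormandy's post, then checks the two things he
points to: that the sectors between the MBR and the earliest partition start
are all zero, and that the image is shorter than the partition table implies
(the truncation dd leaves behind when it stops at a read error).
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446            # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries):
    """Build a 512-byte MBR from (bootable, type_id, start_lba, end_lba) tuples.
    CHS fields are left zero; modern tools use the LBA fields anyway."""
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, end) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         0x80 if boot else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         start, end - start + 1)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(image):
    """Return the non-empty primary partition entries of an MBR image."""
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA MBR signature in sector 0")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            ENTRY_FMT, image, TABLE_OFFSET + 16 * i)
        if ptype == 0:            # empty slot
            continue
        parts.append({"index": i + 1, "boot": status == 0x80, "type": ptype,
                      "start": start, "end": start + count - 1, "sectors": count})
    return parts


def check_image(image):
    """Compare what the partition table promises with what the image contains."""
    parts = parse_mbr(image)
    image_sectors = len(image) // SECTOR
    first_start = min(p["start"] for p in parts)
    # The table says the disk extends at least to the last sector of the last partition.
    needed_sectors = max(p["end"] for p in parts) + 1
    # Only the portion of the pre-partition gap that survived in the image can be inspected.
    gap = image[SECTOR:min(first_start, image_sectors) * SECTOR]
    return {
        "partitions": parts,
        "image_sectors": image_sectors,
        "needed_sectors": needed_sectors,
        "truncated": image_sectors < needed_sectors,
        "gap_sectors": len(gap) // SECTOR,
        "gap_all_zero": not any(gap),
    }


# Constructed sample: the four entries from the quoted fdisk listing, in a 5 MB image.
FDISK_ENTRIES = [
    (True,  0xa6, 16065,     481949999),   # OpenBSD
    (False, 0x85, 62,        976768064),   # Linux extended
    (False, 0x0b, 883575000, 976768064),   # W95 FAT32
    (False, 0xee, 642600000, 883574999),   # GPT protective
]


def demo_image(sectors=10000):
    """Constructed image: MBR in sector 0, zeros elsewhere, EBR signature at sector 62."""
    img = bytearray(sectors * SECTOR)
    img[:SECTOR] = build_mbr(FDISK_ENTRIES)
    # An extended partition begins with its own EBR at its start sector (62 here),
    # so the zero run is expected to end exactly there, not before.
    img[62 * SECTOR + 510:62 * SECTOR + 512] = MBR_SIGNATURE
    return bytes(img)


def tampered_image():
    """Same image with one stray byte inside the gap; the check must flag it."""
    img = bytearray(demo_image())
    img[40 * SECTOR] = 0x41
    return bytes(img)


if __name__ == "__main__":
    report = check_image(demo_image())
    for p in report["partitions"]:
        print(f"p{p['index']} {'*' if p['boot'] else ' '} start={p['start']:>10} "
              f"end={p['end']:>10} type=0x{p['type']:02x}")
    print(f"image sectors: {report['image_sectors']}, table needs >= {report['needed_sectors']} "
          f"-> truncated={report['truncated']}")
    print(f"gap of {report['gap_sectors']} sectors after MBR all zero: {report['gap_all_zero']}")
```

On the constructed image the report shows 61 zero sectors between the MBR and the extended partition's start at sector 62, and flags the image as truncated because 10000 sectors cannot hold partitions that end at sector 976768064. That mismatch is the signature of a dd run that stopped at a read error, which is why Ormandy suggests conv=noerror for a failing drive. Only primary entries are parsed here; the chain of EBRs inside an extended partition would need a further pass.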

argumentum ad ignorantiam

As every student in an intro to logic course learns, the absence of proof is not proof of absence. I continue to agree with Triulzi and other security researchers when they say it's perfectly feasible for a determined attacker to develop malware as advanced as badBIOS and unleash it, wittingly or otherwise, on Ruiu's machines. At the same time, extraordinary claims require extraordinary proof. If badBIOS is real, there should be no reason researchers can't independently verify its existence, especially if, as Ruiu says, it has infected more than a dozen computers and USB drives over a three-year span. So while the inability of Triulzi and Ormandy to corroborate Ruiu's findings isn't proof that his badBIOS research is flawed, it is a significant development that I thought was worthy of an update.

Ruiu, for his part, continues to say badBIOS behaves precisely the way he has described in a series of social media posts and in interviews with Ars. He said he's continuing to make data available to researchers so they can independently evaluate it. "I've surrendered up a couple of my laptops. We had somebody fly in from New York and pick some up yesterday," he told Ars on Tuesday, declining to identify them by name. "They're going to have some smart guys force some eyes on it. We'll get some peer review and find out if I'm completely losing it or if we found something significant." Then, he paused for a moment and added: "By the way, I still don't think I'm losing it."