Por

Two days ago, I had an e-mail in my inbox with this link. It seemed to be something serious, especially coming from Dragos Ruiu (@dragosr), the creator of the pwn2own contest, as he doesn’t need this kind of thing in order to be famous or make a name for himself. After reading it, I was a little bit scared.

As there isn’t a lot of information or an “official” report about this, I will give you some facts about his research and his findings:

He found a malware that infects hardware.



He found it installed in some laptops with Windows systems installed, but it proved to be somehow platform independent as it can infect a BSD system and OSx is not immune.



It reflashes the system BIOS, and it is resilient: even after flashing the BIOS with a legit firmware, it will still be there. This forces the researcher to use a new machine for each test.



It uses communication via SDR (Sotftware Defined Radio) to bridge air gaps (computers out of the network). It works even if the wireless and Bluetooth cards are physically removed. (https://plus.google.com/103470457057356043365/posts/exuXRz5C3L3)

It loads a Hypervisor.



When the BIOS is infected, it doesn’t let you boot from external devices regardless of settings. Most of the times, it goes for internal disk. (https://twitter.com/dragosr/status/388632113496350721)

It reflashes all USB drives plugged into an infected system, including external USB CD drives. It doesn’t affect the files in the USB, it directly infects the firmware.



Just plugging an infected memory stick in a clean system will infect it… without even needing to mount it! “I didn’t even mount the volume and it was infected.” (https://twitter.com/dragosr/status/393021493149302785)

It bricks the USB drives if you eject them unsafely, but they come back to life when you plug them in an infected system. https://twitter.com/dragosr/status/393026712197279746)

In infected Windows systems, some extra .ttf and .fon files appear – three of them (meiryo, meiryob, and malgunnb) have a size that is bigger than expected.



When trying to extract those files, they disappear from the burnt CD.

People are pointing to Russia as an origin of this malware as they are the only known developers of reset flash controllers’ software. The malware also blocks the reflashing Russian software sites. (https://twitter.com/dragosr/status/393023050750234624)

The first symptoms were found in a Macbook, 3 years ago. (https://twitter.com/dragosr/status/394223528813146112)

A list of the md5 of files was uploaded to this link.

Right now, I don’t know if this could be maximum trolling, or not. I personally don’t think Dragos would play with his reputation like this. If we are facing a new kind of threat, we will need to be prepared for it.

What’s worse, until today there’s no clue of what the malware purpose is. I’ll try to keep you posted, and I highly recommend you to follow @dragosr and the hashtag #badBIOS on twitter in order to be updated about this topic.

[NOTE] If you are interested in a sample, keep an eye on malware.lu. @xylit0l posted this in kernelmode.info:

Re: New Bios Malware by Xylitol » Sun Oct 13, 2013 9:23 pm Talked to r00tbsd over irc, he have an image of the infected bios but got no time for the moment to add it on malware.lu.

Sources:

[1] https://plus.google.com/103470457057356043365/posts/9fyh5R9v2Ga

[2] https://plus.google.com/103470457057356043365/posts

[3] https://www.wilderssecurity.com/showthread.php?t=354463

[4] https://www.security.nl/posting/366329/Onderzoeker+ontdekt+mysterieuze+BIOS-malware

[5] https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa-paranoia-plus-fireworks/

[6] https://twitter.com/dragosr

[7] https://twitter.com/rich_addr

[8] http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2998&p=21195&hilit=BIOS+malware#p21195