Information Security News
mailing list archives
Meet "badBIOS," the mysterious Mac and PC malware that jumps airgaps
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 1 Nov 2013 09:04:35 +0000 (UTC)
By Dan Goodin
Oct 31 2013
Three years ago, security consultant Dragos Ruiu was in his lab when he
noticed something highly unusual: his MacBook Air, on which he had just
installed a fresh copy of OS X, spontaneously updated the firmware that
helps it boot. Stranger still, when Ruiu then tried to boot the machine
off a CD-ROM, it refused. He also found that the machine could delete data
and undo configuration changes with no prompting. He didn't know it then,
but that odd firmware update would become a high-stakes malware mystery
that would consume most of his waking hours.
In the following months, Ruiu observed more odd phenomena that seemed
straight out of a science-fiction thriller. A computer running the OpenBSD
operating system also began to modify its settings and delete its data
without explanation or prompting. His network transmitted data specific to
the Internet's next-generation IPv6 networking protocol, even from
computers that were supposed to have IPv6 completely disabled. Strangest
of all was the ability of infected machines to transmit small amounts of
network data with other infected machines even when their power cords and
Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were
removed. Further investigation soon showed that the list of affected
operating systems also included multiple variants of Windows and Linux.
"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to
erase all our systems and start from scratch,' which we did. It was a very
painful exercise. I've been suspicious of stuff around here ever since."
In the intervening three years, Ruiu said, the infections have persisted,
almost like a strain of bacteria that's able to survive extreme antibiotic
therapies. Within hours or weeks of wiping an infected computer clean, the
odd behavior would return. The most visible sign of contamination is a
machine's inability to boot off a CD, but other, more subtle behaviors can
be observed when using tools such as Process Monitor, which is designed
for troubleshooting and forensic investigations.