The "BadBIOS" virus that jumps airgaps and takes over your firmware - what's the story?

Filed Under: Featured, Malware

A number of readers have asked us, "What do you guys have to say about the BadBIOS story that's unfolding at the moment?"

In a nutshell, it's a story about a virus that is claimed to have some remarkable characteristics.

Sufficiently remarkable, in fact, to inspire Ars Technica's Dan Goodin to describe it as not just "mysterious" but "omnipotent."

What it does

Here are some of the claims that have been made about the BadBIOS virus:

  • It is said to infect the low-level system firmware of your computer, so it can't be removed or disabled simply by rebooting.
  • It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
  • It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.
  • It is said to prevent infected systems being booted from CD drives.
  • It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.
  • It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.
  • It is said to infect simply by plugging in a USB key, with no other action required.
  • It is said to infect the firmware on USB sticks.
  • It is said to render USB sticks unusable if they aren't ejected cleanly; these sticks work properly again if inserted into an infected computer.
  • It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.
  • It is said to block access to Russian websites that deal with reflashing software.
  • It is said to render any hardware used in researching the threat useless for further testing.
  • It is said to have first been seen more than three years ago on a Macbook.

By now, you may be thinking that this sounds more like a science fiction movie than real life.

In fact, if you're a certain age, you may well be waiting for Jeff Goldblum to burst forth with a Mac, some mysterious and omnipotent file transfer software, and a countervirus that will save the planet.

You're probably also thinking that with as many symptoms, twists, turns and apparent tell-tales as are listed above, we ought to know a lot about it after three years.

The thing is, all the facts above come from one observer on Twitter, @dragosr, the guy who runs the CanSecWest, EuSecWest and PacSec security conferences.

The abovementioned details have only come out in the past short while, so we can collectively be excused for not knowing an awful lot just yet.

What we know

One BIOS sample file has been made available; SophosLabs took a brief look and largely concurred with an already-public analysis published on Reddit. (For the record, our analysts didn't see the Reddit story until after they'd looked at the file.)

The BIOS we saw seems all but identical to an official Dell Alienware BIOS, so it would be no use on a Mac, for example.

And even if a byte-by-byte analysis of the whole BIOS were to reveal a pre-planted backdoor, that would nevertheless only be one small part of the whole story.
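That byte-by-byte comparison is the obvious first check, so here is an added example of how to run it; it is not SophosLabs' tooling and not the Reddit analysis. It reports the offset and length of every run in which a suspect dump differs from the vendor's official image. The two "images" below are constructed inside the script rather than read from real firmware, and the function names are mine. One caveat for real dumps: even a clean machine usually shows a few small differing runs (NVRAM variable stores, DMI and serial-number areas and similar per-machine data), so a short list of differences is not by itself evidence of tampering; what matters is whether the changed bytes land in executable regions.

```python
"""Compare a suspect firmware dump with a vendor reference image.

Added example, not SophosLabs' or the Reddit analyst's code. Reports the
byte ranges where the two images differ so a reviewer can see whether a
"modified" BIOS is all but identical to the official one or carries a
planted region. The sample images below are constructed, not real dumps.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hash of a whole image, for matching against a vendor-published hash."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs in which the two images differ.

    Images of unequal size are compared over the common prefix and the
    tail of the longer image is reported as one extra differing run.
    """
    runs: List[Tuple[int, int]] = []
    common = min(len(reference), len(suspect))
    start = None
    for i in range(common):
        if reference[i] != suspect[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, common - start))
    if len(reference) != len(suspect):
        runs.append((common, abs(len(reference) - len(suspect))))
    return runs


def summarize(reference: bytes, suspect: bytes) -> Dict[str, object]:
    """Hashes, sizes and the differing runs, in one report."""
    runs = diff_regions(reference, suspect)
    return {
        "reference_sha256": sha256_hex(reference),
        "suspect_sha256": sha256_hex(suspect),
        "size_reference": len(reference),
        "size_suspect": len(suspect),
        "differing_runs": runs,
        "bytes_changed": sum(length for _, length in runs),
        "identical": not runs,
    }


# Constructed sample "vendor" image: 4 KiB of a repeating byte pattern.
REFERENCE = bytes(range(256)) * 16
# Constructed "suspect" image: same image with a 4-byte patch at offset 100
# and one flipped byte at offset 2000.
_patched = bytearray(REFERENCE)
_patched[100:104] = b"\xde\xad\xbe\xef"
_patched[2000] ^= 0xFF
SUSPECT = bytes(_patched)


if __name__ == "__main__":
    report = summarize(REFERENCE, SUSPECT)
    for key, value in report.items():
        print(f"{key}: {value}")
    for offset, length in report["differing_runs"]:
        print(f"  0x{offset:08x} +{length}: "
              f"{REFERENCE[offset:offset + length].hex()} -> "
              f"{SUSPECT[offset:offset + length].hex()}")
```

Run it against two real dumps by replacing REFERENCE and SUSPECT with the file contents; a differing run that lands inside a code region, rather than in the variable store, is the thing worth disassembling.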

Furthermore, the software defined radio and speaker-to-microphone infection vectors mentioned above, as a vehicle for jumping airgaps, sound highly speculative.

Not impossible, of course - never say impossible where malware is concerned, not least since Stuxnet appeared - but certainly very unlikely.

Spreading via USB sticks, like Stuxnet did, would surely be a satisfactory explanation on its own (though the part assuming automatic code execution via USB on multiple operating systems sounds highly speculative, too).

Imagine that you could reliably get an infected system to beam out radio waves in the absence of any radio hardware, for example by relying on some serendipitously-located internal circuit parts to serve as your transmitter and antenna.

Imagine that you could somehow turn on the speaker and produce reliably-decodable but inaudible sounds.

How would you persuade the uninfected computer to receive them at all, let alone to treat them as shellcode that would ultimately let you reflash the BIOS?

Update. As several readers pointed out, @dragosr has tweeted, "To be explicit, no audio infection, just c&c, only 2 unusual infection vectors IDed, USB and one other, waiting on patches before discussion." C&C means Command and Control, the name given to the data transfer mechanism by which a botnet is operated. [2013-11-01T20:00Z]
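Whether such a channel can be "reliably-decodable but inaudible" is the technically interesting question, and it is cheap to simulate. The following is an added example, not code from BadBIOS or from Dragos's investigation: a frequency-shift-keyed modem that puts one bit per millisecond on two tones at 18 kHz and 20 kHz, just under the usual hearing ceiling, sampled at 44.1 kHz, and recovers each bit by comparing tone energy per symbol. The frequencies, the symbol rate, the "weak speaker" gain and the noise level are parameters I chose, and the acoustic path is a toy: a real speaker's roll-off above about 16 kHz, room echoes and clock drift between the two sound cards are exactly what this simulation does not model. As the update above says, the claim is a command-and-control link between already-infected machines, not a way to infect a clean one, and the simulation matches that: both ends have to be running the modem code.

```python
"""Simulated near-ultrasonic FSK modem (added example; not BadBIOS code).

One bit per ~1 ms symbol (about 1 kbit/s): 18 kHz carries a 0, 20 kHz a 1,
at a 44.1 kHz sample rate. The channel() function is a made-up acoustic
path (speaker gain plus Gaussian noise), not a real speaker and microphone.
"""
import math
import random
from typing import List

SAMPLE_RATE = 44100
F_ZERO = 18000          # tone for bit 0 (chosen for this example)
F_ONE = 20000           # tone for bit 1 (chosen for this example)
SAMPLES_PER_BIT = 44    # ~1 ms per symbol -> ~1000 bit/s


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(data: bytes) -> List[float]:
    """Emit one tone burst per bit; the phase continues across symbols."""
    samples: List[float] = []
    phase = 0.0
    for bit in bytes_to_bits(data):
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples


def tone_power(chunk: List[float], freq: float) -> float:
    """Power in a single DFT bin at freq (a Goertzel-style correlation)."""
    re = im = 0.0
    for n, x in enumerate(chunk):
        angle = 2 * math.pi * freq * n / SAMPLE_RATE
        re += x * math.cos(angle)
        im -= x * math.sin(angle)
    return re * re + im * im


def demodulate(samples: List[float]) -> bytes:
    """Per symbol, pick whichever tone carries more energy (assumes
    symbol alignment, which a real receiver would have to recover)."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if tone_power(chunk, F_ONE) > tone_power(chunk, F_ZERO) else 0)
    return bits_to_bytes(bits)


def channel(samples: List[float], gain: float, noise: float, seed: int = 1) -> List[float]:
    """Toy acoustic path: attenuated speaker output plus Gaussian noise.
    gain and noise are invented parameters, not measurements."""
    rng = random.Random(seed)
    return [gain * x + rng.gauss(0.0, noise) for x in samples]


def roundtrip(data: bytes, gain: float = 1.0, noise: float = 0.0) -> bytes:
    """Modulate, push through the toy channel, demodulate."""
    return demodulate(channel(modulate(data), gain, noise))


if __name__ == "__main__":
    beacon = b"c2:beacon"
    print("clean channel:", roundtrip(beacon))
    print("weak speaker + noise:", roundtrip(beacon, gain=0.2, noise=0.1))
```

At roughly 1 kbit/s a short beacon costs well under a second of air time, so bandwidth is not the obstacle to a sonic C&C channel; symbol synchronisation and the speaker's actual frequency response are, and neither is something a simulation like this can settle.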

What we can predict

So the short answer to the question of what we have to say about BadBIOS is, "We can't yet say."

Based on @dragosr's tweets, it looks as though additional information, including access to affected USB sticks, will become available at the PacSec conference in Tokyo in just under two weeks' time; until then, says Dragos, he's got to knuckle down to prepare for the event.

And, talking of the event, there are various papers about firmware and BIOS level attacks at PacSec 2013, so let's hope that one or more of them will shed some light on what's true and false about BadBIOS.

Until then, it's a bit like the dilemma we faced nearly five years ago when the Conficker virus came out and stood poised to do something new on 01 April 2009.

Everyone wanted to know what it would do, but all anyone could say with honesty was, "We shan't know until 01 April."

What to do about BadBIOS

I don't think there is any need for alarm over the BadBIOS story.

There isn't an obvious threat to everyone (like there was with Stuxnet, even before we knew its inner purpose); it doesn't seem to be spreading in the wild (like Stuxnet was, despite having a specific target); and there are plenty of clear and present threats we can usefully concern ourselves with in the interim.

So that's about that for now, I'm afraid - it's a question of watching and waiting.

NB. It's possible, of course, that this is an elaborate hoax, intended as a combined publicity exercise and social engineering experiment that will be wrapped up at PacSec. If so, expect it to be aimed at outing anyone who jumped to detailed conclusions without having the details to go on!

61 Responses to The "BadBIOS" virus that jumps airgaps and takes over your firmware - what's the story?

  1. you missed the part where this is outed as a Halloween prank, right?

    • ScottK · 666 days ago

      By Reddit? Yes, because Reddit has an awesome history of being internet sleuths and unbiased fact finders.

      If this is a prank, dragosr's putting his security reputation on the line, which is paramount in our field. If this is real, there are still some questions to answer.

      • nips · 666 days ago

        His reputation will easily survive this as clearly it's a prank. He's known to make statements that make people think. This one just happens to have a devious component.

    • Bob Smith · 666 days ago

      You missed the part about linking to anything concrete that proves that it was outed as a Halloween prank

    • noname · 662 days ago

      I wouldn't have believed it either but I am having the same issue. I'm at a high level in IT and I really didn't want to tell anyone for fear of ridicule. My wife thought I was breaking my own systems. I will not post my name now until I see what takes place with his findings. I think it is more prevalent than people notice, my wife and kids had no idea, just that the system was slow. If you know what you are doing you can see the changes taking place and when you try to correct them - the problem starts. I think more IT folks out there have the same problem and are not coming out to tell for fear of looking foolish. I figured out a way to get around it but it's only a temporary fix without all the functionality of the system. When I stop using the fix it reverts back.

    • This is physically impossible to do... At that level you're working next to the wiring... Take a look at this for some basic hardware knowledge to debunk this whole thing.

  2. Jim · 666 days ago

    "already-public analysis" link does not work :P

  3. Antony · 666 days ago

    This has to be a halloween story!

  4. Anonymous · 666 days ago

    The claim is that the infected computers were communicating via ultrasonic sound, not that the infection occurred through that vector.

    • GrahamS · 666 days ago

      Correct. There's been a LOT of misreporting on this.
      @dragos said:
      "no evidence of "spreading" via audio. Just comms between infected machines."

    • Paul Ducklin · 666 days ago

      Thanks. Added an update above.

      (His original tweets from a couple of weeks ago were not so explicit. I formed the opinion from those that there was "airgap jumping" between two computers that had shared no connection or hardware, e.g. no network, no USB sticks.)

  5. Jack Wilborn · 666 days ago

    What time better and who more likely to spoof us? However most of the claims do sound like SciFi. Remember the Radio Shack software that played a tune on the radio (AM)? Don't think that's going to fly. Too many "could be's" and lack of facts. Most of this is a SciFi or Hallows' Eve gag...


  6. Guest · 666 days ago

    I have been diagnosed with the 1st ever known case of Human BadBIOS.
    Apparently I contracted it by walking by a book store that had some books on computers.

    The prognosis is not good.

  7. My suspicion is that the infection vector is actually one of a very thin hypervisor, emulating the various BIOS screens, but preventing various settings (such as CD-ROM boot) from actively taking effect. A thin hypervisor would be able to do many of the things that the supposed BIOS virus is capable of doing, including affecting multiple operating systems.

    I suspect the keypress for getting into the actual BIOS is either disabled or set to an extremely low fraction of a second, so when you attempt to get into the BIOS, you're actually seeing the BIOS run under the hypervisor, which would allow it to intercept and disable various settings (such as booting from the CD-ROM).

    This theory is testable: a computer lacking the VT featureset in the processor should be immune. Also, clearing the infection should be as simple as replacing the boot drive and resetting BIOS settings with the jumper.

    • Psst. Your computer is watching you. · 318 days ago

      One might try pressing Ctl. Alt. Esc. Tab & F5 at the same time, at boot. One has heard that this might work on some machines. Resetting the BIOS via jumper and replacing the boot drive (and flashing the BIOS) does not work.

  8. JRD · 666 days ago

    The way I see it, these are the options:
    1) completely true - there is a powerful new class of malware doing things that were always possible, just technically difficult
    2) this is a hoax
    3) @dragosr has schizophrenia and thinks it's real, but it isn't

    Occam's Razor points to number 2, but I'm hopeful that it's number 1 because that's just so darn cool.

  9. Stephen · 666 days ago

    It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.

    This is an inaccurate quote. What he said is:

    no evidence of "spreading" via audio. Just comms between infected machines.

  10. I doubt it's a "social engineering experiment".

    Since everyone jumped to conclusions, okay, let's pretend it's a hoax.


    Malware that attacks and rewrites firmware exists.

    Infecting a flash drive without mounting it, via electrical impulses, is basically hardware programming.

    Sending information via ultrasound, using the mic/speakers and sound cards, is also possible and tested, in a lab environment yes, but still.

    We're not talking about spreading, the guy said on his twitter, communicating, not spreading.

    There's nothing SF about what it does, maybe a bit 'ahead of time' but not much.

  11. Michael · 666 days ago

    A good look at the physics principles of electronics and ultrasound is warranted here. I have serious doubts as to whether it is possible to do many of the hinted at actions. So I reckon it is another scam.

  12. Andy · 666 days ago

    After reading this article I have to laugh and say someone is pulling your leg. This is not possible.

  13. Brad Levy · 666 days ago

    The Software Defined Radio claim is particularly suspect.

    Software defined radio (SDR) uses software to define the frequency and modulation characteristics of a radio, but still requires transmitter/receiver hardware. Even then, the range of frequencies is not unlimited. And an antenna is still needed.

    While the digital circuitry in computers does generate some radio frequency signals, and the traces on the circuit board can act as antennas, modern computers are better shielded against such emissions than early computers on which creative programmers generated music that could be picked up on an AM radio using unintentional emissions.

    Even if one could carefully craft a program to generate just the right unintended processor emissions to mimic a bluetooth or wi-fi signal (rather doubtful considering the modulations and frequencies involved), it would still require a receiver for infection to occur. If one only has a transmitter, one might be able to jam a wi-fi or bluetooth connection. But to actively set up a link to convey the virus to the new target, two way communication will be needed, which requires receive capability in the computer being used to cause the infection. While it is not impossible for some portion of the computer's circuitry to unintentionally receive radio signals (as interference on an audio input, for example), the extent to which it is possible is nowhere near enough to establish a link at the frequencies, modulation methods, data rates involved in bluetooth and wi-fi. (If it was, your computer would be so susceptible to interference as to be unusable.)

    • We all need to read and follow the source and document way better.

      The guy never ever said or claimed the ultra sounds are a way of infecting the other computers.

      He said the already infected computers communicate this way with each other.

      Which, I'll say it again, has been tested in lab conditions; it's a possible and doable technology, but no one has seen it 'in the wild' yet.

    • Paul Ducklin · 666 days ago

      Now I look back at the tweets over the past few weeks, it looks as though this SDR thing was what you might call hypothesis #1...until someone suggested it might be happening sonically, whereupon the SDR theories were rejected in favour of sound-based comms.

      It would be nice to see some evidence that any sound-based data transfer actually happened, but it all still seems to be hypothetical.

      (Not hypothetical that data can be transmitted by sound - ask any fax machine :-) - but hypothetical that it's happened here.)

  14. tasdf · 666 days ago

    What is the current detection method?

    Real or fake, what is the current detection method?

    • Paul Ducklin · 666 days ago

      I reckon there's going to be a paper at PacSec that tells us :-)

  15. Osama S. · 666 days ago

    Let's say the science is sound on transmission via speakers and microphones, so the receiving computer must be actively listening. So this virus shouldn't be able to jump to another computer unless the receiving computer is already infected and is listening to instructions. Is that right? Or how is it supposed to jump to a clean machine that has no capability to listen to incoming "ultrasound" instructions over the mic?

    • Paul Ducklin · 666 days ago

      Apparently the sound-based part isn't for spreading. It now seems it's only for C&C (command and control) between already-infected computers.

      No-one seems to have captured any actual audio data in transit, but it seems to be the latest hypothesis that audio transfer is going on, and it's to do with command and control. (So it seems this thing is a botnet, too.)

  16. Guest · 666 days ago

    "It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one."

    A: the microphone on the uninfected device needs to be 'listening';
    B: speakers need to be turned on/up on the transmitting device;
    C: user would hear the data stream, it would sound like the old modems;
    D: ultrasound can't be used as even good computer speakers will only go up to about 14 or 16kHz, whereas humans can easily hear up to 18 or 20kHz.

    • Paul Ducklin · 666 days ago

      The hypothesis seems to be that it's using ultrasonic frequencies, so you can't hear it.

    • A Girl Out There Somewhere · 318 days ago

      A. They are. Somehow, they are. Smart phones' mics are always on, for example. Anything that can take in the sound seems to.
      B. I would have agreed with you, until ours seemed to find speakers and mics where we thought there weren't any. And, until ours were communicating with devices that hadn't been turned on or charged in a very long time and should have been dead.
      C. You can. It is quiet (except for the ping--which sounds like a PoP), but it is there, and that's exactly what it sounds like. When it isn't making disc-eject sounds, activity-white-noise sounds, buzzing frenetically, or even sometimes playing 8-bit music, that is. Yes. Really. Ours didn't have that connecting sound, but we did get dialing and a busy signal
      D. I can't comment about ultrasound. It wouldn't surprise me. However, Blue Tooth. And you can hear it. If you don't have speakers attached, you have to listen close, but it's there.

  17. Rob · 666 days ago

    It doesn't say that it SPREADS via speakers, it says that it can COMMUNICATE with other already infected systems via speakers. This has been pointed out several times already.

    • Paul Ducklin · 665 days ago

      Well, it still seems to be the case that it's *speculated* to communicate via speakers.

      I think we all know audio-based data transfer is both possible and commonplace (if you have ever used a fax machine, this is unlikely to come as a surprise).

      The story about how it spreads or communicates has changed several times - the software radio claim seems to have been abandoned now, for example - so we are all really in a Rumsfeldian situation: there are known knowns, known unknowns, unknown knowns and unknown unknowns. The only thing we're lacking here are the known knowns.

      As I've implied in a few other comments, it could all be true, it could all be false. We don't know (and nor, it seems, does Dragos, but he has to take the lead here as it's his story.)

      So the best we can do is pull our heads in until PacSec.

  18. LRW · 666 days ago

    And if you forward the warning to everyone in your contact list, Bill Gates will send you $100 for each email! It's true! I've already made $60,000!! (I'm sure the check will arrive in the next week or so)

  19. Guest · 666 days ago

    Not that I believe it's true, but no one is claiming that it "spreads itself" over SDR or audio, only that two already infected computers can communicate by audio or SDR. It is said to enter by USB and "at least one other vector".

    • Paul Ducklin · 665 days ago

      To be more accurate, Dragos has declared that it spreads via USB on insertion, but doesn't seem to be able to work out why or to extract data from infected USB keys, only to speculate that it's some hitherto unknown multi-platform BIOS device ID buffer overflow.

      Recently he's added that there is another infection vector, but he won't say what it is. He's "awaiting a patch," whatever that means.

      (Read back over the last two weeks of Dragos's stream of tweets. I think you will have to agree that the story behind the SDR component - which was proclaimed and then suddenly replaced with ultrasound as an explanation - is quite unclear until lately, when Dragos has decided it's actually some kind of botnet control channel. Remember that this whole thing has "jumping airgaps" as a compelling part of its nature. Seems this airgap jumping is now just "spreads on USB sticks.")

  20. Larry Marks · 666 days ago

    Uhhh, why are you wasting our time with this rubbish? It's clearly bogus (unless you misrepresented it).

    It's not just Dragosr's reputation that's getting smudged. Yours and Sophos's just did too.

    Slow news day?

    • Paul Ducklin · 665 days ago

      I hear you, but people are confused by this saga, which has been extensively covered as if it were already proven. And whether you like it or not, this stuff *isn't* "clearly bogus" to everyone. (Just look at some of the comments above.)

      So we could have told our readers, "No, we refuse to comment on this. Go away and make your own mind up." But, as one commenter said, it sure sounds like a hoax, but, hey, wouldn't it be cool if it were all true?

      So we decided to present Dragos's claims (and please notice that we do not present any of the claims as facts unless they are backed up by solid evidence) and to help people to weigh this story up for themselves.

      None of this stuff is impossible. You just have to decide whether it's likely that all these components collected into a single story that still lacks evidence.

      (And to be fair to me, I do remind people that this could well be a giant hoax as part of a publicity drive in the leadup to PacSec. For my part, I'm happy to sit on my hands until two weeks' time.)

  21. BFCerdo · 665 days ago

    Dragos ruled out SDR usage back on October 15th. From a twitter post: "The OOB channel was HF Audio, not SDR."

    It is entirely feasible to network two computers via barely-audible audio. Most sound cards and microphones are designed to work up to (and often beyond) 20 kHz. A real life example of 1,000 bps networking over audio in the 18 kHz - 20 kHz range has already been performed. 1 kbps is entirely fast enough to perform command and control operations.

    • Paul Ducklin · 665 days ago

      I think saying "he ruled out SDR" is putting a lot of icing on the cake - it implies that there was some sort of scientific reason for changing hypothesis.

      It might be fairer to say that he guessed it was SDR until someone else said, "Ultrasound would be a better hypothesis," and then he changed his mind, and decided it probably wasn't SDR after all, but sonic.

      And that's the problem here: lots of inspired guesses, making a giant and excitingly complex whole - but no actual evidence other than that most of the guesses are technically feasible.

      So is sending a man to Mars...but that doesn't mean anyone's been there yet.

      (Doesn't mean they haven't, either :-)

  22. Sootie · 664 days ago

    I saw m11x r2 in the article and got worried but I think it will be ok...

  23. Tamas Feher · 663 days ago


    My cynical theory: the badbios scare is a literally "viral" advertising campaign for the MEGA site.

    (You know there was that fat guy who had thought he could show the middle finger to US copyright, if operating from New Zealand. Yet, one day, the black helicopters came for him and his site, so he is now experimenting with providing other net-based services.)

    I guess there is such money or ladyfolk that will make a hungry IT-security researcher sell his prestigious soul to make up a faux malware scare, so that thousands of people download the 907MB sized suspect ISO sample hosted on the site (thus making a "free" demonstration of its high bandwidth-serving capabilities).

    Apparently the promise of some mega-stuxnet malware is an even better advertisement in the post-Snowden world, compared to old-fashioned triple-x romping DivX CD or cracked warez software ISO...

  24. Peter · 663 days ago

    My system is infected with the same thing. It's real - believe me, I have all the same problems. You can remove all your cards (network, modem, update BIOS, etc., still there). I have 3 systems infected, also my cell phone. I have other systems that are OK - on a different network - away from the infected. Definitely BIOS driven. Computer overheats, fan spins loud - that's when you know it's there. Well, on my old system that my kids use.

    • noname · 662 days ago

      Yes, noname is Peter above. I didn't want to give my name yet or maybe never. I am in government (those who know - u know what I mean). Like I said, YES it is true, happening to me, not sure how it spreads, but it's there. I don't know if it's the bad guys, good guys, etc., all I know is that it is on my systems. I'll check in from time to time to see if we have an update. I just want to remove this thing.

  25. noname · 662 days ago

    I have the same issue, all the same symptoms. I work in IT – I tried different things to remove it but it always comes back. Yes, I removed the BIOS battery, power, memory and it still comes back. I pulled the wireless card, Bluetooth, etc., doesn’t matter, it still manages to reappear. It seems like someone has control of the system because it can’t be that smart!!! Example – changing the registry and it disables the editor, or it changes permissions and then you are unable to do anything. I managed to boot to a CD that can’t be written to and can start to make changes, but when I start to own the system it reboots. I’m actually on the CD OS now, this is really happening, but it just seems unbelievable; it must go out and contact a site or some person(s) that can watch what you are doing and start the process. I know, crazy, but it’s happening, I’m not a beginner – been doing this for 20+ years. I’m not sure if the average person would even know. (I think my issue started via my Android phone.) OK, I’ll check back later. Not putting my name on here yet.

    • Psst. Your computer is watching you. · 318 days ago

      You're so right! It seems like there is a person on "the other side" watching what you are doing and reacting, or taking action to see how you will react. Almost as though it is conscious or something. It doesn't just learn, it learns and adapts. It's problem-solving and decision-making. It follows you around on your computer and takes away permissions where it thinks you will go next. It opens windows en masse to cover its tracks, but not like some incredibly fast batch command. Then it sings to you. And audibly pings out for reception. It hums, it dials, you would swear it speaks to you!

      A folder appeared on my cell phone called ICU inside of which was a text file with only one "word" It was the unique password my husband had just entered as his BIOS password on one of the desktop PCs...

      It is comforting to know we are not the only ones. Sort of.

  26. roy jones jr · 658 days ago

    So a virus comes out 3yrs ago that can infiltrate/bypass every aspect of security on any computer and use every means of spreading or using backdoors without removal or detection? The virus can block ANY Russian (why only Russian?) site that deals with USB reformatting? So this "pinnacle" virus is the end of technology as we know it? I mean that's basically what I'm reading. We all just better pack it in. Paul Ducklin's hard work all these years was for nothing.

    I'm joking of course.

    • Paul Ducklin · 658 days ago

      Thank goodness for your final sentence. I was about to get my coat...

  27. spammy geek · 652 days ago

    Yeah, I guess we need to scan the physical BIOS for this. The malware writes itself to BIOS mem.

    I believe this is REAL, because I know you can take the BIOS time battery to send a signal through an IC pin, and if this BIOS is used to latch the transistor then it's possible to send a signal via the transistor.

    Do you all forget we used to play FM radio by sending a control signal to a transistor to gate power? OK, OK, it's FM radio with 50m capability. But if this uses an IC pin to control some transistor, or maybe the BIOS battery transistor itself, let's say 1mW each pin, then this is good enough to send a signal 6-10ft.

    What's still a mystery is how they stick to the USB disk drive. If Stuxnet can, then this is possible.

    I just say: this is so creative!!

    And it will change all motherboard design. No BIOS again; the OS takes over everything from init. All the time clocks will be using "global broadcast NTS (global time frequency wave) or detect position from a GPS and a country and calculate what time it will be". No one can hide their position or lie about their local time. No lying to a proxy. No lying to Tor.

    No more privacy... :(

  28. Norman Gould · 642 days ago

    I have the very symptoms... someone I mistakenly trusted put unknown firmware on my Canon EOS cameras, and they won't focus till I clear all camera settings. I have set up a laptop computer in the woods 1/2 mile from my house and it is infected. The first thing is a DHCP system analysis. Then a network is set up that I am blocked from by a "not shared" administrator... And I get high frequency ringing in the ears, which records like white noise... this "impossible" has been going on for 2 years, through 16 computers.

  29. Just A Guy · 634 days ago

    These reports are wildly exaggerated. If you read what Dragos actually said about badBIOS you would see that most of the "fantasy" is misinterpretation by reporters.

    1) badBIOS communicates through the airgap via sound, it doesn't "infect" that way. Obviously, an initial infection already has to be in place.

    2) Dragos' mention of TTF font files as a hiding place was just a guess, due to their change in visibility between computer builds. Another researcher brings this up in a comment on Dragos' initial post, suggesting that it's normal behavior for the system to hide font files that aren't in use.

    3) This may have been a very targeted infection. Dragos is active in the hacker community, making him a prime target for governments that might want cutting-edge software or information about vulnerability and cybersecurity.

    If anything, this is probably a good example of why you shouldn't publicly post your thought process and investigative questions as you're deciphering a new piece of malware. But, in his defense, the guy needed some support from the community.

  30. wac · 630 days ago

    This could be a government worm again. Like Stuxnet. The ultrasonic thing could be used to access isolated computers.

    • Paul Ducklin · 630 days ago

      The question isn't really whether it *could* be true. It's whether any of these claims are true *in this case*, and, if so, why it has turned out to be so difficult to verify any of the facts.

  31. John · 610 days ago

    Still no sign of peer review...

    • Paul Ducklin · 610 days ago

      Well, there has been some peer review, but it hasn't been what Dragos wanted to hear, so he has refused to listen to it.

      For example, Tavis Ormandy, a well-known reverser and exploit finder, put in a fair bit of effort in his own time to look at Dragos's giant logfiles, and offered the opinion that Dragos was, simply put, mistaken.

      Tavis argued his case fairly clearly, but his conclusions didn't support Dragos's theories, so Dragos simply announced that Tavis was mistaken.

      (We were mistaken, too: it wasn't a publicity stunt for PacSec after all.)

  32. Alan · 600 days ago

    Hmmm, Intriguing. One high level program that is cross platform compatible that could be used for audio transmission and receiving is Adobe Flash. It has access to microphones and speakers.

    It also has commands to get a list of fonts from PC's which could be containing more than just the font. A method of transference perhaps?

    It could also be made to download additional software as it has access to your hard drive for local storage and because most antivirus vendors set the trust level high with this it could go undetected.

    Perhaps the USB flash drives exploit Adobe's Flash and corrupt it? Maybe changing the updater to a bad website? From the Flash Player's point of view it would be installing an update and the AV software would leave it alone. Even if it tried to do something iffy and a warning came up, most people would allow it as it appears to be legitimate.

    I would be curious as to whether a machine with TOR installed could be infected as it doesn't come with Adobe's Flash.

    Most modern speakers come with an auto power-off even when left on (Creative do this). When you start using them the audio returns after a slight delay and the power light comes on - it could be used as a test, as you could visually see when they were being used (even with no / high-pitched sound).

    Flash Player could also monitor the websites being visited and block undesirable re-flashing ones. Perhaps blocked in the hosts file?

    Not so sure how the BIOS would be modified. I would hazard a guess that the BIOS is fine and the drive's firmware has been altered instead so that they won't boot. Another driver in the OS could be modified to make the drives operational (possibly simple byte swapping).

    What happens if you install a new DVD drive on an infected system - can it boot? That would eliminate the BIOS.

    The same technique could be used on the USB flash drives, which is why they are unreadable if you pull them out without safely removing them - the infected system alters the error so that they can be read.

    • Paul Ducklin · 600 days ago

      Don't forget that to match up with Dragos's experience, all of the stuff you mention above has to prevent you acquiring a sample of any part of it for three years, too...

      • Paul Ducklin · 600 days ago

        I'm hoping we'll be able to offer some of our puzzle shirts via a merch site some time this year :-)

  33. Conundrum · 327 days ago

    Also relevant, some early Acer machines, notably the AOA100, AOA150 and other more recent ones, seem to have a nasty BIOS bug where they fail on boot with a black screen.
    I confirmed by replacement that the original chips were faulty; however, my 5230E is now doing the same thing every now and then, requiring in some cases a hard power cycle where the battery is taken out and the power switch pressed to reset.
    Yup, same 8-pin 1MB chip, possibly containing malware... Time for a new machine, methinks.

    Other symptoms on all three machines: sometimes the backlight goes off for a split second; confirmed the cable and inverter are OK and swapped the screen with no effect.
    Whatever this is, the problem has to be in the BIOS, because replacing the chip stops it in its tracks.
    Possibly it is responding to a key RF waveform or audio frequency, as the chip is large enough to contain the extra circuitry, and such a compromise could be remotely activated on a target's system by simple TEMPEST or via an audio vector such as satellite TV...!

    It is worth noting that one key sign you have been 0wn3d is that the AVG boot disk will fail 100% of the time on boot, and the failure type varies depending on the time of day and system temperature.
    This also happens on some Dell systems, notably the 2200 and certain older laptops.

  34. Giack · 301 days ago

    One year has gone. Nobody speaks anymore about badBIOS. What was it about? A HOAX or an experiment in the cyber-arms race?!

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog