funsec mailing list archives

Re: BadBIOS


From: "Blanchard, Michael (InfoSec)" <michael.blanchard () emc com>
Date: Fri, 1 Nov 2013 18:18:34 +0000

I agree... I call bullshit too....


  But would be SOOO friggin cool to spread via speakers and mike like that though!  ;-)

Michael P. Blanchard
Principal Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Cyber Security Services
EMC² Corporation
32 Coslin Drive
Southboro, MA 01772


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
Sent: Friday, November 01, 2013 2:06 PM
To: funsec () linuxbox org
Cc: infosecbc () yahoogroups com
Subject: [funsec] BadBIOS

In recent days there has been much interest in the "BadBIOS" infection being 
reported by Dragos Ruiu.  (The best overview I've seen has been from Naked 
Security http://nakedsecurity.sophos.com/2013/11/01/the-badbios-virus-that-jumps-airgaps-and-takes-over-your-firmware-whats-the-story/ )  But to someone 
who has lived through several viral myths and legends, parts of it sound strange.

    It is said to infect the low-level system firmware of your computer, so it can't 
be removed or disabled simply by rebooting.

These things, of course, have been around for a while, so that isn't necessarily 
wrong.  However, BIOS infectors never became a major vector.

    It is said to include components that work at the operating system level, so it 
affects the high-level operation of your computer, too.
    It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD 
systems.

This sounds a bit odd, but we've had cross-platform stuff before.  But they never 
became major problems either.

    It is said to prevent infected systems being booted from CD drives.

Possible: we've seen similar effects over the years, both intentionally and un.

    It is said to spread itself to new victim computers using Software Defined Radio 
(SDR) program code, even with all wireless hardware removed.

OK, it's dangerous to go out on a limb when you haven't seen details and say 
something can't happen, but I'm calling bullshit on this one.  Not that I don't 
think someone couldn't create a communications channel without the hardware: 
anything the hardware guys can do the software guys can emulate, and vice versa.  
However, I can't see getting an infection channel this way, at least without some 
kind of minimal infection first.  (It is, of course, possible that the person doing 
the analysis may have made a mistake in what they observed, or in the reporting 
of it.)

    It is said to spread itself to new victim computers using the speakers on an 
infected device to talk to the microphone on an uninfected one.

As above.

    It is said to infect simply by plugging in a USB key, with no other action 
required.

We've seen that before.

    It is said to infect the firmware on USB sticks.

Well, a friend has built a device to blow off dangerous firmware on USB sticks, so I 
don't see that this would present any problem.

    It is said to render USB sticks unusable if they aren't ejected cleanly; these sticks 
work properly again if inserted into an infected computer.

Reminds me somewhat of the old "fast infectors" of the early 90s.  They had 
unintended effects that actually made the infections easy to remove.

    It is said to use TTF (font) files, apparently in large numbers, as a vector when 
spreading.

Don't know details of the internals of TTF files, but they should certainly have 
enough space.

    It is said to block access to Russian websites that deal with reflashing software.

Possible, and irrelevant unless we find out what is actually true.

    It is said to render any hardware used in researching the threat useless for 
further testing.

Well, anything that gets reflashed is likely to become unreliable and untrustworthy 
...

    It is said to have first been seen more than three years ago on a Macbook.

And it's taken three years to get these details?  Or get a sample to competent 
researchers?  Or ask for help?  This I find most unbelievable.

In sum, then, I think this might be possible, but I strongly suspect that it is either 
a promotion for PacSec, or a promo for some presentation on social engineering.


======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
Hardware has grown following Moore's Law, software seems to be
stuck with Gresham's Law.                              - Jim Horning
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

