Dragos Ruiu's 'BadBIOS' malware may just be evidence that he's having a 'bad day.' But sometimes nightmares are worth paying attention to!
Can a lifetime of researching stealthy computer attacks drive you mad? That’s what some are suggesting is the real story behind BadBIOS, a piece of allegedly super stealthy malware that has plagued computers belonging to researcher Dragos Ruiu for years. Nightmarish, to be sure.
Let’s back up a bit. According to blog posts and interviews Ruiu has given, the malware attacks began almost three years ago with apparent, unauthorized firmware updates on OSX systems on his company’s network. Further investigation turned up suspicious files and other changes to the OS.
“The more we looked at it, the weirder it got,” Ruiu said in an interview with Threatpost.
The stakes for Ruiu – a security researcher and consultant – were high: an infection on his company’s network could seriously undermine its reputation and also expose customers to compromise.
That initial red flag led to a years long “cat and mouse” game (his words, not mine) to try to find the source of the infection. So-called ‘indicators of compromise’ seemed to be everywhere: CD-ROM and USB drives rendered inoperable, strange files appearing on otherwise clean systems, seemingly random and unauthorized changes to the system’s registry, and so on.
But Ruiu and his colleague could never isolate a malicious program responsible for them. Whatever they were chasing could evade any effort to forensically analyze it – seamlessly erasing its tracks as soon as it made them.
As Ruiu described it, the attackers at one point had “remote control Trojans on most if not all of our boxes. At least the ones we bothered to check.” Pointedly, though, these weren’t Trojans he could isolate or analyze.
Despairing of finding and removing the malware, Ruiu and crew began to try to mess with it instead – disabling components, modifying parts of the hard drive that the malware seemed to use. They removed wireless and Bluetooth cards from the systems that the malware could use to communicate with. This is kind of like that analogy of being in a blackened room with an elephant: you can touch its ear or its haunches, but it might not be apparent to you that what you’ve got is an elephant.
In the end, he and his staff decided that the source must be what’s known as a “boot sector” virus. And this wasn’t just any boot sector malware like the 1999 Chernobyl (or CIH) virus. BadBIOS, as Ruiu came to call it could infect Windows, OS X, and OpenBSD endpoints. It is modular to the point of being granular – an ephemeral something that Ruiu says “goes out over the network and downloads chunks all the time” but those chunks are encrypted and can’t be analyzed, so the malware can’t be seen all at once.
Still – its quite sophisticated: it can survive a BIOS refresh even on an air-gapped system and use the IPV6 protocol to communicate, even when IPV6 support was disabled on the system in question. Further, BadBIOS can communicate with other BadBIOS infected hosts using high-frequency sound waves transmitted over the infected system’s speakers and microphones. The malware would also turn on mics periodically and do audio capture “just to be creepy. To see what we were talking about,” Ruiu told Threatpost editor Dennis Fisher.
At this point, it is a good idea to mention that Dragos Ruiu is no ordinary security geek. He’s among the most respected security researchers in the world, and the man behind a number of high-profile industry events, including CanSecWest, PacSec and the Pwn2Own hacking contest. In an industry rife with security Storm Troopers, Ruiu is a Jedi Master - and that buys you a lot of credibility.
But even with that, saying that you’re the victim of malware that’s invisible – or that changes every time you try to capture it strains credibility. (One Twitter follower of Ruiu’s joked that BadBIOS should be called “heisenbug… a software bug that seems to disappear or alter its behavior when one attempts to study it.")
Further, trying to understand malware by “messing with it” isn’t exactly standard operating procedure. Sure –if you’ve got a malicious binary, drop it in a sandbox and watch it run. Alternatively, use a tool like PCAP to capture the network traffic from the infected system. As one CSO quipped privately “PCAP or it didn’t happen.”
To date, however, the information that Ruiu has released for independent review, including a BIOS dump from an infected system, haven’t turned up anything suspicious, let alone a smoking gun. There were some random bytes that may have been produced by the dump itself, but no evidence of a rootkit.
Experts agree: all of the behavior Ruiu has described is possible – even if it’s not plausible. But, given Ruiu’s deep knowledge of the field, it shouldn’t be surprising that – if he is chasing shadows, they’re shadows that are quite well fleshed out.
And that may be the lesson of BadBIOS. It may not be real. Dragos may need to take a vacation. But the workings of a brilliant mind – even if it’s a fevered mind – are often worth noting. Many of the attack vectors Ruiu describes are technically possible and, under the right circumstances, could produce the kinds of infections he believes are plaguing his network, while being difficult to detect. And, as computing systems and the sensors they contain become more powerful and smaller, you can count on malicious actors to figure out new ways to leverage them. Lots of people seem to think that Ruiu is touched in the head. But my guess is that more than a few folks are taking what he’s saying very seriously.