High Alert!
A new “computer virus” is reported to be spreading across networks, and even over wireless “high-frequency audio” to remote computers, compromising not just the software but the firmware at the core of the hardware, the BIOS, and disabling CD/DVD-ROM drives and flash drives.
By Toneo Tonderai Rutsito
This has been reported to leave your computer as good as useless: it locks any peripheral devices and renders any flash drive useless as soon as it is plugged into an affected computer.
Some reports have said this is more advanced than Stuxnet or Flame, two previous examples of “state-sponsored advanced viruses”.
If you are a hardware engineer, this, just as I first thought, leaves you clueless, because the usual first step in resuscitating a machine, wiping it and reinstalling, does not help here. Thinking of formatting your hard drive? Hold on: it is not in the hard drive, it is in the motherboard's ROM, the flash chip that holds the BIOS.
Reports in some tech media houses (though we have not yet received any outcry locally from Zimbabwe) have described this as probably the worst virus ever to hit the computing industry.
This is a sophisticated attack targeting not the application software but the component responsible for the hardware's own software: the ROM code and the boot-up instructions contained in the Basic Input/Output System (BIOS).
This is the firmware that stores and runs the critical services before your computer boots into Windows or Mac OS, so an antivirus application running inside the operating system cannot, on its own, clean a compromised BIOS: by the time the OS starts, the BIOS code has already run.
Another report said this:
Ruiu said, the infections have persisted, almost like a strain of bacteria that’s able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine’s inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.
Another intriguing characteristic: in addition to jumping “airgaps” designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.
“We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” Ruiu said. “At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”
Some experts have already rubbished these claims, but this is Dragos Ruiu, a researcher who has been well respected for 15 years. “If he says he’s got an infected BIOS, I’m going to believe him. Sure, he’s probably gotten some things wrong: just because “they” really are out to get you doesn’t mean that “they” are responsible for every phenomenon you can’t explain,” said another InfoSec watchdog.
Of course, because this is a techie website, before I am attacked here let me concur with this sentiment: “We call this the “BIOS ROM”, but the term has been outdated since the 1980s. The word BIOS (Basic Input/Output System) meant that it contained the drivers the operating system could use to interact with the hardware, but today’s operating systems contain their own drivers, ignoring the BIOS drivers.
The word “ROM” (Read Only Memory) meant that it was burned into chips and couldn’t be changed — except by replacing the chips. Today, it’s flash memory that is writeable. So a BIOS ROM isn’t a BIOS ROM anymore, but we still call it that.”
Back to the story: one tech pundit has come out guns blazing and rubbished #BadBIOS.
Phillip Jaenke of rootwyrm.com says:
“First and foremost, the very idea that there is some malicious BIOS load that can escape airgapping and is portable is beyond laughable. I don’t care what you think you know – BIOS code is not portable, period. Oh, sure, you can have a common source for multiple motherboards. But every single model, revision and minor version requires you to recompile UEFI elements best case. That’s before you get into changes to UEFI libraries and shells.
Secondly, the concept that BIOS malware could somehow escape detection is beyond laughable. Look. I’ve been doing BIOS work for ages and then some. I can and would spot any malicious load pretty much instantly even before flashing a board. Certainly I would have no trouble finding it from a ROM dump. Period.
To me, however, this is more an argument about the technicalities of how #BadBIOS would operate than about whether it exists.
But this insight throws everything back:
And the idea that someone could just release into the wild a multi-platform multi-motherboard highly resistant BIOS because of UEFI only exposes epic ignorance of what UEFI is. UEFI is NOT A DAMN PORTABLE EXECUTABLE SYSTEM.
It is about PORTABLE CODE, and even that is fundamentally broken – Intel Tiano code will not run on Phoenix SecureCore will not run on Aptio V will not run on InsydeH2O without modifications. The end. Period. Actually running the code means building it against your target platform – the same as portable C. (Hey, funny how UEFI which uses C behaves just like portable C code, isn’t it? Siiiiiiigh.)
And the idea of it using the sound card to defeat airgapping is beyond hilariously wrong. PC Speaker != Realtek AC889. You have no audio input at the BIOS level because the MIC line even if present isn’t hooked or initialized.
People quit wasting precious shadow RAM region on BIOS-level sound card initialization to play sounds around ’05 because it’s pointless and sucks. Oh, you think it does because it makes a “bong” over speakers? NOPE. That’s a soft hook to a GPIO-like soft-trigger in the audio codec’s firmware. Been done in laptops since the late 90′s. So the BIOS is NEVER listening to the microphone, and you don’t have a speaker capable of HFT anyway.
Well, it becomes food for thought when another expert points out:
On evading detection: you seem to consider a malware would HAVE to reflash the BIOS upon successful exploitation which is NOT a requirement. An infection vector seeks code execution *only*. Persistence is another thing, and can be done in multiple ways.
If you get code execution at the BIOS level, you pretty much own the machine and can easily attack the OS to set up persistence there. And you would not see that with all the ROM dumps you want.
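The ROM-dump check Jaenke refers to, and the limit the second expert puts on it, can be made concrete. The following Python is an added example written for this page, not code from the article or from anyone quoted in it. It compares a live SPI flash dump against the vendor's firmware image block by block, skips regions the firmware legitimately rewrites at runtime (a UEFI variable store, whose offsets here are an assumption), and reports the offset of the first changed byte in everything else. The two 256 KiB images are constructed inline to stand in for a vendor BIOS and a dump; the five-byte patch planted in the "dump" is illustrative and not a real BadBIOS artefact. The caveat from the comment above still applies: a dump that matches the vendor image only says the flash is clean, and persistence set up inside the OS from a BIOS-level foothold never shows up in it.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Compare in 4 KiB blocks, a common SPI flash erase-block size, so a change
# to any byte shows up as that whole block changing. The size is an
# assumption for this example, not something the page states.
BLOCK = 4096


@dataclass
class BlockDiff:
    offset: int        # byte offset of the differing block
    first_byte: int    # byte offset of the first differing byte inside it
    ref_sha256: str
    dump_sha256: str


def block_hashes(image: bytes, block: int = BLOCK) -> List[str]:
    """SHA-256 of every fixed-size block of a firmware image."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


def in_ignored(offset: int, block: int, ignore: Sequence[Tuple[int, int]]) -> bool:
    """True if [offset, offset+block) lies entirely inside an ignored region."""
    return any(lo <= offset and offset + block <= hi for lo, hi in ignore)


def diff_images(reference: bytes, dump: bytes, block: int = BLOCK,
                ignore: Sequence[Tuple[int, int]] = ()) -> List[BlockDiff]:
    """Report blocks where a live SPI dump differs from the vendor image.

    `ignore` lists [start, end) ranges the firmware itself rewrites at
    runtime (UEFI variable store, event logs); blocks inside them are
    skipped so expected churn does not drown the real differences.
    """
    if len(reference) != len(dump):
        raise ValueError(f"size mismatch: reference {len(reference)} B, dump {len(dump)} B")
    diffs: List[BlockDiff] = []
    ref_h, dump_h = block_hashes(reference, block), block_hashes(dump, block)
    for idx, (r, d) in enumerate(zip(ref_h, dump_h)):
        off = idx * block
        if r == d or in_ignored(off, block, ignore):
            continue
        # Hashes differ, so a differing byte is guaranteed inside this block.
        first = next(i for i in range(off, off + block) if reference[i] != dump[i])
        diffs.append(BlockDiff(off, first, r, d))
    return diffs


def make_sample_images() -> Tuple[bytes, bytes, List[Tuple[int, int]]]:
    """Constructed 256 KiB images standing in for a vendor BIOS and a live dump."""
    reference = bytes(range(256)) * (64 * BLOCK // 256)
    dump = bytearray(reference)
    # Assumed layout: a UEFI variable store at 0x10000-0x12000 that the
    # firmware updates on its own (boot order and the like). Expected churn.
    nvram = (0x10000, 0x12000)
    dump[0x10040:0x10048] = b"\x01\x00\x00\x00\x02\x00\x00\x00"
    # A five-byte patch in a code region: a relative CALL to a planted
    # routine. Constructed for illustration only.
    dump[0x30000:0x30005] = b"\xe8\x00\x00\x00\x00"
    return reference, bytes(dump), [nvram]


if __name__ == "__main__":
    ref, live, expected_churn = make_sample_images()
    for d in diff_images(ref, live, ignore=expected_churn):
        print(f"block 0x{d.offset:06x} differs, first byte at 0x{d.first_byte:06x}")
```

On real hardware the `dump` would be read from the flash chip (for example with `flashrom -r`), and preferably with an external programmer rather than from the running host, since a compromised BIOS could feed the host a clean-looking copy. Without the `ignore` list the variable store shows up as a false positive on every comparison, which is why it is carved out explicitly.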
#BadBIOS could be real. How it would transfer itself over high-frequency audio is another issue, but vulnerability exploitation is an art practised against what we assume to be “secure”; if Stuxnet could cripple protected systems, then what is really needed is serious patching, not arguing that unknown vulnerabilities cannot exist.
With the way our public sector networks are “loosely” connected, especially in some government offices, parastatals and the public and private sectors, a single infection could take down the nation's networks.
There is no fix released yet, and no outbreak has been reported either. This is just a heads up to all; we will keep you posted!