
BadBIOS: has a researcher discovered an indestructible rootkit?

John E Dunn | Nov. 6, 2013
The malware infects all operating systems, resists even low-level attempts to remove it and can communicate with other infected PCs even when both systems are isolated from one another.

A number of elements of the story remain unexplained, starting with the fact that nobody else has reported encountering the malware or any of its symptoms. It has also been suggested that Ruiu should make BIOS images from the affected machines available for peer inspection.

"The suspicion right now is there's some kind of buffer overflow in the way the BIOS is reading the drive itself, and they're reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table," he told Ars Technica.
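The peer-inspection suggestion above comes down to a simple check: dump the SPI flash of a suspect machine, dump a trusted reference of the same board and firmware revision, and locate exactly where the two differ. The following is an added example, not code from the article or from Ruiu's research. It assumes you already have both images as raw byte strings (for instance two files read back from the flash chip); the two sample images below are constructed in the script for illustration.

```python
"""Compare a dumped firmware image against a trusted reference image.

Added example, not part of the original article or Ruiu's research. It
assumes two raw flash dumps of the same board (here constructed in memory)
and reports every byte range where the dump departs from the reference,
including any bytes appended beyond the reference's end.
"""
import hashlib
from typing import List, Optional, Tuple

Region = Tuple[int, int]  # (offset, length) in bytes


def sha256_hex(data: bytes) -> str:
    """Hash an image so dumps can be compared across machines by digest alone."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(ref: bytes, dump: bytes) -> List[Region]:
    """Return the (offset, length) runs where `dump` differs from `ref`.

    Bytes beyond the end of the shorter image count as differing, so an
    image that has grown (a section appended to it) shows up as one
    trailing region starting at len(ref).
    """
    regions: List[Region] = []
    n = max(len(ref), len(dump))
    start: Optional[int] = None
    for i in range(n):
        a = ref[i] if i < len(ref) else None
        b = dump[i] if i < len(dump) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, n - start))
    return regions


def summarize(ref: bytes, dump: bytes) -> dict:
    """Digest both images and collect the differing regions in one report."""
    regions = diff_regions(ref, dump)
    return {
        "ref_sha256": sha256_hex(ref),
        "dump_sha256": sha256_hex(dump),
        "ref_size": len(ref),
        "dump_size": len(dump),
        "regions": regions,
        "changed_bytes": sum(length for _, length in regions),
        "identical": not regions,
    }


# Constructed sample: a 4 KiB "reference" image and a "dump" in which
# 16 bytes were overwritten in place and 32 bytes were appended at the end.
REF_IMAGE = bytes(range(256)) * 16
_patched = bytearray(REF_IMAGE)
_patched[0x100:0x110] = b"\xEB\xFE" * 8      # 16 bytes overwritten in place
DUMP_IMAGE = bytes(_patched) + b"\x90" * 32  # 32 bytes appended


def main() -> None:
    report = summarize(REF_IMAGE, DUMP_IMAGE)
    print("reference sha256:", report["ref_sha256"])
    print("dump sha256:     ", report["dump_sha256"])
    for off, length in report["regions"]:
        print(f"differs at 0x{off:06x} for {length} bytes")
    if report["identical"]:
        print("images are identical")
    else:
        print(f"{report['changed_bytes']} bytes changed")


if __name__ == "__main__":
    main()
```

A differing region only shows that the two images are not the same; it says nothing about which one is clean. The reference has to come from a source you trust independently of the suspect machine, such as the vendor's published update file or a board that has never been exposed, and the comparison is only meaningful between the same board model and firmware revision, since legitimate images differ across revisions and the flash also holds per-machine data such as settings and logs.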

Ruiu's research has been hampered by the malware's ability to infect and stay resident on systems, making it impossible to be certain that his test machines were completely clean.

"I'm down to a precious few reference systems that are clean. I lost another one yesterday confirming that simply plugging in a USB device from an infected system into a clean one is sufficient to infect," he wrote on 23 October on his Google+ blog.

If badBIOS does turn out to be a new form of super-rootkit, there could be two explanations for its existence. A long shot is that it is a proof-of-concept rootkit that accidentally escaped from a researcher's clutches (see below). More probably, given its age and the fact that badBIOS looks like the infector component of a larger programme, it is a fragment of a previously unknown state cyberweapon (a tell-tale sign of this is that it spreads via USB stick, which suggests it is targeting isolated computers).

It is pure speculation but badBIOS just looks too strange and over-engineered for commercial malware. It's also not clear what the command and control might be for such a programme; at that point most criminal malware becomes far easier to detect and block.

Ruiu's discovery is not without precedent. In 2012, fellow researcher Jonathan Brossard demonstrated a BIOS-level infector that could also attack the firmware of other controllers inside a PC (e.g. the CD-ROM drive and the NIC), making itself extremely hard to detect and remove.
