Security researcher says new malware can affect your BIOS

Borg 386

Security researcher says new malware can affect your BIOS; communicate over the air

A noted security researcher says he has found a new type of malware that can affect some of the lowest levels of your machine.

No, I’m not talking about Wi-Fi downloads, but input signals converted into code by your laptop’s microphone. The new malware is dubbed badBIOS by Dragos Ruiu, the security researcher who says he uncovered it.

Ruiu recently told Ars Technica that he’s been tracking down badBIOS for the past three years. Since badBIOS is reportedly a crafty piece of code, all he has right now is a working theory about how the malware works.

Malware that starts by attacking the BIOS isn't unheard of, but most bits of bad code typically attack weaknesses in standard targets that live inside the operating system, such as Adobe Reader or a Java browser plugin.

BIOS malware could be more effective since it’s harder to track down, and fixing it is beyond the capabilities of the majority of PC users.

But what really sets badBIOS apart is that it is supposedly capable of resisting erasure if someone reinstalls (known as flashing) the BIOS firmware. BadBIOS is also platform-independent, which means it can infect and work across a wide array of PC operating systems that include Windows, OS X, Linux, and BSD, according to Ruiu.

Updated 11/1/2013 at 5:15 p.m. PDT—This story was updated to reflect that the current theory says badBIOS malware communicates over high-frequency signals, but infections happen only via USB sticks.
Security researcher says new malware can affect your BIOS; communicate over the air | PCWorld
 

Very interesting method of infection. Thanks for the post.
 

I would think infection of the MBR boot code could be more risky. I'm not sure which anti-malware software (if any) checks this.
 

This is complete bogus crap. Sound hardware has nothing to do with BIOS nor the CPU, every motherboard uses a completely different sound system and chip.

Thirdly, you would notice right away if something tried to modify the BIOS: in Windows you need special privileges and UAC approval, not to mention the manufacturer's own tools, to modify those parts of the lower hardware level, and on Linux/BSD you need to be root and have the supporting software installed, not to mention that every BIOS is different. If you flashed a random BIOS to a random motherboard, it would not boot.

Here's why this is nonsense:
http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/
 

BIOS modification would probably need to be done at the source of your PC. However, the BIOS in an MBR boot hands over to MBR boot code before the OS kicks in, and this lives on your HDD/SSD. One inserted (assembly) jump command could spell disaster IMO. Hence my question: do the likes of Malwarebytes check your MBR boot code?
 

Isn't the jmp assembly instruction like the continue keyword in C/C++? An attacker could easily use the jmp instruction to bypass straight to their malicious code.
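The check the two posts above are asking about (does anything look at the MBR boot code, and what does "one inserted jump" look like), as an added example that is not part of the thread and not code from any of the tools mentioned. It builds two constructed 512-byte sectors (a known-good baseline and a copy whose first instruction has been replaced by a short jmp into unused bytes at offset 0x80), validates the sector layout, diffs the 440-byte bootstrap region against the baseline, and decodes the x86 jmp so you can see where control goes. The sector contents, the 0x80 stub location and all function names are assumptions made for the demo.

```c
/* Added example: minimal MBR bootstrap-code integrity check with jmp decoding.
 * Both sectors below are constructed for the demo, not real disk images. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE     512
#define BOOTSTRAP_SIZE  440   /* code area before the 4-byte disk signature */
#define PART_TABLE_OFF  446   /* four 16-byte partition entries            */
#define MBR_SIG_OFF     510   /* 0x55 0xAA boot signature                  */

struct mbr_check {
    int well_formed;   /* 1 if the tampered sector still parses as an MBR */
    int diff_off;      /* first bootstrap byte that differs from baseline */
    int jmp_target;    /* where the patched first instruction jumps to    */
    int return_target; /* where the implanted stub jumps back to          */
    int baseline_jmp;  /* decode of the baseline's first bytes (-1: no jmp) */
};

/* Structural sanity check only: signature present and each partition entry's
 * boot indicator is 0x00 or 0x80. A patched sector passes this unchanged. */
int mbr_is_well_formed(const uint8_t *buf, size_t len)
{
    if (len != SECTOR_SIZE) return 0;
    if (buf[MBR_SIG_OFF] != 0x55 || buf[MBR_SIG_OFF + 1] != 0xAA) return 0;
    for (int i = 0; i < 4; i++) {
        uint8_t flag = buf[PART_TABLE_OFF + i * 16];
        if (flag != 0x00 && flag != 0x80) return 0;
    }
    return 1;
}

/* Offset of the first bootstrap byte that differs from the baseline, or -1.
 * Partition table and disk signature change legitimately, so only the code
 * area is compared. */
int mbr_bootstrap_diff(const uint8_t *mbr, const uint8_t *baseline)
{
    for (int i = 0; i < BOOTSTRAP_SIZE; i++)
        if (mbr[i] != baseline[i]) return i;
    return -1;
}

/* Decode a 16-bit real-mode jmp at 'off': EB rel8 (short) or E9 rel16 (near).
 * Returns the target as an offset into the sector (the BIOS loads the MBR at
 * 0x7C00, so the absolute address is 0x7C00 + target), or -1 if the bytes at
 * 'off' are not a jmp or would read past the code area. */
int mbr_decode_jmp(const uint8_t *mbr, int off)
{
    if (off < 0 || off + 3 > BOOTSTRAP_SIZE) return -1;
    if (mbr[off] == 0xEB)
        return off + 2 + (int8_t)mbr[off + 1];
    if (mbr[off] == 0xE9)
        return off + 3 + (int16_t)(mbr[off + 1] | (mbr[off + 2] << 8));
    return -1;
}

/* Constructed known-good sector: the real-mode setup prologue a Windows-style
 * MBR starts with, one bootable partition entry, and the boot signature. */
static void build_baseline(uint8_t *s)
{
    static const uint8_t setup[] = {
        0x33, 0xC0,        /* xor ax,ax       */
        0x8E, 0xD0,        /* mov ss,ax       */
        0xBC, 0x00, 0x7C,  /* mov sp,0x7C00   */
        0x8E, 0xC0,        /* mov es,ax       */
        0x8E, 0xD8 };      /* mov ds,ax       */
    memset(s, 0, SECTOR_SIZE);
    memcpy(s, setup, sizeof setup);
    s[PART_TABLE_OFF]     = 0x80;  /* entry 1: bootable        */
    s[PART_TABLE_OFF + 4] = 0x07;  /* entry 1: type NTFS/exFAT */
    s[MBR_SIG_OFF]     = 0x55;
    s[MBR_SIG_OFF + 1] = 0xAA;
}

/* Tampered copy: 'xor ax,ax' at offset 0 is replaced by a 2-byte short jmp to
 * unused bytes at 0x80. The stub there re-executes the displaced instruction
 * (stand-in for implanted code) and jumps back to offset 2, so the original
 * bootstrap still appears to run and the partition table is untouched. */
static void build_tampered(uint8_t *s)
{
    build_baseline(s);
    s[0] = 0xEB; s[1] = 0x7E;                        /* jmp short 0x80        */
    s[0x80] = 0x33; s[0x81] = 0xC0;                  /* xor ax,ax (displaced) */
    s[0x82] = 0xE9; s[0x83] = 0x7D; s[0x84] = 0xFF;  /* jmp near 0x0002       */
}

/* Run the check against the constructed sectors and return the findings. */
struct mbr_check demo_run(void)
{
    uint8_t baseline[SECTOR_SIZE], suspect[SECTOR_SIZE];
    struct mbr_check r;
    build_baseline(baseline);
    build_tampered(suspect);
    r.well_formed   = mbr_is_well_formed(suspect, sizeof suspect);
    r.diff_off      = mbr_bootstrap_diff(suspect, baseline);
    r.jmp_target    = mbr_decode_jmp(suspect, r.diff_off);
    r.return_target = mbr_decode_jmp(suspect, 0x82);  /* stub's jmp back */
    r.baseline_jmp  = mbr_decode_jmp(baseline, 0);
    return r;
}

int main(void)
{
    struct mbr_check r = demo_run();
    printf("suspect sector well-formed: %d\n", r.well_formed);
    printf("bootstrap differs from baseline at offset %d\n", r.diff_off);
    printf("patched first instruction jumps to 0x%04X (0x7C00+0x%04X)\n",
           (unsigned)r.jmp_target, (unsigned)r.jmp_target);
    printf("stub returns to offset 0x%04X\n", (unsigned)r.return_target);
    return 0;
}
```

The structural check passes for the tampered sector, which is the practical point: a scanner that only validates the signature and partition table sees nothing wrong, so the useful check is a byte comparison of the code area against a trusted copy (or a known vendor MBR), ideally read from clean boot media rather than through a possibly compromised running OS.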
 

Anti-Rootkit Scan?

BIOS modification would probably need to be done at the source of your PC. However, the BIOS in an MBR boot hands over to MBR boot code before the OS kicks in, and this lives on your HDD/SSD. One inserted (assembly) jump command could spell disaster IMO. Hence my question: do the likes of Malwarebytes check your MBR boot code?

Shouldn't the anti-rootkit scan check that?
 

This is complete bogus crap. Sound hardware has nothing to do with BIOS nor the CPU, every motherboard uses a completely different sound system and chip.

Thirdly, you would notice right away if something tried to modify the BIOS: in Windows you need special privileges and UAC approval, not to mention the manufacturer's own tools, to modify those parts of the lower hardware level, and on Linux/BSD you need to be root and have the supporting software installed, not to mention that every BIOS is different. If you flashed a random BIOS to a random motherboard, it would not boot.

Here's why this is nonsense:
The badBIOS Analysis Is Wrong. at RootWyrm's Corner

Thanks for the link that debunks the badBIOS, quote from your link:
So what do I think? I think that A) a number of security experts flapping their gums are good at security and know nothing about how hardware works and B) it’s absolutely not a BIOS/Firmware level piece of malware. There are far, far too many blatant and obvious detection points. There is no way it could hop from Apple to PC, or even PC to PC or Macbook 2013 to Macbook 2011. (Forget Macbook to Mac Pro.)
 

Skip UAC

As far as I'm concerned, it is a bad idea to be able to update the BIOS from inside the OS.

It is possible to bypass/disable the UAC warning on operations.
CCleaner does it.
[attached screenshot: UAC - CCleaner Skip.png]
 

BIOS modification would probably need to be done at the source of your PC. However, the BIOS in an MBR boot hands over to MBR boot code before the OS kicks in, and this lives on your HDD/SSD. One inserted (assembly) jump command could spell disaster IMO. Hence my question: do the likes of Malwarebytes check your MBR boot code?

The regular Malwarebytes does not, but the Malwarebytes Anti-Rootkit (MBAR) does.

Meet Malwarebytes Anti-Rootkit | Malwarebytes Unpacked

The Avast aswMBR might be something to look at

aswMBR

Or the GMER MBR rootkit detector

mbr.exe

To be sure, I believe you'd have to scan with a bootable CD, outside of Windows.

A Guy
 

Thanks Bill, I've run MBAR and MBRCheck. A little odd that MBAR still seems to be beta, with warnings about using it at your own risk.
 

Some programs seem to be in perpetual beta. Maybe just an easy way to say we can't guarantee it won't screw up :)

A Guy
 

Windows 8 with Secure Boot blocks any such attacks to the MBR, only allowing digitally signed code from Windows 8 to run.

Of course, that can be bypassed as well.
 
