Security researcher says new malware can affect your BIOS

[Borg 386]

Security researcher says new malware can affect your BIOS; communicate over the air

A noted security researcher says he has found a new type of malware that can affect some of the lowest levels of your machine.

No, I’m not talking about Wi-Fi downloads, but input signals converted into code by your laptop’s microphone. The new malware is dubbed badBIOS by Dragos Ruiu, the security researcher who says he uncovered it.

Ruiu recently told Ars Technica that he’s been tracking down badBIOS for the past three years. Since badBIOS is reportedly a crafty piece of code, all he has right now is a working theory about how the malware works.

Malware that starts by attacking the BIOSisn’t unheard of, but most bits of bad code typically attack weaknesses in standard targets that live inside the operating system, such as Adobe Reader or a Java browser plugin.

BIOS malware could be more effective since it’s harder to track down, and fixing it is beyond the capabilities of the majority of PC users.

But what really sets badBIOS apart is that it is supposedly capable of resisting erasure if someone reinstalls (known as flashing) the BIOS firmware. BadBIOS is also platform-independent, which means it can infect and work across a wide array of PC operating systems that include Windows, OS X, Linux, and BSD, according to Ruiu.

Updated 11/1/2013 at 5:15 p.m. PDT—This story was updated to reflect that the current theory says badBIOS malware communicates over high-frequency signals, but infections happen only via USB sticks.

Security researcher says new malware can affect your BIOS; communicate over the air | PCWorld

 

[Knight1Creeper]

Very interesting method of infection. Thanks for the post.

 

[mjf]

I would think infection of the MBR boot code could be more risky. I'm not sure which anti malware software (if any) checks this.

 

[yowanvista]

This is complete bogus crap. Sound hardware has nothing to do with BIOS nor the CPU, every motherboard uses a completely different sound system and chip.

Thirdly you would notice right away if something tried to modify the BIOS, in windows you need special privileges and UAC approval not to mention the manufacturer's own tools to modify those parts of the lower hardware level and on linux/BSD you need to be root and have the supporting software installed, not to mention that every BIOS is different. If you flashed a random BIOS to a random motherboard, it would not boot.

Here's why this is nonsense:
http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/

 

[mjf]

BIOS modification would probably need to be done at the source of your PC. However, the BIOS in an MBR boot hands over to MBR boot code before the OS kicks in and this lives on your HDD/SSD. One inserted (assembly) jump command could spell disaster IMO. Hence my question does the likes of Malwarebytes check your MBR boot code?

 

[x BlueRobot]

Isn't the jmp Assembly instruction like the continue keyword in C/C++? A attacker could easily use the jmp instruction to bypass straight to their malicious code.

 

[lehnerus2000]

Anti-Rootkit Scan?

BIOS modification would probably need to be done at the source of your PC. However, the BIOS in an MBR boot hands over to MBR boot code before the OS kicks in and this lives on your HDD/SSD. One inserted (assembly) jump command could spell disaster IMO. Hence my question does the likes of Malwarebytes check your MBR boot code?

Shouldn't the anti-Rootkit scan check that?

 

[Cr00zng]

This is complete bogus crap. Sound hardware has nothing to do with BIOS nor the CPU, every motherboard uses a completely different sound system and chip.

Thirdly you would notice right away if something tried to modify the BIOS, in windows you need special privileges and UAC approval not to mention the manufacturer's own tools to modify those parts of the lower hardware level and on linux/BSD you need to be root and have the supporting software installed, not to mention that every BIOS is different. If you flashed a random BIOS to a random motherboard, it would not boot.

Here's why this is nonsense:
The badBIOS Analysis Is Wrong. at RootWyrm's Corner

Thanks for the link that debunks the badBIOS, quote from your link:

So what do I think? I think that A) a number of security experts flapping their gums are good at security and know nothing about how hardware works and B) it’s absolutely not a BIOS/Firmware level piece of malware. There are far, far too many blatant and obvious detection points. There is no way it could hop from Apple to PC, or even PC to PC or Macbook 2013 to Macbook 2011. (Forget Macbook to Mac Pro.)

 

[lehnerus2000]

Skip UAC

As far as I'm concerned, it is a bad idea to be able to update the BIOS from inside the OS.

It is possible to bypass/disable the UAC warning on operations.
CCleaner does it.

​

 

[A Guy]

BIOS modification would probably need to be done at the source of your PC. However, the BIOS in an MBR boot hands over to MBR boot code before the OS kicks in and this lives on your HDD/SSD. One inserted (assembly) jump command could spell disaster IMO. Hence my question does the likes of Malwarebytes check your MBR boot code?

The regular Malwarebytes does not, but the Malwarebytes Anti Rootkit (MBAR) does

Meet Malwarebytes Anti-Rootkit | Malwarebytes Unpacked

The Avast aswMBR might be something to look at

aswMBR

Or the GMER MBR rootkit detector

mbr.exe

To be sure, I believe you'd have to scan with a bootable CD, outside of windows.

A Guy

 

[mjf]

Thanks Bill I've rum MBAR and MBRCheck. A little odd that MBAR still seems to be Beta with warnings of using at your own risk.

 

[A Guy]

Some programs seem to be in perpetual beta. Maybe just an easy way to say we can't guarantee it won't screw up

A Guy

 

[andrew129260]

Windows 8 with secure boot blocks any such attacks to the mbr, only allowing digitally signed code from windows 8 to run.

Of course, that can be bypassed as well.