In recent days there has been much interest in the "BadBIOS" infection being reported by Dragos Ruiu. (The best overview I've seen has been from Naked Security: http://nakedsecurity.sophos.com/2013/11/01/the-badbios-virus-that-jumps-airgaps-and-takes-over-your-firmware-whats-the-story/ ) But to someone who has lived through several viral myths and legends, parts of it sound strange.
It is said to infect the low-level system firmware of your computer, so it can't be removed or disabled simply by rebooting.
These things, of course, have been around for a while, so that isn't necessarily wrong. However, BIOS infectors never became a major vector.
It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.
This sounds a bit odd, but we've had cross-platform stuff before. But they never became major problems either.
It is said to prevent infected systems being booted from CD drives.
Possible: we've seen similar effects over the years, both intentionally and un.
It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.
OK, it's dangerous to go out on a limb when you haven't seen details and say something can't happen, but I'm calling bullshit on this one. Not that I think someone couldn't create a communications channel without the hardware: anything the hardware guys can do the software guys can emulate, and vice versa. However, I can't see getting an infection channel this way, at least without some kind of minimal infection first. (It is, of course, possible that the person doing the analysis may have made a mistake in what they observed, or in the reporting of it.)
It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.
As above.
It is said to infect simply by plugging in a USB key, with no other action required.
We've seen that before.
It is said to infect the firmware on USB sticks.
Well, a friend has built a device to blow off dangerous firmware on USB sticks, so I don't see that this would present any problem.
It is said to render USB sticks unusable if they aren't ejected cleanly; these sticks work properly again if inserted into an infected computer.
Reminds me somewhat of the old "fast infectors" of the early 90s. They had unintended effects that actually made the infections easy to remove.
It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.
Don't know details of the internals of TTF files, but they should certainly have enough space.
It is said to block access to Russian websites that deal with reflashing software.
Possible, and irrelevant unless we find out what is actually true.
It is said to render any hardware used in researching the threat useless for further testing.
Well, anything that gets reflashed is likely to become unreliable and untrustworthy ...
It is said to have first been seen more than three years ago on a Macbook.
And it's taken three years to get these details? Or get a sample to competent researchers? Or ask for help? This I find most unbelievable.
In sum, then, I think this might be possible, but I strongly suspect that it is either a promotion for PacSec, or a promo for some presentation on social engineering.
====================== (quote inserted randomly by Pegasus Mailer)
Hardware has grown following Moore's Law, software seems to be stuck with Gresham's Law. - Jim Horning
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.