Persistent BIOS malware with hypervisor and SDR found

Discussion in 'malware problems & news' started by BoerenkoolMetWorst, Oct 11, 2013.

  1. BoerenkoolMetWorst
    BoerenkoolMetWorst Registered Member

  2. Gullible Jones
    Gullible Jones Registered Member

    Interesting, this does in fact look real. I wonder who's behind it... Wouldn't surprise me if this were NSA issue stuff, preinstalled on most computers.
  3. Baserk
    Baserk Registered Member

    Security.nl editor has asked researcher Dragos Ruiu (organizer of Pwn2Own) for more info oc. I'm curious about this one...
    Something so foxy as the SDR exploit/jump-the-air-gap on a Thinkpad or Sony (business?) model, I understand but on an 11" gaming machine?
    Last edited: Oct 11, 2013
  4. CloneRanger
    CloneRanger Registered Member

    Yes, Another "You're all paranoid & it can't happen, so forget it" item BUSTED :D

    Not good news that it Can/Has been done recently, but welcome news it's been discovered. If we find out how & who's done this, & in which companies etc it happened, so much the better. I expect there to be a BIG backlash against them from now on, & rightly so.

    This has to be THE find of the decade ! So now we need AntiMalware for the Bios :D

  5. J_L
    J_L Registered Member

    Maybe Intel's McAfee-based CPU AV will do the job. :D
  6. ComputerSaysNo
    ComputerSaysNo Registered Member

    LOL as if. This is sad news, but hardware hacking is all the rage nowadays so it doesn't surprise me.
  7. lotuseclat79
    lotuseclat79 Registered Member

    Hi BoerenkoolMetWorst,

    Since https is not supported in the translation engines I have tried - google, bing, and that Wilders Security Forums is posted in English, would you be so kind as to provide a translation from Dutch to English for the web page URL (links) you have posted,

    Thanks,

    -- Tom
  8. stackz
    stackz Registered Member

    @lotuseclat79
    Just copy/paste the text from the web page into the translation engine.
  9. Baserk
    Baserk Registered Member

    ^^Tom, Google Translate makes this of the original article;

    A security researcher has discovered several laptops mysterious malware hiding in the BIOS of computers. The BIOS (Basic Input/Output System) is a set of basic instructions for communication between the operating system and the hardware.
    It is essential for the operation of the computer, and also the first major software running at the start-up. An attack on the BIOS may have far-reaching consequences and is difficult to detect. Example by a virus on the desktop
    Researcher Dragos Ruiu, creator of the famous Pwn2Own hacker competitions, reports via Twitter that he has discovered that flashing the BIOS can survive.
    Persistent BIOS malware In addition, the malware on a BIOS hypervisor, also called a virtual machine monitor (VMM) in which a virtual machine is running, and Software Defined Radio (SDR) functionality to 'air gaps to bridge.
    SDR is a radio communication system in which components that are normally part of the hardware (for example, mixers, filters and amplifiers) are carried out by means of software on a computer. A -SDR basic system can consist of a computer with a sound card or other analog-to-digital converter preceded by a form of RF front end.
    Air gap
    An air gap is a computer that is not connected on the internet. Recently left security guru Bruce Schneier even know that he uses an air gap for the documents whistleblower Edward Snowden, he also examines, with a computer that has never been connected on the internet. By means of the SDR attackers would also be able to communicate in this way. With the machine
    The malware was discovered by the Copernicus tool that dumps the contents of the BIOS and then to examine them. Dump Ruiu states that Copernicus seen the discovery of the BIOS malware already the main tool of the recent times.
    laptops
    The researcher reports that the BIOS malware on a Dell Alienware, Thinkpads and Sony laptops is found. Would have become infected MacBooks also possible but has not been confirmed. The malware uses DHCP options for encrypted communication. Using their skill On the basis of the tweets that the investigation into the malware is still in progress. Security.NL Ruiu has asked for more information. As soon as more details are known, we will let you know.


    His Twitter account shows the latest details/progress so far; --https://twitter.com/dragosr--
  10. emmjay
    emmjay Registered Member

    Our toys are bugged. Whoda thunk? Profiling has reached new heights (or lows), however you look at it. I assume this malware is not meant to brick the device but to call home and gather tidbits of information. I read that 'tick' and 'flea' are under test so hopefully one of them will prevent the malware from reinserting itself at every firmware upgrade. The unfortunate aspect is that so many users do not upgrade the firmware (ever). The devices most prone to this savagery will be smartphones. A PC user can flash the firmware quite painlessly however other devices can be more complicated. Tell someone to flash a smart TV or car firmware and the user looks at you like you have grown horns.

    I disabled Computrace on my laptop, however I never did subscribe to Absolute software services. If there is malware preloaded then I am screwed anyway. Hopefully there is no government involvement in all of this (not holding my breath though). Profiling is it.
  11. Gullible Jones
    Gullible Jones Registered Member

    Last edited: Oct 24, 2013
  12. Baserk
    Baserk Registered Member

    Either this is some serious mayhem or there is something else, like a breakdown or something.
    Like someone replied on the Facebook page; "I'm tempted to buy you a USB analyzer just so I can conclusively settle the question of whether or not you're on crack."
    After reading the Facebook post, it seems the outcome of this story will be bad news no matter what.
  13. aigle
    aigle Registered Member

  14. lotuseclat79
    lotuseclat79 Registered Member

  15. Baserk
    Baserk Registered Member

    Those feeling adventurous can go at it at kernelmode.info link
    VT SHA available. Detection 0/47

    Never read before that Ruiu is already working since 3 years, and over a dozen wrecked laptops later, on this malware.
    Part of me thought/wished it was bs but no.
    From Tom's above posted article;
    Last edited: Oct 31, 2013
  16. Enigm
    Enigm Registered Member

    'Paranoid' ?
    You mean like the 'paranoids' saying Big Brother was monitoring the internets ?

    The amount of trust OS's show any random device presented to them is just beyond belief - all those gadgets are small computers and OS's just accept anything that comes from them .
  17. taleblou
    taleblou Registered Member

    Damn even linux is affected. Damn that's a bad one. Also if it is USB transferable, is it able to circumvent sandboxes like sandboxie, if you open a usb in sandbox?
  18. Dogbiscuit
    Dogbiscuit Registered Member

  19. ronjor
    ronjor Global Moderator

  20. taleblou
    taleblou Registered Member

    How about if you password protect the bios access. Will this malware still infect and pass the protection?
  21. nosirrah
    nosirrah Malware Fighter

    The funniest part about this whole incident is that while 1 clearly BS report of a super cross-platform BIOS bug is enough to convince countless people that it is real, a detailed explanation on how it is pretend will be completely ignored by those same people.
  22. Gullible Jones
    Gullible Jones Registered Member

    You are correct; it does look like bunk, and I definitely fell for it. My bad.

    OTOH I think that it's reasonable to expect of experts in a given field that they won't start trolling laypeople. Doing so is rather unprofessional.
  23. BoerenkoolMetWorst
    BoerenkoolMetWorst Registered Member

    Reply from Dragos:
    https://twitter.com/dragosr/status/396519282718167040

    Interesting to see how this plays out.

    I was referring to some reports made here previously about GPU rootkits such as this: http://www.wilderssecurity.com/showthread.php?t=345273
    I would also like to point out that I meant paranoid in a neutral way, not as a psychiatric disorder or with the negative meaning it is used so often these days unfortunately. I suspected internet monitoring/surveillance before the leaks of Mr. Snowden. I think if everyone would have a healthy dose of paranoia we wouldn't be where we are now.
    I agree completely, things like this are just an example: http://hakshop.myshopify.com/products/usb-rubber-ducky
  24. Baserk
    Baserk Registered Member

    Pardon my ignorance/foreign language comprehension, but what do you mean with 'On how it is pretend'?
  25. nosirrah
    nosirrah Malware Fighter

    Read the link I quoted, it's all there. The issue is that even among people that understand OS and malware on a reasonable level there are not many people that understand hardware and BIOS/UEFI all that well. Because of this the totally ridiculous claims made about this "super bug" don't seem all that unreasonable to most people.

    Had this been proposed as a BIOS/UEFI trojan that was platform specific and targeted (like an attack against 5000 identical computers within a corporation) and was paired with on disk components that did the heavy lifting maybe this would be doable and even then "maybe" is really generous.