Persistent BIOS malware with hypervisor and SDR found

Discussion in 'malware problems & news' started by BoerenkoolMetWorst, Oct 11, 2013.

Thread Status:
Not open for further replies.
  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Interesting, this does in fact look real. I wonder who's behind it... Wouldn't surprise me if this were NSA issue stuff, preinstalled on most computers.
     
  3. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Security.nl editor has asked researcher Dragos Ruiu (organizer of Pwn2Own) for more info oc. I'm curious about this one...
    Something so foxy as the SDR exploit/jump-the-air-gap on a Thinkpad or Sony (business?) model, I understand but on a 11" gaming machine?
     
    Last edited: Oct 11, 2013
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yes, Another "You're all paranoïd & it can't happen, so forget it" item BUSTED :D

    Not good news that it Can/Has been done recently, but welcome news it's been discovered. If we find out how & who's done this, & in which companies etc it happened, so much the better. I expect there to be a BIG backlash against them from now on, & rightly so.

    This has to be THE find of the decade ! So now we need AntiMalware for the Bios :D

     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Maybe Intel's McAfee-based CPU AV will do the job. :D
     
  6. LOL as if. This is sad news, but hardware hacking is all the rage now days so it doesn't surprise me.
     
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi BoerenkoolMetWorst,

    Since https is not supported in the translation engines I have tried - google, bing, and that Wilders Security Forums is posted in English, would you be so kind as to provide a translation from Dutch to English for the web page URL (links) you have posted,

    Thanks,

    -- Tom
     
  8. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    @lotuseclat79
    Just copy/paste the text from the web page into the translation engine.
     
  9. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    ^^Tom, Google Translate makes this of the original article;

    A security researcher has discovered several laptops mysterious malware hiding in the BIOS of computers . The BIOS ( Basic Input / Output System) is a set of basic instructions for communication between the operating system and the hardware .
    It is essential for the operation of the computer , and also the first major software running at the start-up. An attack on the BIOS may have far-reaching consequences and is difficult to detect . Example by a virus on the desktop
    Researcher Dragos Ruiu , creator of the famous Pwn2Own hacker competitions , reports via Twitter that he has discovered that flashing the BIOS can survive .
    Persistent BIOS malware In addition, the malware on a BIOS hypervisor , also called a virtual machine monitor ( VMM ) in which a virtual machine is running , and Software Defined Radio ( SDR ) functionality to 'air gaps to bridge .
    SDR is a radio communication system in which components that are normally part of the hardware (for example, mixers, filters and amplifiers) are carried out by means of software on a computer . A -SDR basic system can consist of a computer with a sound card or other analog-to - digital converter preceded by a form of RF front end.
    Air gap
    An air gap is a computer that is not connected on the internet. Recently left security guru Bruce Schneier even know that he uses an air gap for the documents whistleblower Edward Snowden , he also examines , with a computer that has never been connected on the internet. By means of the SDR attackers would also be able to communicate in this way. With the machine
    The malware was discovered by the Copernicus tool that dumps the contents of the BIOS and then to examine them. Dump Ruiu states that Copernicus seen the discovery of the BIOS malware already the main tool of the recent times .
    laptops
    The researcher reports that the BIOS malware on a Dell Alienware , Thinkpads and Sony laptops is found . Would have become infected MacBooks also possible but has not been confirmed . The malware uses DHCP options for encrypted communication. Using their skill On the basis of the tweets that the investigation into the malware is still in progress . Security.NL Ruiu has asked for more information . As soon as more details are known , we will let you know .


    His Twitter account shows the latest details/progress so far; --https://twitter.com/dragosr--
     
  10. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,540
    Location:
    Triassic
    Our toys are bugged. Whoda thunk? Profiling has reached new heights (or lows), however you look at it. I assume this malware is not meant to brick the device but to call home and gather tidbits of information. I read that 'tick' and 'flea' are under test so hopefully one of them will prevent the malware from reinserting itself at every firmware upgrade. The unfortunate aspect is that so many users do not upgrade the firmware (ever). The devices most prone to this savagery will be smartphones. A PC user can flash the firmware quite painlessly however other devices can be more complicated. Tell someone to flash a smart TV or car firmware and the user looks at you like you have grown horns.

    I disabled Computrace on my laptop, however I never did subscribe to Absolute software services. If there is malware preloaded then I am screwed anyway. Hopefully there is no government involvement in all of this (not holding my breath though). Profiling is it.
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Last edited: Oct 24, 2013
  12. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Either this is some serious mayhem or there is something else, like a breakdown or something.
    Like someone replied on the Facebook page; "I'm tempted to buy you a USB analyzer just so I can conclusively settle the question of whether or not you're on crack."
    After reading the Facebook post, it seems the outcome of this story will be bad news no matter what.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  14. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  15. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Those feeling adventurous can go at it at kernelmode.info link
    VT SHA available. Detection 0/47

    Never read before that Ruiu is already working since 3 years, and over a dozen wrecked laptops later, on this malware.
    Part of me thought/wished it was bs but no.
    From Tom's above posted article;
     
    Last edited: Oct 31, 2013
  16. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    'Paranoid' ?
    You mean like the 'paranoids' saying Big Brother was monitoring the internets ?

    The amount of trust OS's show any random device presented to them is just beyond belief - all those gadgets are small computers and OS's just accept anything that comes from them .
     
  17. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    Damn even linux is effected. Damn thats a bad one. Also if it is USB transferable, dose it able to circumvent sandboxes like sandboxie, if you open a usb in sandbox?
     
  18. Dogbiscuit

    Dogbiscuit Guest

    Last edited by a moderator: Nov 3, 2013
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,032
    Location:
    Texas
  20. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    How about if you password protect the bios access. Will this malware still infect and pass the protection?
     
  21. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    The funniest part about this whole incident is that while 1 clearly BS report of a super cross-platform BIOS bug is enough to convince countless people that it is real, a detailed explanation on how it is pretend will be completely ignored by those same people.
     
  22. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    You are correct; it does look like bunk, and I definitely fell for it. My bad.

    OTOH I think that it's reasonable to expect of experts in a given field that they won't start trolling laypeople. Doing so is rather unprofessional.
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Reply from Dragos:
    https://twitter.com/dragosr/status/396519282718167040

    Interesting to see how this plays out.

    I was referring to some reports made here previously about GPU rootkits such as this: https://www.wilderssecurity.com/showthread.php?t=345273
    I would also like to point out that I meant paranoid in a neutral way, not as a psychiatric disorder or with the negative meaning it is used so often these days unfortunately. I suspected internet monitoring/surveillance before the leaks of Mr. Snowden. I think if everyone would have a healthy dose of paranoia we wouldn't be where we are now.
    I agree completely, things like this are just an example: http://hakshop.myshopify.com/products/usb-rubber-ducky
     
  24. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Pardon my ignorance/foreign language comprehension, but what do you mean with 'On how it is pretend'?
     
  25. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Read the link I quoted, its all there. The issue is that even among people that understand OS and malware on a reasonable level there are not many people that understand hardware and BIOS/UEFI all that well. Because of this the totally ridiculous claims made about this "super bug" don't seem all that unreasonable to most people.

    Had this been proposed as a BIOS/UEFI trojan that was platform specific and targeted (like an attack against 5000 identical computers within a corporation) and was paired with on disk components that did the heavy lifting maybe this would be doable and even then "maybe" is really generous.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.