#BADBIOS - You Were Warned About This For Years! fixed
Posted by Anonymous on Fri 1st Nov 2013 07:36

#BADBIOS - You Were Warned About This For Years!

===============================================

RE: Airgap-Jumping Malware May Use Ultrasonic Networking To Communicate
- http://it.slashdot.org/story/13/11/01/0120220/airgap-jumping-malware-may-use-ultrasonic-networking-to-communicate

You were all warned about this malware for years, but people just beat their chests and ridiculed the people posting, locking and shuffling threads or, in some cases on commercial antivirus forums, deleting threads, moving them to hidden sections or trashing them altogether.

I believe this is a huge conspiracy which has been going on for years. People in malware forums have been shouting from the rooftops about this, but no one wanted to listen.

What you overlooked and should have read:

1. Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
http://anonymous.livelyblog.com/2012/10/05/nobody-seems-to-notice-and-nobody-seems-to-care-government-stealth-malware/

2. Spy agency ASIO are hacking into personal computers
http://anonymous.livelyblog.com/2013/01/13/spy-agency-asio-are-hacking-into-personal-computers/

3. Will security firms detect police spyware?
http://anonymous.livelyblog.com/2013/09/17/will-security-firms-detect-police-spyware/

And several PDF files on blackhat pages, forums, and conferences.

These attacks against non-networked computers run deep - some changes are so subtle and appear to blend into normal black-box Windows activity that people overlook them. Read article #1, which includes the sad state of malware detection on *nix.

When you Google enough for firmware, PCI, AGP, BIOS, sound card malware, SDR, FRS, and why some distros autoload the ax25, rose, and netrom modules by default (including TAILS; check it for yourself with lsmod), it is quite unusual. Why would a distribution like TAILS need hamradio modules? They're in there too, in addition to the ax25, rose and netrom modules. Batman mesh networking is included in TAILS too.

People repeat the same mantra: the only safe computer is a non-networked computer. This is a lie. The truth is, an entirely shielded TEMPEST room with no network connections and shielding down to every piece of the computer is the best test environment, but who is going to take such precautions? Is the shielded computer in the shielded room bound for other locations outside of this safe room?

Wikileaks have released the Spy Files, listing many companies developing malware to root your box beyond detection, often aimed at government and military sources. These secret communications are no secret, and some have been detected via FRS, but that's only one source out of many.

####

#BadBIOS links:

http://boingboing.net/2013/10/31/badbios-airgap-jumping-malwar.html
https://twitter.com/dragosr
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en
https://plus.google.com/103470457057356043365/posts/9fyh5R9v2Ga
https://plus.google.com/103470457057356043365/posts
https://plus.google.com/s/%23badBIOS
http://www.wilderssecurity.com/showthread.php?t=354463

"Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security—retweeted the statement and added: "No joke it's really serious." Plenty of others agree.
...
At next month's PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues behind the infection mechanism.
He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems."

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2998&p=21195&hilit=BIOS+malware#p21195
https://www.security.nl/posting/366329/Onderzoeker+ontdekt+mysterieuze+BIOS-malware
https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa-paranoia-plus-fireworks/
http://blog.erratasec.com/2013/10/badbios-features-explained.html
http://it.slashdot.org/comments.pl?sid=4401155&cid=45297755

The following may repeat certain links from above but includes additional sources for info:

http://slexy.org/view/s283Y0acPO

#BadBIOS - BIOS Malware

#####

- Copernicus: Question Your Assumptions about BIOS Security

http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about

- "Seems to have a BIOS hypervisor, SDR functionality that bridges air gaps, wifi card removed."

https://twitter.com/dragosr/status/388512915742937089

===

- #BadBIOS

https://twitter.com/search?q=%23BadBIOS

===

- "More on my ongoing chase of #badBIOS malware."

https://plus.google.com/103470457057356043365/posts/9fyh5R9v2Ga
https://plus.google.com/103470457057356043365

===

- Nobody Seems To Notice and Nobody Seems To Care: Government & Stealth Malware

http://slexy.org/view/s2otvoDuKW

===

- Gpu based paravirtualization rootkit, all os vulne

http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706.html

===

- #badBIOS (and lotsa paranoia, plus fireworks)

https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa-paranoia-plus-fireworks/

===

- Air-Gap-Breaching BIOS Rootkits with SDRs Inside (and smartphones, Snowden, NSA, Wikileaks)

"A little while back I covered a paper on FPGAs that could turn themselves into SDRs. I suspected this would be one way to breach an air gap.

It seems I was right on the money. If a little behind the times.

Researchers have found an incredibly persistent BIOS rootkit in the wild that includes SDR functionality… literally turning your computer into a radio transmitter to exfiltrate data even if you're not connected to the Internet." [..]

"The researchers were using a new tool, Copernicus, which sadly seems to be Windows-only. Nevertheless a number of you might be interested in checking it out.

There is one enduring mystery of this rootkit… how does it survive BIOS reflashes?" [..]

https://kabelmast.wordpress.com/2013/10/11/air-gap-breaching-bios-rootkits-with-sdrs-inside-and-smartphones-snowden-nsa-wikileaks/

https://twitter.com/dragosr/status/388511686744764416

- IMHO Copernicus is the most important security tool in recent history. Already found persistent BIOS malware (survives reflashing) here.

https://twitter.com/dragosr/status/388512915742937089

- and that's not even the interesting part. Seems to have a BIOS hypervisor, SDR functionality that bridges air gaps, wifi card removed.

https://twitter.com/dragosr/status/388521551693217792

- Copernicus BIOS verification. Also if the tool is mysteriously failing or gives weird output full of FFs you may have a problem. http://goo.gl/AHLwbD

https://twitter.com/dragosr/status/388534580493287424

- This particular BIOS persistent malware sample seems to use TLS encrypted DHCP HostOptions as a command and control.

https://twitter.com/dragosr/status/388535672828485632

- this sample was on a Dell Alienware, but we have verified infected Thinkpads and Sonys too. Potentially MacBooks, unverified.

https://twitter.com/dragosr/status/388632113496350721

- Infected BIOS really dislikes booting from external devices, almost always goes to the internal disk, regardless of settings.

https://twitter.com/dragosr/status/388702180590354433

- Infected BIOS: back channel is via odd fixed length NetBIOS DNS lookups & blocks of IPv6 DNS lookups, even on machines with V6 sw disabled.

https://twitter.com/dragosr/status/388695497134731265

- Infected BIOS: can rule out disk drive firmware, using new drives fresh from foilpack, @ioerror – expensive tests to run, ouch.

http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about

"Copernicus dumps the BIOS so inspection (such as comparing against a clean copy) is possible, and also checks the status of the configuration to determine if the BIOS can be modified.

How does it work? The tool is implemented as a kernel driver that creates a file containing the BIOS dump and a file containing the raw configuration information. When deployed in enterprise environments, scripts can send the raw BIOS dump and configuration information to a server for post-processing. This processing can indicate whether a given BIOS differs from an expected baseline, and it can also indicate whether the BIOS or the computer's System Management RAM (where some code loaded by BIOS continues running after boot)."
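The server-side post-processing the MITRE text describes (a dump compared against an expected baseline) and the "output full of FFs" warning from the tweet above, as an added example that is not part of this paste or of Copernicus itself: both dumps are constructed in memory, the 4 KiB region size and the 0xFF threshold are assumptions.

```python
"""Compare a raw BIOS dump against a known-good baseline, region by region.

Added example, not from the paste or from MITRE's Copernicus. Models the
baseline comparison described in the quoted text plus a sanity check for
dumps that are mostly 0xFF (what erased or unreadable flash reads back as).
"""
import hashlib

REGION = 4096          # assumed block size; real flash regions are larger


def region_hashes(image: bytes, size: int = REGION) -> list:
    """SHA-256 of each fixed-size block of the image, in order."""
    return [hashlib.sha256(image[i:i + size]).hexdigest()
            for i in range(0, len(image), size)]


def erased_fraction(image: bytes) -> float:
    """Fraction of bytes equal to 0xFF; an empty image counts as fully erased."""
    return image.count(0xFF) / len(image) if image else 1.0


def compare_dump(baseline: bytes, dump: bytes, ff_threshold: float = 0.9) -> dict:
    """Report size mismatch, mostly-FF content and the byte offsets of changed regions."""
    report = {"size_mismatch": len(baseline) != len(dump),
              "mostly_ff": erased_fraction(dump) >= ff_threshold,
              "changed_regions": []}
    base_h, dump_h = region_hashes(baseline), region_hashes(dump)
    for idx, (b, d) in enumerate(zip(base_h, dump_h)):
        if b != d:
            report["changed_regions"].append(idx * REGION)   # byte offset of region
    report["clean"] = not (report["size_mismatch"] or report["mostly_ff"]
                           or report["changed_regions"])
    return report


# Constructed sample data: a 64 KiB "clean" image, a copy with one region
# patched, and an all-FF image standing in for a failed or blocked read.
CLEAN_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(64 * 1024))
_patched = bytearray(CLEAN_IMAGE)
_patched[0x3000:0x3010] = b"\x90" * 16       # constructed modification at 0x3000
PATCHED_IMAGE = bytes(_patched)
ALL_FF_IMAGE = b"\xff" * len(CLEAN_IMAGE)

if __name__ == "__main__":
    for name, img in (("patched", PATCHED_IMAGE), ("all-ff", ALL_FF_IMAGE)):
        print(name, compare_dump(CLEAN_IMAGE, img))
```

A dump that differs only in regions the vendor documents as volatile (e.g. NVRAM variables) still needs a human to look at the offsets; the script only narrows where to look.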

===

- Persistent BIOS malware with hypervisor and SDR found

http://www.wilderssecurity.com/showthread.php?t=354463

===

- [Cryptography] programable computers inside our computers

Quoting Viktor Dukhovni (2013-10-22 06:50:38)
> I am much more concerned about the proliferation of miniature programmable
> computers inside our computers (CPUs and programmable firmware in disk
> controllers, battery controllers, BMC controllers, with opaque binary firmware
> update blobs, and complex supply chains) than about secp256r1 vs secp521r1.
>
> We thought embedded devices were for physical infrastructure
> engineers to worry about, but now they are proliferating inside
> our general purpose computers.  The next Stuxnet will run on one
> of the invisible computers inside your computer.

http://www.metzdowd.com/pipermail/cryptography/2013-October/018380.html

===

Researcher discovers mysterious BIOS malware [Translated]

Friday, October 11th, 2013, 14:53 by Editorial

"A security researcher has discovered mysterious malware hiding in the BIOS of several laptops. The BIOS (Basic Input / Output System) is a set of basic instructions for communication between the operating system and the hardware.

It is essential for the operation of the computer, and is also the first major piece of software running at start-up. An attack on the BIOS may have far-reaching consequences and is difficult to detect, for example by a virus scanner on the desktop.

Researcher Dragos Ruiu, creator of the famous Pwn2Own hacker competitions, reports via Twitter that he has discovered persistent BIOS malware that can survive flashing the BIOS. In addition, the malware has a BIOS hypervisor, also called a virtual machine monitor (VMM), in which a virtual machine is running, and Software Defined Radio (SDR) functionality to bridge 'air gaps'.

SDR is a radio communication system in which components that are normally part of the hardware (for example mixers, filters and amplifiers) are implemented in software on a computer. A basic SDR system can consist of a computer with a sound card or other analog-to-digital converter, preceded by some form of RF front end.

Air gap

An air gap is a computer that is not connected to the internet. Security guru Bruce Schneier recently let it be known that he too uses an air gap for the documents of whistleblower Edward Snowden that he is examining, with a computer that has never been connected to the internet. By means of the SDR, attackers would also be able to communicate with such a machine in this way.

The malware was discovered with the Copernicus tool, which dumps the contents of the BIOS so that the dump can then be examined. Given the discovery of the BIOS malware, Ruiu states that Copernicus is already the most important tool of recent times.
Laptops

The researcher reports that the BIOS malware has been found on a Dell Alienware, Thinkpads and Sony laptops. MacBooks may also have become infected, but this has not been confirmed. The malware uses DHCP options for encrypted communication. On the basis of the tweets, the investigation into the malware is still in progress. Security.NL has asked Ruiu for more information. As soon as more details are known, we will let you know."

https://www.security.nl/posting/366329/Onderzoeker+ontdekt+mysterieuze+BIOS-malware

===

- New Bios Malware

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2998

===

EOF (but not the end in further developments!)

**********************************
PLEASE COPY AND SHARE THIS ARTICLE
