Author: morphine drip Language: text
Description: #BADBIOS - You Were Warned About This For Years! Timestamp: 2013-11-01 03:33:08 -0400
Child paste by: Clive Robinson
#BADBIOS - You Were Warned About This For Years!

===============================================

RE: Airgap-Jumping Malware May Use Ultrasonic Networking To Communicate
- http://it.slashdot.org/story/13/11/01/0120220/airgap-jumping-malware-may-use-ultrasonic-networking-to-communicate

You were all warned about this malware for years, but people just beat their chests and ridiculed the people posting, locking and shuffling threads or, in some cases on commercial antivirus forums, deleting threads, moving them to hidden sections, or trashing them altogether.

I believe this is a huge conspiracy which has been going on for years. People in malware forums have been shouting from the rooftops about this but no one wanted to listen.

What you overlooked and should have read:

1. Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
http://anonymous.livelyblog.com/2012/10/05/nobody-seems-to-notice-and-nobody-seems-to-care-government-stealth-malware/

2. Spy agency ASIO are hacking into personal computers
http://anonymous.livelyblog.com/2013/01/13/spy-agency-asio-are-hacking-into-personal-computers/

3. Will security firms detect police spyware?
http://anonymous.livelyblog.com/2013/09/17/will-security-firms-detect-police-spyware/

And several PDF files on blackhat pages, forums, and conferences.

These attacks against non-networked computers run deep - some changes are so subtle, blending into normal black-box Windows activity, that people overlook them. Read article #1, which includes the sad state of malware detection on *nix.

Google enough for firmware, PCI, AGP, BIOS and sound card malware, SDR, FRS, and why some distros autoload the ax25, rose, and netrom modules by default (including TAILS; check it for yourself with lsmod), and it looks quite unusual. Why would a distribution like TAILS need ham radio modules? They're in there too, in addition to the ax25, rose, and netrom modules. Batman mesh networking is included in TAILS as well.

People repeat the same mantra: the only safe computer is a non-networked computer. This is a lie. The truth is that an entirely shielded TEMPEST room with no network connections, and shielding down to every component of the computer, is the best test environment, but who is going to take such precautions? And is the shielded computer in the shielded room bound for other locations outside of this safe room?

Wikileaks has released the Spy Files, listing many companies developing malware to root your box beyond detection, often aimed at government and military sources. These secret communications are no secret, and some have been detected via FRS, but that's only one source out of many.

####

#BadBIOS links:

http://boingboing.net/2013/10/31/badbios-airgap-jumping-malwar.html
https://twitter.com/dragosr
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en
https://plus.google.com/103470457057356043365/posts/9fyh5R9v2Ga
https://plus.google.com/103470457057356043365/posts
https://plus.google.com/s/%23badBIOS
http://www.wilderssecurity.com/showthread.php?t=354463

"Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security—retweeted the statement and added: "No joke it's really serious." Plenty of others agree.
...
At next month's PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues behind the infection mechanism.
He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems"

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2998&p=21195&hilit=BIOS+malware#p21195
https://www.security.nl/posting/366329/Onderzoeker+ontdekt+mysterieuze+BIOS-malware
https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa-paranoia-plus-fireworks/
http://blog.erratasec.com/2013/10/badbios-features-explained.html
http://it.slashdot.org/comments.pl?sid=4401155&cid=45297755

The following may repeat certain links from above but includes additional sources for info:

http://slexy.org/view/s283Y0acPO

#BadBIOS - BIOS Malware

#####

- Copernicus: Question Your Assumptions about BIOS Security

http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about

- "Seems to have a BIOS hypervisor, SDR functionality that bridges air gaps, wifi card removed."

https://twitter.com/dragosr/status/388512915742937089

===

- #BadBIOS

https://twitter.com/search?q=%23BadBIOS

===

- "More on my ongoing chase of #badBIOS malware."

https://plus.google.com/103470457057356043365/posts/9fyh5R9v2Ga
https://plus.google.com/103470457057356043365

===

- Nobody Seems To Notice and Nobody Seems To Care: Government & Stealth Malware

http://slexy.org/view/s2otvoDuKW

===

- Gpu based paravirtualization rootkit, all os vulne

http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706.html

===

- #badBIOS (and lotsa paranoia, plus fireworks)

https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa-paranoia-plus-fireworks/

===

- Air-Gap-Breaching BIOS Rootkits with SDRs Inside (and smartphones, Snowden, NSA, Wikileaks)

"A little while back I covered a paper on FPGAs that could turn themselves into SDRs. I suspected this would be one way to breach an air gap.

It seems I was right on the money. If a little behind the times.

Researchers have found an incredibly persistent BIOS rootkit in the wild that includes SDR functionality… literally turning your computer into a radio transmitter to exfiltrate data even if you’re not connected to the Internet." [..]

"The researchers were using a new tool, Copernicus, which sadly seems to be Windows-only. Nevertheless a number of you might be interested in checking it out.

There is one enduring mystery of this rootkit… how does it survive BIOS reflashes?" [..]

https://kabelmast.wordpress.com/2013/10/11/air-gap-breaching-bios-rootkits-with-sdrs-inside-and-smartphones-snowden-nsa-wikileaks/

https://twitter.com/dragosr/status/388511686744764416

- IMHO Copernicus is the most important security tool in recent history. Already found persistent BIOS malware (survives reflashing) here.

https://twitter.com/dragosr/status/388512915742937089

- and that’s not even interesting part. Seems to have a BIOS hypervisor, SDR functionality that bridges air gaps, wifi card removed.

https://twitter.com/dragosr/status/388521551693217792

- Copernicus BIOS verification. Also if tool is mysteriously failing or weird output full of FFs you may have problem. http://goo.gl/AHLwbD

https://twitter.com/dragosr/status/388534580493287424

- This particular BIOS persistent malware sample seems to use TLS encrypted DHCP HostOptions as a command and control.

https://twitter.com/dragosr/status/388535672828485632

- this sample was on a Dell Alienware, but we have verified infected Thinkpads and Sonys too. Potentially MacBooks, unverified.

https://twitter.com/dragosr/status/388632113496350721

- Infected BIOS really dislikes to boot from external devices, almost always goes to internal disk, regardless of settings.

https://twitter.com/dragosr/status/388702180590354433

- Infected BIOS: back channel is via odd fixed length NetBIOS DNS lookups & blocks of IPv6 DNS lookups, even on machines with V6 sw disabled.

https://twitter.com/dragosr/status/388695497134731265

- Infected BIOS: can rule out disk drive firmware, using new drives fresh from foilpack, @ioerror – expensive tests to run, ouch.

http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about

"Copernicus dumps the BIOS so inspection (such as comparing against a clean copy) is possible, and also checks the status of the configuration to determine if the BIOS can be modified.

How does it work? The tool is implemented as a kernel driver that creates a file containing the BIOS dump and a file containing the raw configuration information. When deployed in enterprise environments, scripts can send the raw BIOS dump and configuration information to a server for post-processing. This processing can indicate whether a given BIOS differs from an expected baseline, and it can also indicate whether the BIOS or the computer’s System Management RAM (where some code loaded by BIOS continues running after boot)."
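The post-processing step the quoted paragraph describes (compare a raw BIOS dump against an expected baseline) and the "weird output full of FFs" warning from the tweet above, as an added Python example. This is not Copernicus code (Copernicus is a Windows kernel driver) and the dumps are constructed byte strings, not real BIOS images.

```python
import hashlib

# Constructed sample data (not a real BIOS image): a 4 KiB deterministic
# byte pattern stands in for the known-good baseline dump.
BIOS_SIZE = 4096
BASELINE = bytes((i * 37 + 11) & 0xFF for i in range(BIOS_SIZE))

# Constructed "tampered" dump: 64 bytes overwritten at offset 0x800.
INFECTED = bytearray(BASELINE)
INFECTED[0x800:0x840] = b"\x90" * 64
INFECTED = bytes(INFECTED)

# Constructed "failed read": unprogrammed flash, or a blocked read, returns 0xFF.
BLANK_READ = b"\xFF" * BIOS_SIZE


def longest_ff_run(dump: bytes) -> int:
    """Longest contiguous run of 0xFF bytes. A run covering most of the
    image means the dump is unusable, not that the BIOS is clean."""
    best = cur = 0
    for b in dump:
        cur = cur + 1 if b == 0xFF else 0
        best = max(best, cur)
    return best


def diff_regions(baseline: bytes, dump: bytes, block: int = 256) -> list:
    """Block-aligned (offset, length) regions where dump differs from baseline."""
    regions, start = [], None
    total = max(len(baseline), len(dump))
    for off in range(0, total, block):
        if baseline[off:off + block] != dump[off:off + block]:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, total - start))
    return regions


def assess(baseline: bytes, dump: bytes, ff_threshold: float = 0.9) -> dict:
    """Server-side check: hash comparison, changed regions, FF sanity check."""
    ff_fraction = dump.count(0xFF) / len(dump) if dump else 1.0
    return {
        "hash_match": hashlib.sha256(dump).digest() == hashlib.sha256(baseline).digest(),
        "read_suspect": ff_fraction >= ff_threshold,  # "output full of FFs"
        "changed_regions": diff_regions(baseline, dump),
    }
```

A dump flagged as read_suspect should be treated as "no valid dump obtained" rather than as a clean result, since a failed or blocked read is exactly the symptom the tweet describes.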

===

- Persistent BIOS malware with hypervisor and SDR found

http://www.wilderssecurity.com/showthread.php?t=354463

===

- [Cryptography] programmable computers inside our computers

Quoting Viktor Dukhovni (2013-10-22 06:50:38)
> I am much more concerned about the proliferation of miniature programmable
> computers inside our computers (CPUs and programmable firmware in disk
> controllers, battery controllers, BMC controllers, with opaque binary firmware
> update blobs, and complex supply chains) than about secp256r1 vs secp521r1.
>
> We thought embedded devices were for physical infrastructure
> engineers to worry about, but now they are proliferating inside
> our general purpose computers.  The next Stuxnet will run on one
> of the invisible computers inside your computer.

http://www.metzdowd.com/pipermail/cryptography/2013-October/018380.html

===

Researcher discovers mysterious BIOS malware [Translated]

Friday, October 11th, 2013, 14:53 by Editorial

"A security researcher has discovered mysterious malware hiding in the BIOS of several laptops. The BIOS (Basic Input / Output System) is a set of basic instructions for communication between the operating system and the hardware.

It is essential for the operation of the computer, and is also the first major piece of software that runs at start-up. An attack on the BIOS, for example by a virus on the desktop, may have far-reaching consequences and is difficult to detect.

Researcher Dragos Ruiu, creator of the famous Pwn2Own hacker competitions, reports via Twitter that he has discovered persistent BIOS malware that can survive flashing the BIOS. In addition, the malware has a BIOS hypervisor, also called a virtual machine monitor (VMM), in which a virtual machine runs, and Software Defined Radio (SDR) functionality to bridge 'air gaps'.

SDR is a radio communication system in which components that are normally implemented in hardware (for example mixers, filters and amplifiers) are implemented in software on a computer. A basic SDR system can consist of a computer with a sound card or other analog-to-digital converter, preceded by some form of RF front end.

Air gap

An air gap is a computer that is not connected to the internet. Security guru Bruce Schneier recently let it be known that he uses an air gap, a computer that has never been connected to the internet, for the documents of whistleblower Edward Snowden that he is examining. By means of the SDR, attackers would nonetheless be able to communicate with such a machine.

The malware was discovered with the Copernicus tool, which dumps the contents of the BIOS so that the dump can be examined. Ruiu states that, given the discovery of the BIOS malware, Copernicus is already the most important tool of recent times.

Laptops

The researcher reports that the BIOS malware has been found on a Dell Alienware, Thinkpads and Sony laptops. MacBooks may also have become infected, but this has not been confirmed. The malware uses DHCP options for encrypted communication. Based on the tweets, the investigation into the malware is still in progress. Security.NL has asked Ruiu for more information. As soon as more details are known, we will let you know."

https://www.security.nl/posting/366329/Onderzoeker+ontdekt+mysterieuze+BIOS-malware

===

- New Bios Malware

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2998

===

EOF (but not the end in further developments!)

**********************************
PLEASE COPY AND SHARE THIS ARTICLE