FWIS3

A security researcher has discovered several laptops mysterious malware hiding in the BIOS of computers . The BIOS ( Basic Input / Output System) is a set of basic instructions for communication between the operating system and the hardware .It is essential for the operation of the computer , and also the first major software running at the start-up. An attack on the BIOS may have far-reaching consequences and is difficult to detect . Example by a virus on the desktopResearcher Dragos Ruiu , creator of the famous Pwn2Own hacker competitions , reports via Twitter that he has discovered that flashing the BIOS can survive . Persistent BIOS malware In addition, the malware on a BIOS hypervisor , also called a virtual machine monitor ( VMM ) in which a virtual machine is running , and Software Defined Radio ( SDR ) functionality to 'air gaps to bridge .SDR is a radio communication system in which components that are normally part of the hardware (for example, mixers, filters and amplifiers) are carried out by means of software on a computer . A -SDR basic system can consist of a computer with a sound card or other analog-to - digital converter preceded by a form of RF front end.Air gapAn air gap is a computer that is not connected on the internet. Recently left security guru Bruce Schneier even know that he uses an air gap for the documents whistleblower Edward Snowden , he also examines , with a computer that has never been connected on the internet. By means of the SDR attackers would also be able to communicate in this way. With the machineThe malware was discovered by the Copernicus tool that dumps the contents of the BIOS and then to examine them. Dump Ruiu states that Copernicus seen the discovery of the BIOS malware already the main tool of the recent times .laptopsThe researcher reports that the BIOS malware on a Dell Alienware , Thinkpads and Sony laptops is found . Would have become infected MacBooks also possible but has not been confirmed . The malware uses DHCP options for encrypted communication. Using their skill On the basis of the tweets that the investigation into the malware is still in progress . Security.NL Ruiu has asked for more information . As soon as more details are known , we will let you know .

FZR1KG wrote:r.e. flashing persistence of BIOS.
This also sounds really suspicious.
Flashing deletes all the data in the EEPROM or Flash device. It is a non reversible process.
The only way to maintain persistence after flashing a device is to put it back.
This means that the bootloader (the device that reads the data and programs the flash device with said data) must have been compromised.
Bootloaders are extremely simple devices. Almost all are ROM, i.e. non reprogramable.
The reason for that is so they can't accidentally get erased, which would totally brick a device rendering it useless.
Even cheap cub $2 cpu's have ROM bootloaders to load the Flash memory.
I have seen flash bootloaders (and disapprove most intensely) but even in these types the bootloader memory allocated and protected and are very small program wise and easy to check if corrupted because they use system calls to program and have inbuilt data integrity checking.
Pretty hard to hide a virus in a bootloader from both an access and memory capacity point of view.
Also, bootloaders are done by factory, the factory that designed the chip itself.

Unless the PC uses its own CPU to program flash (can anyone say dumb assed design that was prone to failure and known to be unreliable decades ago becore the PC was even concieved) I just can't see it happening. Then again, who knows what regurgitated obsolete design topology is used in the never ending quest to make a cheap product, I have seen dumber shit happening...

So yeah, I'll wait for updates but unless someone shows me how they overcame the above issues I will remain very skeptical.

Sigma_Orionis wrote:Meh, Like I mentioned in FWIS 2.0, "Mistakes and Sloppyness in IT are made three times: once in Mainframes, once in Minis and once in Micros". Nowadays it's four times: once in Mainframes, once in Servers, once in PCs and once in Tablets and Smartphones......

Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

Regardless, you’re still at an extreme level of specificity because you’re literally manipulating pins and wires alongside registers. You can’t just take an AMI ROMBIOS8 from one board and slap it on another. Yes, there’s a common core – that’s why we have AMI, Phoenix Technologies and used to have Award (plus Insyde as used by Sony/HP.) But to actually use that core requires extensive work to support the specific silicon and wiring used by a given motherboard. That information is always trade secret, and heavily protected.