(Image credit: Aurich Lawson / Thinkstock)

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD-ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did. I've been suspicious of stuff around here ever since."

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that's able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine's inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

"We had an air-gapped computer that just had its BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world's foremost security experts. The malware, Ruiu believes, is transmitted through USB drives to infect the lowest levels of computer hardware. With the ability to target a computer's Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. In posts here, here, and here, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: "badBIOS," as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

Bigfoot in the age of the advanced persistent threat

At times as I've reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw. (A compilation of Ruiu's observations is here.)

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he's no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that has afflicted Ruiu's computers and networks.
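Two of the symptoms reported in the article, IPv6 traffic from hosts that were supposed to have IPv6 disabled and network activity from machines that were meant to be air-gapped, are exactly the kind of policy deviation a host inventory cross-checked against flow records can surface. The script below is an added example, not code from the article or from Ruiu's investigation; the flow-record layout, the host inventory and its policy fields (`ipv6_allowed`, `airgapped`) are all constructed for illustration.

```python
"""Flag flow records that contradict per-host network policy.

Added example. The inventory and the flow lines are constructed sample data,
not records from the article or from any real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed inventory: host name -> MAC address and policy flags (hypothetical).
INVENTORY: Dict[str, dict] = {
    "lab-mac-01":   {"mac": "aa:bb:cc:00:00:01", "ipv6_allowed": False, "airgapped": False},
    "lab-obsd-02":  {"mac": "aa:bb:cc:00:00:02", "ipv6_allowed": False, "airgapped": True},
    "build-srv-03": {"mac": "aa:bb:cc:00:00:03", "ipv6_allowed": True,  "airgapped": False},
}

# Constructed flow records: "<time> <src_mac> <src_ip> <dst_ip> <proto> <bytes>".
SAMPLE_FLOWS: List[str] = """
10:00:01 aa:bb:cc:00:00:01 fe80::1 ff02::1 icmp6 86
10:00:02 aa:bb:cc:00:00:03 2001:db8::3 2001:db8::10 tcp 1500
10:00:03 aa:bb:cc:00:00:01 10.0.0.11 10.0.0.1 udp 200
10:00:04 aa:bb:cc:00:00:02 fe80::2 ff02::16 icmp6 90
10:00:05 aa:bb:cc:ff:ff:ff 10.0.0.99 10.0.0.1 tcp 60
""".strip().splitlines()


@dataclass
class Flow:
    ts: str
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src_mac, src_ip, dst_ip, proto, nbytes = line.split()
    return Flow(ts, src_mac.lower(), src_ip, dst_ip, proto, int(nbytes))


def is_ipv6(addr: str) -> bool:
    """True if addr parses as an IPv6 address; malformed input counts as not IPv6."""
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def find_violations(lines: Iterable[str], inventory: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (host, reason, record) for every record that breaks policy.

    Checks, in priority order:
      1. the source MAC is not in the inventory at all (unknown device on the wire);
      2. the host is marked air-gapped, so any traffic from it is a deviation;
      3. the source address is IPv6 but the host has IPv6 disabled by policy.
    """
    by_mac = {v["mac"].lower(): name for name, v in inventory.items()}
    findings: List[Tuple[str, str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        host = by_mac.get(flow.src_mac)
        if host is None:
            findings.append(("unknown-host", f"unknown source MAC {flow.src_mac}", line))
            continue
        policy = inventory[host]
        if policy["airgapped"]:
            findings.append((host, "traffic seen from host marked air-gapped", line))
        elif is_ipv6(flow.src_ip) and not policy["ipv6_allowed"]:
            findings.append((host, "IPv6 traffic from host with IPv6 disabled", line))
    return findings


if __name__ == "__main__":
    for host, reason, record in find_violations(SAMPLE_FLOWS, INVENTORY):
        print(f"{host:14} {reason:45} {record}")
```

On the constructed input this reports three deviations: the IPv6 neighbor-discovery traffic from `lab-mac-01`, the traffic from the supposedly air-gapped `lab-obsd-02`, and a source MAC that is not in the inventory. The value of the check is the baseline: link-local IPv6 chatter such as `fe80::/10` to `ff02::` multicast is normal on most networks and only becomes interesting once policy says that host should be silent.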