Dragos Ruiu
2 years ago, Public
More on my ongoing chase of #badBIOS malware. It's been difficult to confirm this as I'm down to a precious few reference systems that are clean. I lost another one yesterday confirming that simply plugging in a USB device from an infected system into a clean one is sufficient to infect. This was on a BSD system, so this is definitely not a Windows issue, and it's a low level issue: I didn't even mount the volume and it was infected. Could this be an overflow in the way the BIOS IDs the drive?

Infected systems seem to reprogram the flash controllers on USB sticks (and CD drives, more on that later) to attack the system (BIOS?). There are only like ten different kinds of flash controllers used in all the different brands of memory sticks and all of them are reprogrammable, so writing a generic attack is totally feasible. Coincidentally the only sites I've found with flash controller reset software are .ru sites, and they seem to 404 on infected systems.

The tell is still that #badBIOS systems refuse to boot CDs (this is across all OSes, including my Macs). There are other more esoteric problems with partition tables and devices on infected systems. Also USB CD drives are affected; I've bricked a few plugging and unplugging them too fast (presumably as they were being reflashed) on infected systems. Unsafely ejecting USB memory sticks has also bricked them a few times on #badBIOS systems for clean systems, though mysteriously they are "fixed" and reset by just simply replugging them into an infected system. Extracting data from infected systems is VERY tricky. Yesterday I watched as the malware modified some files on a CD I was burning to extract data from an infected system; I don't know what it was yet, I have to set up a system to analyze that stuff.

On Windows my current suspicion is that they use font files to get up to some nastiness. I found 246 extra ttf and 150 fon files on a cleanly installed Windows 8 system, and three stand out, meiryo, meiryob, and malgunnb, that are 8mb instead of the 7 and 4mb sizes one would expect. Unfortunately ttf files are executable and Windows "previews" them... These same files are locked by TrustedInstaller and inaccessible to users and administrators on infected systems, and here comes the weird part: they mysteriously disappeared from the CD I tried to burn on a completely new system (a laptop that hadn't been used in a few years) that my friend brought over, which had just been freshly installed with Win 8.1 from MSDN, with the install media checksum verified on another system.

I'm still analyzing, but I'm certain we'll ALL have a large problem here. I have more data and info I can share with folks that are interested.
John Marrett, 2 years ago
I'm very interested in this issue. Please tell us more about how the BSD system was compromised by the USB stick.

Was the OS immediately affected, or was it only after a reboot?

What was the extent of the impact on the BSD, did it proceed down to OS level or was the impact only at the BIOS/AMT/ME/Whatever level?
Thomas Heine, 2 years ago
My BIOS does not really mount a stick either but checks if the stick or drive is bootable. So I think your assumption is right.
Tim Johnson, 2 years ago
I find your ideas intriguing, and would like to subscribe to your newsletter.+15
Alex Wendler, 2 years ago
If this is real I love it
Super interesting. Rogue intelligence malware?+3
Alex Guetsche, 2 years ago
Have you tried mounting the windows disk under linux & then extracting the data?
I'd really love to see the 'more data'+4
James Sanders, 2 years ago
Have you tried turning it off and back on again? #ITCrowd+11
Douglas Otis, 2 years ago
I ran into this issue several years ago. Attempts to reflash the BIOS would cause the source media to be erased. I had to use read-only media to reflash the BIOS, which was a PITA. It also refused to boot from optical media. This was why I felt reflashing was in order. The different BIOS manufacturers all used the same vulnerable compression code where signature checks were bypassed by giving the BIOS an evil logo to display. Here is a reference used in the Windows 8 and Windows 8 RT review.
Dennis Roos, 2 years ago
So, this is finally happening? It has been talked about for years ;)
And the same sort of thing has been implemented various times as well.

In order to capture the traffic on the USB bus that infects new devices, have a look at Travis Goodspeed's work on the GoodFET/FaceDancer board:
Carlos Ferreira, 2 years ago
How in the world, can a simple query from the BIOS to the device, re-write the BIOS itself? For that to happen, the malicious code needs to be executed somewhere outside the CPU. This is pretty l33t stuff!+2
Carlos Silva, 2 years ago
This is big... more info/data would be nice :)+2
Arseny Levin, 2 years ago
John Atkinson, 2 years ago
This is really intriguing
Roeland Jansen, 2 years ago
What Rick states... sceptical.+1
Could you share some info about the affected hardware? One possible vector could be infecting SMI (System Management Interrupt) which allows running code without even kernel noticing it. I have no idea how this attack could be bootstrapped, though.
Dragos Ruiu, 2 years ago
Hardware: Vaio S series, ThinkPad X1 Carbon Touch, Commel LE-564 among others.
Vaio S series and ThinkPad X1 Carbon use Intel chipsets with the possibility to run SMI code. However, Commel LE-564 seems to have a VIA Eden CPU on a motherboard made by VIA, which I believe does not support SMI. I find it very interesting IF a single piece of malware can run on all these platforms and infect the flash BIOS successfully.
Carlos Ferreira, 2 years ago
"they mysteriously disappeared from the cd I tried to burn on a completely new system"
Once the data is burned, it stays there. The only way to make them disappear would be by ordering the recorder to make a second pass. It is possible since it's the firmware that controls that, but the malware would have to infect that previously.

This is getting very weird. How does the malware get executed on the motherboard in the first place?
Scott Sellars, 2 years ago
Someone pass me a tin foil hat.+6
Alex Cain, 2 years ago
have you been able to determine what data it is sending?

also any chance to test it against a chromebook?
Michael Abbott, 2 years ago
"Pulse" was such a great movie a few years ago (let's pretend the sequels didn't happen tho). 
Ralf Dog, 2 years ago
It might be fun to take a system with a discrete graphics card, infect that system, pull the graphics card, install it in a clean computer, boot the clean system, look for infection.
Jeremy Pickett, 2 years ago
Hey Dragos, regarding the potential communication via high frequencies, what tests have been done? It is fairly cheap to get a couple of 20Hz-20kHz mics, and with a quiet room plus Audacity it should be straightforward to prove if it is doing something anomalous. I'd love to help out if I can.+1
Adi Serghei, 2 years ago
Can we get a BIOS image dump?
Giovanni Civardi, 2 years ago
May I suggest to just dump all the EEPROMs? Obviously not from the machine itself, but instead by dumping the chip directly with an external programmer/reader.
AFAIK, the vast majority of memory chips are supported by flashrom, and that can be used with a cheap Bus Pirate. You can buy it here ->
I'm not in any way involved with Dangerous Prototypes or Seed Studio, just a happy hacker :) 
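Once a chip has been read out externally as Giovanni suggests, the useful next step is to compare the image against a reference (the vendor's update file, or an earlier dump of the same board) and record hashes of every dump. The script below is an added example written for this thread; it is not code from any poster, flashrom or Dangerous Prototypes. It assumes the dumps are raw, equal-sized binary images such as those written by `flashrom -r <file>`, and uses constructed sample data in place of real firmware so it runs offline.

```python
import hashlib

# Constructed sample data (not real firmware): a 4 KiB "baseline" image and a
# copy with two regions altered, standing in for two raw dumps of the same chip.
BASELINE = bytes(range(256)) * 16
_tmp = bytearray(BASELINE)
_tmp[0x100:0x110] = b"\xff" * 16        # 16 bytes changed at 0x100
_tmp[0x800:0x803] = b"\xaa\xbb\xcc"     # 3 bytes changed at 0x800
MODIFIED = bytes(_tmp)


def sha256_hex(data):
    """Hash of a whole dump; the first thing to record for each image."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(a, b):
    """Return half-open [start, end) byte ranges where the two dumps differ.

    A size mismatch is reported as an error rather than padded over: a chip
    that reads back at a different size is itself something to investigate.
    """
    if len(a) != len(b):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(a), len(b)))
    regions = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:           # difference runs to the end of the image
        regions.append((start, len(a)))
    return regions


def compare_dumps(baseline, candidate):
    """Summarise how a candidate dump deviates from a baseline dump."""
    regions = diff_regions(baseline, candidate)
    return {
        "baseline_sha256": sha256_hex(baseline),
        "candidate_sha256": sha256_hex(candidate),
        "identical": not regions,
        "regions": regions,
        "changed_bytes": sum(end - start for start, end in regions),
    }


def load_dump(path):
    """Read a raw image file, e.g. one written by `flashrom -r <file>`."""
    with open(path, "rb") as f:
        return f.read()


def describe(report):
    """Human-readable version of a compare_dumps() report."""
    lines = ["baseline  " + report["baseline_sha256"],
             "candidate " + report["candidate_sha256"]]
    if report["identical"]:
        lines.append("images are identical")
    else:
        lines.append("%d byte(s) differ in %d region(s):"
                     % (report["changed_bytes"], len(report["regions"])))
        lines += ["  0x%06x-0x%06x (%d bytes)" % (s, e, e - s)
                  for s, e in report["regions"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Two real dumps would be compared with:
    #   compare_dumps(load_dump("vendor.bin"), load_dump("suspect.bin"))
    print(describe(compare_dumps(BASELINE, MODIFIED)))
```

Two caveats when reading the output: a UEFI image contains a variable store (NVRAM) that legitimately changes between boots (settings, boot entries), so differing regions must be mapped against the image layout before they mean anything; and a dump taken from a live board can only be trusted if the programmer, not the suspect machine, did the reading.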
Paul Coddington, 2 years ago
Meiryo and Malgun are the ClearType-enabled fonts for Japanese and Korean respectively, so they are standard issue and are about 9+Mb due to the large number of characters in Asian languages. Does not mean they could not be used as an attack vector, but I thought I should mention this in case a casual reader sees them on a system and panics.+2
Carlos Ferreira, 2 years ago
I pretty much doubt it would be like that. If the malware could infect at such depth, why not just hide the files and have them off the TOC?
Duane Meyer, 2 years ago
As for network over audio -
Instead of routing the sound through a radio for TX/RX just use the speakers and mic. It's the exact same thing.

Pretty darn sophisticated as a whole. You need better procedures though if you think sharing USB drives between machines counts as airgapped. :D

@arstechnica- Your Conde Nast is showing. This article is bad.
Matt Seddon, 2 years ago
Probably an obvious thought, but... are you certain only you had access to all these machines, and someone else didn't have at some point unrestricted access to the machine?
Matt Seddon, 2 years ago
Without detailed statements from multiple researchers now that this is a real phenomenon, with a solid, well described methodology, this will continue to be met with derision. If this is as serious as you believe, you need to build a vocal group of industry professionals, WAY before you run to the media. 'Cause. Y'know. That's how research works.+2
Chris Stobing, 2 years ago

Please contact me directly, I have very pertinent information regarding the issue you are having.
Duane Moody, 2 years ago
You studied this for three years without mentioning it until a month ago. You describe symptoms which haven't been observed in the wild. You imply the vulnerabilities in USB (which exist) are a vector to installing platform and firmware agnostic firmware reflashers which run without error, make baseless claims about the filesize of a Chinese TTC collection, and produce nothing more than some text files of MD5 sums. 

Are you delusional or just really deeply in debt to the point you'd sell your reputation for a hoax?

Post code or shut up.
Douglas Otis, 2 years ago
Dragos Ruiu,

I am interested in purchasing some of your systems that had their BIOS compromised. Please contact me with the related details.

Douglas Otis
Nikolay Minev, 2 years ago
So there's a simple solution to check whether your system is infected or not?
Check if it refuses to boot from CD. If there's no CD installed (ultrabook, netbook), check if .ru sites with controller reset software return 404?
Both of them? - Congrats! You're infected. :-\
Todd Madson, 2 years ago
Very peculiar. You need to analyze the complete contents of those USB sticks. But how to do it without contaminating the system doing the analysis? If PC, Mac and Linux are all potentially susceptible we need another option! Maybe an in-line packet sniffer wired into the actual ethernet connection that isn't a computer? +1
Matt Seddon, 2 years ago
Chris, it can be more complex than that if it's driven from the infected host, but given surely someone of Ruiu's stature could easily mail a laptop down to a forensics lab, I'm somewhat leaning towards calling bullshit at this point.
Ralf Dog, 2 years ago
Here is what I don't understand: a virus like this sounds state sponsored. At a minimum, it would take a great deal of low level hardware understanding. Why would they block registry editing and booting from a CD? If the virus was compromised by a format, it would just find a copy of itself and rebuild. Blocking the optical boot is just advertising its existence. If you have the system rooted, why block a registry editor? Instead of crashing it, just provide fake data.

It's late and I am tired. Am I missing something?
Jeff Barron, 2 years ago
I had a bad 7-8 month period of a persistent attack and I certainly never understood, since I am not a high value target for any group, nor is my mother or stepdaughter, who had devices compromised with the same (very similar, I can't really claim same yet). Brossard's paper/talk and Core Security research were really my only references besides some people on the Sysinternals forum (all of us were made fun of and called stupid, crazy, trolls). In my case ACPI was used for some things. State sponsored in his case, but this level of malware is achievable and with less effort than you might think. The more awareness of the possibility alone is a positive in itself. I certainly don't have the background publicly to come out with this and not be assumed dumb, crazy or crooked. I also note that some of the methods sound familiar to some of the things the Guardian has reported on with heroic journalism by Greenwald. I wish NSA would stop snooping and man up and say yes we did it or 'leak' how to fix it.

I will warn any douchebags that created the stuff I dealt with, read English and decide to start the crap again with me, that I will get very loud, but not before I counter trojan them.
So here's a thought... if this virus truly does affect BIOS and USB at this low of a level, why not switch your forensic workstation to an older, non-BIOS, non-Intel-based machine? Think along the lines of say a SunBlade UltraSPARC based machine, an HP-UX PA-RISC workstation, DEC Alpha, or even an older Mac G5? If the workstation doesn't have a BIOS and doesn't have an Intel/AMD based CPU then at worst it can flash the USB chips. No BIOS flash, no UEFI, and without the x86 based instruction sets there shouldn't be any code execution and no hypervisor either due to architecture differences.+3
Fábio Olivé, 2 years ago
I'm skeptical but was just thinking: perhaps this is infecting ACPI? The only common thing you'd have between all these OSes on modern machines is ACPI. Neither OpenBSD nor Linux use the BIOS during normal operation, except when ACPI and SMM take over and preempt the OS. So maybe a possible attack vector would be ACPI dealing with the USB device before the OS has a chance to interact with it; the device exploits bugs in the ACPI and installs SMM code that will preempt the OS when it wants, and then hides the exploit area of the device so that you won't find anything. At least for me that makes it plausible, but I'm still skeptical. Like William Gruesbeck Jr. posted above, it would be sane to test in old machines that do not have ACPI and SMM, and on non-x86 machines where the exploit wouldn't work.+2
Daniel Cegiełka, 2 years ago
Is listening to music or watching movies still safe?+1
I think the only effective way to fight this thing is to help it evolve up to a point at which it will react like a digital biological entity. Things then will become pretty easier as any such entity must "feed" itself. Find the proper enticement and then put in the proper nasty, crunchy bit of arsenic!
Nick Alcock, 2 years ago
+Fábio Olivé, I'm reasonably certain that you can only 'install SMM code' by, well, reflashing the BIOS. (Which we know this is doing anyway.)

i.e. it may well be using SMM to retain control post-infection, but before, not so likely -- unless, of course, they've found a buffer overrun in some SMM code some BIOS runs -- but chipsets vary widely in this domain at least, with some running very little SMM at all and some running horrible amounts. But ACPI? Everyone runs an ACPI interpreter, and it's almost always the same one, a modified copy of the ACPICA reference implementation. Find a hole in that...
Dragos Ruiu, 2 years ago
Fabio, I had the same thought about ACPI. To verify, I spent a lot of time configuring OpenBSD kernels without ACPI and APM (and let me tell you that was a bitch, had to do ugly things to the sys source tree), and the kernel that the USB infection was tested on was one of those. That said, I did find an unusually long 33k DSDT ACPI table on infected laptops.+2
Dragos Ruiu, 2 years ago
Also finding old non x86 machines with USB... Well the only thing I have like that around here are some old 68k macs... They may get dragged out of storage yet...+1
Nick Alcock, 2 years ago
It's not ACPI? Colour me amazed. What programmable components are left that it could be? Is the Southbridge programmable? (Presumably the machine doesn't have a BMC on board: God knows those are exploitable. I wish I had some way of turning mine off, since upgrading it to something not a writhing mass of security holes is apparently out of the question. But no, the thing is involved in the boot process: turn it off by brute force and the machine won't boot...)
Andrea Panza, 2 years ago
Mmmh, honestly without any data I feel a little skeptical, but assuming that everything Dragos says is true, there is a beast capable of infecting very different machines at a very low level and able to propagate through microphone and speakers... To me it sounds like the real targets of this stuff are not laptop and desktop computers, but smartphones (and maybe even less evolved phones). What do you think, guys?+1
Paul Coddington, 2 years ago
In addition to my previous comment, I would add that some confusion may be caused by the fact that Windows 8 hides fonts that are not in use by the current user, according to per-user language preferences. Perhaps this feature has a bug which causes font files to be hidden in non-standard contexts/locations (other than the Fonts folder and selection lists), such as a CD-ROM.

My next comment has to do with how this investigation appears in the popular press, so take it with a pinch of salt. I have not followed this story back to the source in any great detail, but this may account for any flak coming your way:

Some of what is being said about this does not ring right from a sceptical and scientific perspective (publishing before results are in; working alone when other people's expertise and equipment is needed; unfamiliarity with the basics of the OS that a non-technical user would be familiar with; much speculation with little or no definitive experimental verification; the surprising number of machines lost during investigation; the contradictions in having a super-bug that reveals itself immediately by preventing boot from a CD-ROM, yet has incredibly sophisticated self-healing and hiding abilities that would require substantial code and processor resources, yet can be quickly transmitted over low bandwidth air-gap modems, etc). It all gives the impression that the axe is blunt and the trees are selected at random. Given your record is praised here and there, I would not be surprised if this is an artefact of the press (we all know how inaccurate news reporting is), but it is not helping matters.
+Carlos Ferreira "How in the world, can a simple query from the BIOS to the device, re-write the BIOS itself? For that to happen, the malicious code needs to be executed somewhere outside the CPU. This is pretty l33t stuff!"

By living in the VGA or network firmware. It can run on either of those CPUs -- more likely the VGA since we're already using CUDA et al to do things like airsnort.

Does anyone know if the northbridge or southbridge of current motherboards is reprogrammable? I believe on AMD systems one of the two is integrated into the CPU along with the memory controller.

+Dragos Ruiu why have you not checked an audio spectrum visualizer? If the malware is being transmitted via ultrasonic audio, you could use the visualizer to see the spectrum and decode the "packets" to determine their contents and gain more info into what the malware is doing and how it is operating.

Also, while you mentioned that the malware has been infecting "most known OS," you have failed to mention what, if any, processes are invoked to perform the random data deletions, let alone mentioning specifically what types of files are targeted by the random deletions.
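Jeremy's suggestion (a couple of mics, a quiet room, Audacity) and the spectrum-visualizer question above both come down to the same measurement: is there acoustic energy above the audible range that goes away when the suspect machine's speakers are disconnected? The script below is an added example for this thread, not code from any poster. It probes a recording with the Goertzel algorithm (a cheap single-bin DFT, so no numpy is needed) and reports how strong the loudest ultrasonic bin is relative to the loudest bin anywhere. The sample rate, band edges and -40 dB threshold are assumptions; the recordings it runs on here are constructed (a 1 kHz tone with faint noise, with and without an added 20 kHz tone) so it works offline. A real capture would be loaded with `load_wav_mono()`.

```python
import math
import random
import struct
import wave

RATE = 48000                 # assumed capture rate; 48 kHz gives a 24 kHz Nyquist
ULTRASONIC = (18000, 24000)  # assumed band of interest, Hz
STEP_HZ = 100                # spacing of the probed bins
THRESHOLD_DB = -40.0         # assumed: flag if the ultrasonic peak is within 40 dB of the loudest bin


def goertzel_power(samples, rate, freq):
    """Power |X(k)|^2 of the DFT bin nearest `freq`, via the Goertzel recurrence."""
    n = len(samples)
    k = round(freq * n / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s2 * s2 + s1 * s1 - coeff * s1 * s2


def band_peak(samples, rate, lo, hi, step=STEP_HZ):
    """(freq, power) of the strongest probed bin in [lo, hi]."""
    best = (lo, 0.0)
    f = lo
    while f <= hi:
        p = goertzel_power(samples, rate, f)
        if p > best[1]:
            best = (f, p)
        f += step
    return best


def ultrasonic_report(samples, rate=RATE):
    """Compare the strongest ultrasonic bin to the strongest bin in the whole spectrum."""
    any_f, any_p = band_peak(samples, rate, STEP_HZ, rate // 2)
    us_f, us_p = band_peak(samples, rate, *ULTRASONIC)
    rel_db = 10.0 * math.log10((us_p + 1e-30) / (any_p + 1e-30))
    return {
        "loudest_hz": any_f,
        "ultrasonic_peak_hz": us_f,
        "ultrasonic_rel_db": rel_db,
        "flagged": rel_db > THRESHOLD_DB,
    }


def load_wav_mono(path):
    """Read a 16-bit PCM WAV (first channel only) as floats in [-1, 1]; returns (samples, rate)."""
    with wave.open(path, "rb") as w:
        nch, width, rate, n = (w.getnchannels(), w.getsampwidth(),
                               w.getframerate(), w.getnframes())
        if width != 2:
            raise ValueError("only 16-bit PCM is supported")
        raw = w.readframes(n)
    ints = struct.unpack("<%dh" % (n * nch), raw)
    return [v / 32768.0 for v in ints[::nch]], rate


def make_signal(seconds=0.1, rate=RATE, ultrasonic_amp=0.0, seed=1):
    """Constructed test input: 1 kHz tone + faint noise, plus an optional 20 kHz tone."""
    rng = random.Random(seed)
    out = []
    for i in range(int(seconds * rate)):
        t = i / rate
        x = math.sin(2 * math.pi * 1000 * t)
        x += ultrasonic_amp * math.sin(2 * math.pi * 20000 * t)
        x += rng.gauss(0.0, 0.001)
        out.append(x)
    return out


CLEAN = make_signal()                      # nothing above the audible range
SUSPECT = make_signal(ultrasonic_amp=0.1)  # 20 kHz component 20 dB below the tone

if __name__ == "__main__":
    for name, sig in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, ultrasonic_report(sig))
```

A positive result only says that something in the room emits in that band; switching power supplies, displays and some appliances do too, so the check that matters is whether the peak disappears when the suspect machine's speakers are unplugged and reappears when they are reconnected. Decoding any modulation on top of the carrier is a separate job that this script does not attempt.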
Cee Ell, 2 years ago
"You studied this for three years without mentioning it until a month ago. You describe symptoms which haven't been observed in the wild. You imply the vulnerabilities in USB (which exist) are a vector to installing platform and firmware agnostic firmware reflashers which run without error, make baseless claims about the filesize of a Chinese TTC collection, and produce nothing more than some text files of MD5 sums."

Yeah, I would strongly suggest a vacation with some R&R, allowing colleagues to assist, then coming back with a fresh approach. Working from a potentially faulty premise can lead you down all sorts of rabbitholes.
Nobody said it was platform agnostic. Just because it runs on both Macs and PCs does not mean it's platform agnostic. They both use x86 instruction sets now. It is also possible to use the GPU to avoid detection because a process created solely in the GPU (and therefore the video RAM) would not show up in memory and therefore would not show up in any process list. Being that Nvidia's CUDA and ATI's equivalent (don't recall the name off the top of my head) are OS-agnostic, it's easy to see how this could run across multiple OSes.
Correction: theoretically, it's possible for the malware to create processes only within the GPU and video memory, thereby avoiding detection from process lists. The thing that is bugging me the most about this is how you were analyzing packets that "suddenly stopped" when you unplugged the speakers and microphone, without knowing that it was the speakers and microphone transmitting the packets. When I analyze network packets, I typically am presented with a list of network devices. I think I would know if there was a rogue network device. Not to mention on Linux, you can turn off the network service, which removes all IP addresses and disables all network interfaces.

I'd like to know more about your packet analyzation techniques that allow you to analyze packets without knowing anything about what hardware is doing the sending and receiving of packets.
Asas asasas, 2 years ago
Can't you dump the contents of the BIOS chip to a file? On some motherboards the BIOS chip is not soldered but placed into a socket. Remove the chip from the motherboard, then read the data with some sort of hardware. In this way the virus code wouldn't have a chance to hide itself.
It's possible on PCs but I believe most of his hardware is Mac-based and so it is likely not possible.
Fábio Olivé, 2 years ago
+Thomas Spear
I'm sure Dragos can answer better, but I only saw mentions of two infected boxes exchanging information over ultrasound, not infection over ultrasound and nothing about creating a new network interface at the OS level. So if two infected boxes are communicating over ultrasound, and one of them has Internet access, it will serve as a router to the other. You would only see random packets coming out of it. At least this is what I understood so far. Anyway, if you can see packets going out, I would imagine the first thing you do is capture them and traceroute to the destination addresses, to get a grasp of where the listeners are.
It would be great to be able to read a short paper on this with only the objective technical information, not the story or any speculation. Would make things much clearer. :)
Ralf Dog, 2 years ago
Fábio Olivé, I am sure, whoever, if anyone, is doing this, they would use some kind of botnet, if not reverse IP spoofing[1] to a non-existent address. If reverse IP spoofing, I guess you could get a general idea of where they were.

[1]If one of the machines along the tracert were compromised, that computer could be forwarding traffic to the real destination. (This would require something close to the backbone be compromised. I will admit, this is very wild speculation. Perhaps the space aliens did it!)
Ralf Dog, 2 years ago
Anyone have ARM based hardware with USB they are willing to sacrifice?
+Ralph Dog I have an old dd-wrt router I'd donate, along with the galaxy nexus I'm young on.+1
Ralf Dog, 2 years ago
Thomas, that was more of an idea from the peanut gallery than a real request. I was indirectly asking, could that be of use, as opposed to asking for one. My thought was, an ARM device could take the USB hit without executing x86 code. That could be of use, it could not, just an idea.
Understood, I had the same thought. It seems he either didn't test his router or it isn't infected so it's likely. Could also do it with an ia64 (as opposed to x86_64) system with Windows Itanium, or on a Power PC based Mac though which would be much easier than an arm system.
+Dragons Ruiu I can get ahold of a Mac G5 pretty easily. Were there ever drivers for a USB 1.1 or USB 2.0 controller released for OS9? If so you could install an aftermarket controller on one along with the drivers and continue your tests of the USB microcontroller on the sticks.
Michoo M, 2 years ago
Can you provide one of infected usb drives, or perhaps if that's impossible could I send you some old pendrive for infection? I should be able to hack up some poor fpga to act as USB bridge/logger (or maybe even gain access to really fast oscilloscope/data logger at univ) and record all transmission on wire-level.
Matt Lazarowitz, 2 years ago

Would those tools help you? Price-wise, they are pretty affordable.
Joel Seltmann, 2 years ago
I believe the person that has the right idea to begin with is William Gruesbeck Jr..... Mac G5 uses the PowerPC CPU.
You mentioned the term earlier "platform agnostic"... the only reason this is so is because the new Apples and Windows BOTH use Intel CPUs and compatible hardware thereof! Go ahead, get a G5, install MacFUSE, NTFS for Mac OS X, NTFS-3G, or Tuxera NTFS to be able to read the USB file format if it is in the NTFS format, then drop the USB stick into FileBuddy: should be able to find an older version for PowerPC.
If you see anything "dubious", use File Juicer to extract elements that look like they are a type of package or file:
Dragos Ruiu, 2 years ago
I have my old flowerpot iMac. However I don't have time to fire it up. I'm sure something in Akihabara can be sorted out next week. :-)
Russel Griffin, 2 years ago
+Dragos Ruiu I've been reading a lot about this virus thing and I have so many ideas about it.... I'm no computer genius but honestly it doesn't actually sound like malware or a virus at all... I do suggest though to take a major look into the sound it's putting off and either enhance the sound till you really hear something then also slow it down or even speed it up... If you hear something please send it to me.... Btw stop trying to fight it and just let it do what it wants for awhile... You might be thinking at this point what I am but please email me or contact me
Glen Estes, 2 years ago
I was just thinking.. It will reflash itself in bios even if you flashed with legit firmware anyway. What about audio chips? Could it be hiding in writable MIDI eprom? To be completely frank.. It could hide in multiple places but possibly using some eprom elsewhere as a staging area to burn the code after initial infection?

This sounds like it's going to get to the level of having to use digital debug/voltage monitoring hardware to figure this one out..

Kind of makes me lament the advent of ease of using flash from OS level bios software.
Russel Griffin, 2 years ago
+Glen Estes actually what I was thinking is that it's in multiple places that it stores parts of itself so it can repair but honestly what does it do if left alone and is recorded with sound and video separately tho
What about the Red/Blue Pill code from Rutkowska and the former ACPI VM-hypervisor trojan/rootkit?
I found in the years 2005-2007 a VM-ACPI hypervisor example code.
Later, after Rutkowska made her work and presentations at the Black Hat conference, the code was gone without a trace.
That was around 2009/2010.
Exactly the same time range your problems started.
Maybe combined with reversed functionality from the Tempest for Eliza.
Russel Griffin, 2 years ago
+Michael Schuh well your first thing about Red/Blue pill doesn't sound like this thing much cuz it's detectable but that second part actually might be part of it but in a completely different reason... Think of my idea of recording the sound and either slow it down or speed it up... Honestly I think it wants to be known and try to communicate with ppl... Ppl can call me crazy but think about it if it came from no where then how can it be this complex... Plus it learning to defend itself against everything +Dragos Ruiu throws at it
+Russel Griffin Rutkowska showed it is possible to make the ACPI rootkit undetectable. It is even able to manipulate the BIOS settings and much more.
OK, I am not really deep into it, but we shouldn't forget the time I found the VM trojan example code was 2006-2007; that's quite a lot of time to fix it or improve it, even if the infected systems got infected already in 2009/2010.
Remember the Blue/Red Pill stands for a proof of concept, not for what is exactly in the wild.
If I understood Rutkowska correctly it is possible and you will never detect it until you disassemble the HW/rip out the flash chips and investigate them from the hardware side without activating that thingy.
For sure such things do not come from nowhere.
What if the virus is not fully coded as we may think, like a single program? What if the virus/malware is using system functions and ACPI code very efficiently, so the malware itself is just a piece of the puzzle?
If you control the ACPI code you control nearly everything in the system, including power on/off mechanisms and what happens at those times.

This way you can keep the malware very small.
And as the text of Ruiu showed, that thingy tries to communicate or at least to send data to IPv6 networks.
Further, if it comes to the code itself, it has to be assembler code, not just compiled C code.
If you program assembler by hand you can write very efficient code, more efficient than a compiler. This way the code is also very small.
Also, is there enough space in the entire computer system to spread the code over the entire system?
If I would be the designer of it, I would put parts of the malware directly in that place I like to control:
the firmware and microcode of each component. Everything that has no space for microcode I would keep in a central place.
E.g. CPU stuff will get into the space for the microcode of the CPU, NIC stuff into the firmware space for the NIC and so on.
There are many components in the box which need their own firmware:
CPU, NIC, BIOS, GPU, TPM. For the reason the system is all the time on the power cord, or at least it has a battery to keep the BIOS timer and the BIOS settings, it is also possible with ACPI code to move the malware just before you use your memory or your GPU. This technique is not new, normally just on another level. So it is possible the malware stays in memory or the memory of the GPU, and at the time you push the power button it moves, or it simply stays there and manipulates the report of the amount of memory to the operating system. Do you really notice if there is 2MB of your memory or your GPU memory missing?
NO. No one really cares about the accuracy of the numbers of the amount of GPU memory.
This way you can have much more space for malware, more than would be needed to have it in one piece at all.

To get this puzzle solved you have to put your brain in the position of the attacker.
Where would you hide? What would you do if?
How will you communicate with the system?
If this thingy uses advanced technology and is able to manipulate an operating system, how will you get this thingy caught?

You can't even be sure that another system you like to use to investigate network traffic isn't infected. :-D
+Vipin Ashodhiya I got this idea too: a Raspberry Pi or Arduino as USB bridge, to see what flows over the USB bus if a device gets plugged in. But if the malware is ACPI shit the ARM board must be free from ACPI chips and support.
Or direct measurement of the lines with an oscilloscope, which can record and write protocols/logs.
Dragos Ruiu, 2 years ago
This thing isn't tiny. More like humongous. We've been watching it for three years, and it touches a dazzling array of system components. Had occasion to trigger a couple of reinstalls on infected machines. Let's put it this way, when they hit the bug out button, it took hours to slowly uninstall.+1
Ralf Dog, 2 years ago
Dragos, the way I understand it, there are one or several very small boot loader programs that flash themselves into peripheral systems, then root the computer so the main virus can not be detected, and download the payload or the smart part of the virus. If the virus is able to compromise the USB firmware on non-ACPI devices, could it be "smart" enough to root a cell phone, tablet or such, then download the ARM version of its payload? Somehow, I don't think this is true or no one would be able to boot from optical media today. This thing would be everywhere.

If this virus did not have the bit about not booting from optical and crashing when you try to edit specific registry keys, how would you detect it?
Russel Griffin 2 years ago
For how it acts proves my theory +Dragos Ruiu and I highly recommend you to stop trying to find it and stop fighting with it cuz it honestly might not just be small part of the computer but it could honestly have by now be the computers OS and everything else... If ppl only think logically then they forget about the things that actually can happen... This thing is NOT programmed by a person or there would be a sign of who it's from... No matter how smart ppl are at creating something they always put something in it to make their mark... THINK OUTSIDE THE BOX
Ralf Dog 2 years ago
Dragos said, "Let's put it this way, when they hit the bug out button, it took hours to slowly uninstall."

So, what you are saying is, it is gone? Do you have any of it left? I am assuming the USB fobs continue to be infected. When did they (whoever they are) send the destruct code?

How about a nice FAQ page, with a nice timeline?
Russel Griffin 2 years ago
+Ralf Dog he also said it was on a couple of systems which means there is still at least one computer left with the "virus" but even if someone was controlling it there should be a trace somewhere cuz something so isolated shouldn't be able to be controlled by the outside world so I'm wondering if it hit a bug out knowing it couldn't go anywhere
Ralf Dog 2 years ago
Russel, it was never isolated, that is the point of this thread. He had an infected computer that was disconnected from the network. He had an unknown number of infected computers that were connected to the network. This software had a fallback function that, when disconnected from normal networks, would use sound to see if there were any infected computers that had internet access.

If it finds a path to the internet, by ultrasound network, it connected to the command and control computers, wherever they are, gave a status report and waited for humans to give instructions. The virus is not showing skynet-like intelligence, it just has some cool networking tricks and lots of mini viruses, designed to fit backup code that reloads the main virus if it gets erased. These functions were not created real time to try to get out. They were preexisting, however the virus may have been upgraded by Command and Control after the initial infection.

The questions are, is this real? If it were anyone other than Dragos, I would say it was a hoax. If it is real, what is the reason? One possibility is, someone is messing with Dragos, trying to disrupt his reputation (NSA or such.) It could be, the virus is everywhere, someone sent him an easy to detect version, with the intent that he go public (Snowden 2.0.) It could be, someone sent a localized version, just to mess with his computers, much like the Iranian nuclear enrichment plant. It could be, Dragos flipped a bit and even with his good reputation, decided to have a bit of fun with us.

We don't have the information to know the answers.
Russel Griffin 2 years ago
And none of you are getting to the main thing out of everything that has been said what is the one common connection that all the computers had.... SOUND... figure out what it's actually sending thru sound... It must be running something to analyze and decode the sound or its giving commands at such high speed that it breaks it down slow enough to process in the main computer... Sound is the key.... You can go thru the files all you want but if it can erase things on discs he burnt or even corrupt USB drive then hell good luck reading those files
Ralf Dog 2 years ago
Sorry for spamming this board. I understand why anyone would not want to let this out into the public. If the wrong people got this and played with it, things could get bad. That said,  find some nice credible university group, send them an infected USB stick, with lots of digital hazard stickers and warnings on it, then let them rip it apart. Validation of even part of these claims from an unrelated party would be cool.
Ralf Dog 2 years ago
+Russel Griffin , public/private key cryptography. If you were to dig through the code, byte by byte, you might find the public key. That would be worthless as, to read the data, you would need the private key on the control servers.
Russel Griffin 2 years ago
I honestly don't want it to be sent to other ppl cuz hell if it was to get all over the world which it might have already and we just can't see it but the only thing I'd do really is to see what it's purpose is and what does it do besides defend itself from being deleted
William Smith 2 years ago
Can you say where it was trying to send IPv6 packets to?
Ralf Dog 2 years ago
+Russel Griffin ,

Probably just rip off all your banking usernames and passwords, check to see if you have any porn, turn on your webcam to watch you undress and use your computer to generate Bitcoins. It might also send out Russian Viagra spam.

More than anything, it just opens your computer wide up, so the people who may or may not have done this can do anything they want with your money and your life.
Russel Griffin 2 years ago
+Ralf Dog try to simplify things tho and don't over complicate things.... Honestly the most simplest things always get overlooked no matter how in depth you look into it... And I highly doubt it would be for anything like that cuz hell I wouldn't send a virus so complex and intelligent as this to some guy in a computer security business...
Russel Griffin 2 years ago
If anything make a game with this virus and send it out to gamers I bet you anything you will have what you need then
Nicodin Bogdan 2 years ago
is there any independent research to confirm this? at least some colleagues from work. that will do. you posted no code, no packet capture, nothing relevant really. Just a spooky story. this is unprofessional and you are discrediting yourself. it's been 2 days now since this went public and all you have to show for it is a comment on this thread saying "how humongous it is". what does that even mean? Kb, Mb, lines of code? If you truly believe what you are saying I fear you went mad.
Research on high-frequency sounds as computer-to-computer communication vectors is pretty old... as well as BIOS and chip hacking/malware techniques... but mixing both into one malware/attack technique is pretty new and funny..... have a look at this....
Brian Bosak 2 years ago
Something about this whole #badBIOS  thing reminds me of this:
Dragos Ruiu 2 years ago
The files that disappeared on the CD were missing from the original data set, and differed on subsequent burns of the same CD image made by Windows.... On a non-networked box.
Nicodin Bogdan 2 years ago
Maybe the wish fairy took them. +Dragos Ruiu 
Ralf Dog 2 years ago
+Dragos Ruiu , I see lots of skepticism about your posts, understandably so. I have a few questions that might quiet a bit of that skepticism.

1, Have you shared any of the code or infected devices with other respected researchers? I understand, those researchers may not want their names involved until a bit more research is done. A yes or no would be a very cool answer.

2, If the answer is yes, is there a general time frame when we might expect public confirmation of any of your findings? Not looking for anything specific, just a general time.

3, If the answer to question 1 is no, why have you chosen not to share your samples and when might you choose to do so?

4, Can you talk about any law enforcement or intelligence agency contact about this issue? Again, a yes or no answer would be great.
Raul Ramirez 2 years ago
I have a few queries; I do not speak English well and am using a translator.
1. Has this virus been tested on the PS3 or Xbox? Can it infect them?
2. Would it be the same with the BIOS of a recordable TV?
3. Same with BlackBerry, iPod, iPad?
Joris Lambrecht 2 years ago
+Vipin Ashodhiya Thinking the same thing here (Deep Shit Creek). Even if it is a hoax run out of control, there's been a lot of interesting conversation (if one ignores the professional skeptics), especially the part on ACPI. Personally I'd feel sooo much better if non-x86 based machines and operating systems were to become common in use. Maybe Dragos has a hard time admitting he's impressed with Windows 8, or would that be OS X?

If I were him I'd relocate the machines to a far away location, preferably in a research facility, to eliminate any outside influence and see what happens. Shield it with lead, damned.
David K 2 years ago
It would help to have a list of infected systems, with brand, model, BIOS version, etc. Maybe there's a pattern someone will notice. Also, is 'legacy' BIOS vulnerable or only EFI? How about OpenBoot? Could you dump and upload an image of the BSD machine? There's a lot of details to go over with this and the more eyes the better.
karthick gopi 2 years ago
If anybody is looking for samples, I suggest looking for the simple keywords in APAC based search engines other than Google, Bing or Yandex. Good luck finding them in forums (.ru, .ch).

Test it at your own risk! Hope I helped those who like playing with code.
To pwn, or not to pwn... that is the question.
Joris Lambrecht 2 years ago
Since some of the nay-sayers actually seem to cut wood, I felt obligated to think of plausible scenarios for this to be a non-technical construct. I'm not responsible for anyone taking me seriously.

a) Releasing such a plausible scenario will invite people to show colour. Separate the mentally capable from the mental 'flock'.

b) This is actually a POC and it is always good to test the temperature of the water before stepping in. All them comments also supply a plethora of angles to present and position such a POC.

c) This is real and it is actually a good idea to release it like this into the public for the same reasons as presented in b.

d) People grow tired, irritated but also amused. Let's give them something to chew on while we have something completely different up our sleeve.

e) The outer limits... paid to create a subliminal advertisement campaign about W8 or OS X? (funky, spreading like a virus, uh?)

Anyway, it's been fun. Now where's the jelly? It's not even being discussed on the snort or VRT mailing lists, while Mr. Ruiu is likely to be a 'major contributor'. In 21 years I've never heard of anything jumping across all major operating systems, though I'd not be surprised if such were ultimately possible given they all run on the x86 platform.
Itex Pass 2 years ago
Here's how I think BadBios starts. 

4.2 Loopback booting
GRUB is able to read from an image (be it one of CD or HDD) stored on any of its accessible storages (refer to see loopback command). However the OS itself should be able to find its root. This usually involves running a userspace program running before the real root is discovered. (TRUECRYPT HIDDEN OS THAT BOOTS THE MOMENT IT RECEIVES POWER, BEFORE BIOS ) This is achieved by GRUB loading a specially made small image and passing it as ramdisk to the kernel. This is achieved by commands kfreebsd_module, knetbsd_module_elf, kopenbsd_ramdisk, initrd (see initrd), initrd16 (see initrd), multiboot_module, multiboot2_module or xnu_ramdisk depending on the loader. Note that for knetbsd the image must be put inside miniroot.kmod and the whole miniroot.kmod has to be loaded. In kopenbsd payload this is disabled by default. Additionally behaviour of initial ramdisk depends on command line options. Several distributors provide the image for this purpose or it's integrated in their standard ramdisk and activated by special option. Consult your kernel and distribution manual for more details. Other loaders like appleloader, chainloader (BIOS, EFI, coreboot), freedos, ntldr and plan9 provide no possibility of loading initial ramdisk and as far as author is aware the payloads in question don't support either initial ramdisk or discovering loopback boot (TRUECRYPT FAVORITES FEATURE ACCOMPLISHES THIS IN EVERY OS IT CAN RUN ON. ) in other way and as such not bootable this way. Please consider alternative boot methods like copying all files from the image to actual partition. Consult your OS documentation for more details

2.  Easily implemented with this gadget
Mark Fisher 2 years ago
A colleague of mine has reported exactly the same issue; other symptoms include 'morphing' files and folders, unscheduled events of all kinds (automatic re-mounting of the CD and USB), file-systems that only appear on infected machines, direct infection of clean machines (multiple OS's) from unformatted USB drive, continual screen glitches, random faces and glyphs appearing, hums and whistles from hardware which continued after the devices were disconnected and power supply removed, 'subliminal' effects from speakers and monitor.
It seems impossible to perform any kind of analysis in software due to the virus' ability to infect any machine that it comes into proximity with. For this reason, I believe some kind of nano-robot may be involved, which is programmed to target specific individuals. We'll be looking at the mainboard, peripherals and PSU, as well as speakers, mic and monitor, very closely, looking for bore-holes, tiny wires, and blobs of glue or glass-like matter, which would indicate that some kind of sub-microscopic activity has occurred.
Crusty Saint 2 years ago
Awesome, sounds like a mix between stargate, x-files, fear and loathing in las vegas, lets not forget Blood Music by Gregg Bear. Do not shoer while unattended.
Crusty Saint 2 years ago
shower, damned.
Vegas Bitcoin 2 years ago
I know someone with similar issues.
Crusty Saint 2 years ago
Are USB sticks a portal for alien reconnaissance into the mathematical constructions we use as computers? Did they conclude computers are more straightforward to communicate with? Or is the grid awakening? One more upgrade and we will know.... This sounds eerily like an older virus revamped.
+Edward J I am not that sure that I am not affected. :8~)

For the sake of the information flow and the ongoing observations
I will not say much in public.
I noticed in the near past some crazy happenings.

I am very sure about my former sayings.

Yes, it is known that some hacks come through gaming.
It is a nice way to meet new targets.

If we communicate over affected devices, the entities have an advantage: they are informed. And exactly that is part of the crazy happenings I mentioned before.
They can control nearly everything, including infiltrated downloads of software.
Also encrypted disks will not help then. :-)

So keep in mind, every time you speak about it, post something, mail something... they know about it.
If you speak about things you notice, in public and over your affected devices, you inform them about their errors and mistakes.
They will improve. :8~)
If I type here some text and you read it, they know.

I had the impression they even know if I type in text and delete it afterwards to write something different.

Means: we have to go into the past, search for old CD images of network-capable operating systems which include the ability to investigate network traffic, like old live CDs, e.g.
Further, we need hardware which is also so old that it contains not a single bit of ACPI code. It also has to be so old that it is free from the possibility to run fully virtualized systems. No VT-x extension on the CPU, no ACPI shit in the entire system. Plain audio support to listen to the high-frequency or low-frequency data transfer, no USB support or, if possible, secure USB support.

Then we have a slight chance to investigate this.
But the game is over if that shit can infect such old systems through the net or the USB bus.
If I understood Dragos right, that shit travels over any media.

I have to think about this, especially about the USB part.
More communications in private, please.
And all microphones, speakers, network plugs...
If your phones and the computers are infected, there is always the possibility to listen.
They know nearly everything about you.
Destroying the object of investigation is the wrong way.

Getting angry makes a foggy mind.
You need a clear mind for logical solutions
and answers.

I pointed to a way to investigate.
Danny Bradley 2 years ago
I have the same problem. On my system are things working which shouldn't exist. I broke up (old but same mobo) a chip with 3 middlewave antennas in it and it is connected with onboard LAN. It seems it works, for my BIOS is also flashed and it has a shadow copy in my GeForce GTX 660 VRAM. On my HDD I found different filesystems which have different cluster/sector/size setups. They are connected via When I try to format them with DBAN on UBCD, the existig
Thomas Maher 2 years ago
I would love to know more. I had these 3 worm files, supposedly they were called with all different names and numbers, never knew they existed till Comodo found them. Then the only way to fix my OS from the disaster it left behind was to do a re-upgrade of 8.1 Pro.
Thomas Maher 2 years ago
+Edward J I have never been hacked, was close but they failed lol, but I have seen some computers that I was fixing for some of my friends or in school in IT get hacked even after a fresh install of Windows.
Thomas Maher 2 years ago
+Edward J better yet just disable all remote access too :) lol
Thomas Maher 2 years ago
Ah I see
Crusty Saint 2 years ago
Thus far I have yet to see useful protection measures. IPS works at its best, as does AV, but the real protections are system and network administration skills paired with continuous analysis. Though the downside is these are labour-intensive and are often the subject of ridicule; these actually require passionate professionals, not hacky hipsters.
Thomas Maher 2 years ago
+Crusty Saint if you want real network protection just go download their software for protection, it's the best
Crusty Saint 2 years ago
Thomas Maher never heard of it, never saw it reviewed, was their SSL CA not hacked a few years back?
Thomas Maher 2 years ago
idk but it works perfectly for me, although it does have those few bugs of not working correctly sometimes. But yeah I agree firmware hacks are very hard to know, but luckily I can tell I think, as I've seen a computer get hacked even on a new OS install, which made no sense because nothing was installed, so it must have been a firmware hack. And I heard the noise USB makes going in and out of a computer repeatedly till it malfunctions, so that's also a firmware hack. The only way to stop it is either turn off wifi, which probably won't stop it, or restart your computer and make sure nothing is connected to it.
Crusty Saint 2 years ago
Dude, come back in a few years, firmware hacks are pervasive penetration, you would not know what hit ya unless you made copies of each bit of firmware and knew at what positions changes are permitted to occur
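The approach the comment describes, a trusted copy of each firmware image plus knowledge of which positions are allowed to change, is mechanical once the image layout is known. The following is an added example, not code from the thread or from any participant: it hashes a dumped image and a reference copy region by region, treats regions marked mutable (such as a settings store) as expected to differ, and reports any difference elsewhere together with the offset where it starts. It also refuses a layout that leaves part of the image unlisted, since an unlisted gap is exactly where a change could go unnoticed. The 4 KiB image, its three-region layout and both patched copies are constructed for illustration; a real image's layout comes from the vendor or from the flash descriptor, not from this table.

```python
"""Compare a dumped firmware image against a trusted reference copy region by
region, separating changes in areas that legitimately vary (e.g. the settings
or NVRAM store) from changes in areas that must never differ.
The layout and images below are constructed for illustration."""
import hashlib
from typing import Dict, List, NamedTuple


class Region(NamedTuple):
    name: str
    offset: int
    length: int
    mutable: bool   # True if normal operation rewrites this area


def check_layout(image_len: int, regions: List[Region]) -> None:
    """Regions must be non-overlapping and cover the whole image; otherwise a
    change in an unlisted gap would never be reported."""
    pos = 0
    for r in sorted(regions, key=lambda reg: reg.offset):
        if r.offset != pos:
            raise ValueError(f"gap or overlap before region {r.name!r} at offset {pos}")
        pos = r.offset + r.length
    if pos != image_len:
        raise ValueError(f"layout covers {pos} bytes, image is {image_len}")


def region_digests(image: bytes, regions: List[Region]) -> Dict[str, str]:
    """SHA-256 of every region, keyed by region name."""
    return {r.name: hashlib.sha256(image[r.offset:r.offset + r.length]).hexdigest()
            for r in regions}


def first_difference(a: bytes, b: bytes, r: Region) -> int:
    """Absolute offset of the first differing byte inside region r, or -1."""
    for i in range(r.offset, r.offset + r.length):
        if a[i] != b[i]:
            return i
    return -1


def compare_firmware(reference: bytes, candidate: bytes, regions: List[Region]) -> Dict[str, object]:
    """Report which regions changed, which of those changes are unexpected
    (immutable regions), and where each unexpected change begins."""
    if len(reference) != len(candidate):
        raise ValueError(f"size mismatch: {len(reference)} vs {len(candidate)} bytes")
    check_layout(len(reference), regions)
    ref, cand = region_digests(reference, regions), region_digests(candidate, regions)
    changed = [r for r in regions if ref[r.name] != cand[r.name]]
    unexpected = [r for r in changed if not r.mutable]
    return {
        "changed": [r.name for r in changed],
        "unexpected": [r.name for r in unexpected],
        "first_diff": {r.name: first_difference(reference, candidate, r) for r in unexpected},
    }


# --- constructed 4 KiB image with a hypothetical three-region layout ---
LAYOUT = [
    Region("boot_block", 0x000, 0x400, mutable=False),
    Region("main_code",  0x400, 0x800, mutable=False),
    Region("nvram",      0xC00, 0x400, mutable=True),
]
REFERENCE = bytes([0xAA]) * 0x400 + bytes(range(256)) * 8 + bytes([0xFF]) * 0x400


def with_patch(image: bytes, offset: int, data: bytes) -> bytes:
    """Return a copy of image with data written at offset (test helper)."""
    return image[:offset] + data + image[offset + len(data):]


# Only the mutable settings area differs: expected after a BIOS setup change.
SETTINGS_CHANGED = with_patch(REFERENCE, 0xC10, b"\x01\x00\x00\x02")
# Part of the code region was rewritten as well: must be reported.
CODE_CHANGED = with_patch(SETTINGS_CHANGED, 0x7F0, b"\x90" * 16)

if __name__ == "__main__":
    for label, image in (("settings only", SETTINGS_CHANGED), ("code rewritten", CODE_CHANGED)):
        result = compare_firmware(REFERENCE, image, LAYOUT)
        print(f"{label}: changed={result['changed']} unexpected={result['unexpected']} "
              f"first_diff={ {k: hex(v) for k, v in result['first_diff'].items()} }")
```

Keeping the reference copy and the comparison on a machine that never sees the suspect hardware is the point of the poster's "copies of each bit of firmware"; the script only tells you what changed, not whether the dump it was handed is honest.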
Thomas Maher 2 years ago
+Crusty Saint oh lol, well it's not like I'm an expert at everything lol. I don't know much at all about firmware but what it is, plus I just finished 12th grade in high school, graduating on June 7, but I know a lot about computers and stuff, so I have lots more to learn and stuff.
Crusty Saint 2 years ago
No prob, just informed here. Start by studying OS and processor architecture, also network protocols such as Ethernet; the rest will follow by passion or not at all.
Thomas Maher 2 years ago
+Crusty Saint I'm pretty good at knowing somewhat about a lot of stuff on OS, but networking stuff I stink at lol, tried studying it, was just too much, couldn't get it.
Vanessa Steenson 2 years ago
Sounds like you have a very similar virus to mine. I have lived with it for coming up six years now. I fight with it, it kills my phones, USBs, PC, Mac, Linux Lime etcetera etcetera, any system I am endeavouring to function normally on; sometimes I win the round and it behaves for a while. It's more interesting than an Xbox game, that's for sure. This week it wiped the system in my car after I deleted some of its favourite programmes. My friends and family have all come to know it. They don't ever ask to bludge my net connection, never bring any electronics near me that they love, and are quite used to the cell transmissions going haywire for 24 hours after coming over for drinks. Would be interested to see data on yours to see if they are similar. I'm not an IT person but I have had to learn a lot since this gremlin showed up. Every now and then I get fed up and pay an IT specialist to "fix my computer", but not one of the 30+ attempts has ever even come close to even patching it for more than an hour. Right now it has set up a little network in my office from a nearly new Win 7 Compaq desktop and is happily exchanging goodness knows what with my two week old iMac and the router, that it has decided is actually another computer. It's not boring I guess. Pity the Compaq will have degraded beyond repair by end next week. They don't live very long. It somehow, for want of a better term, "eats" them.
Vanessa Steenson 2 years ago
Today I apparently have an SPE aFlame variant loitering in the assembly.
I cannot fathom what anyone would want to "pursue" me for. I think it is more likely sheer dumb bad luck. Not that I doubt what you are saying - there is certainly a very uncanny human aspect to this virus. I have four phones so that must keep them quite busy. I might leave them on the coffee table and crawl into the freezer instead :-) hmmm I am looking into the VMware thing - thanks! I will see what I find. Yeah I'm computer shopping again tomorrow. My new Mac is stuffed.
Vanessa Steenson 2 years ago
Interesting. I have stashes of veeery old machines and disks and the like. I agree. I had the best example with clear logging of what they were doing, but before I could do anything with it, it got stolen. Like seriously? Wouldn't have been $30 in the state it was in.
Thomas Maher 2 years ago
+Vanessa Steenson I feel very bad for you, have you tried Comodo software to see if it can fix it?
Thomas Maher 2 years ago
Very interesting virus you have, it's kinda funny though too, but seriously, do these people who hack really have no life lol
Vanessa Steenson 2 years ago
Hey. Comodo can't even run.
I'm just setting up the new Mac, and lo, the IP scanner says I have 60 ports chattering.
Thomas Maher 2 years ago
Vanessa Steenson 2 years ago
Yes Thomas really :-)

However I have had a wee breakthrough in the last 24 hours. It's pretty exciting after this many years.
Vanessa Steenson 2 years ago
+Edward J wow I just checked out the book online. I'm gonna have to get it I think. Sounds unbelievable and horrific!
Thomas Maher 2 years ago
+Vanessa Steenson funny thing is I showed my IT teacher the problem you're having, he was shocked and said no, there's no such thing, and told me to not believe it. idk what to think now lol, but if it's true then how people really have no lives when they do that lol
Vanessa Steenson 2 years ago
I guess your IT guy needs to upskill a bit.
Just this week it was on the news about a piece of malware the Israelis built that can jump air gaps like badBIOS.
And yes, malicious code can definitely do all of the things people have mentioned on here - and more. It's only been since approx 2006 that it's got more and more out of hand. Coding is state of the art with almost AI capabilities.
However I found out last night why mine can: it's an Apache module, not a virus. Somehow I am attached to a module that is very rare. And because it's Apache in C, it of course can read Android and other Unix based software.
Vanessa Steenson 2 years ago
Sorry my typing is terrible as I'm down to my Galaxy phone at the moment.
Vanessa Steenson 2 years ago
You only have to google zombie bits to know that an infected PC will likely upload 1000s of emails etc per hour. I once uploaded 60GB in one evening unknowingly. Mind you, there is a very big difference between an IT technician and a malware expert, so I wouldn't worry too much what your guy says.
Vanessa Steenson 2 years ago
Bots not bits
Vanessa Steenson 2 years ago
Yup, very scary. I was entirely ignorant of all of this until I got hacked in 2009. Took me a long time to open my eyes. I was so frustrated that I couldn't just chuck a boot disk in or run ComboFix and make it all go back to normal, you know, like what most people do to fix their computer. But now I can see, and boy, we are up against some genius deviants. The only thing we can really do is learn like crazy to try to keep up. Oh, and not let it drive you crazy, cos it damn near will if you let it :-)
Vanessa Steenson 2 years ago
I have about 10 variants of my virus in various appliances. It's a fatty, man. It gets to about 9000 files and weighs in at a whopping half GB. Yet when an IT 'expert' sits down to assess my machine they either don't notice it or don't know the back end well enough to see such a glaring anomaly. I'm always like wtf????? It's practically cuddling you! These days I can clearly show it to anyone and it scares them and they leave pretty quickly.
Thomas Maher 2 years ago
+Vanessa Steenson I think I may have a solution: get System Mechanic Pro and I'll show you what you need to have and do, hopefully it will fix it, and you can get this program for $20 online or so. Activate System Shield for virus/spyware protection, then use System Guard to block all unknown or dangerous processes, then use the Incinerator to incinerate these files that you can see yet no one else sees them, and use Drive Scrubber to clean all free space, and do some of the other important fixes it has.
Vanessa Steenson 2 years ago
Hi Thomas :-) well you have good taste in software, huh. I have it. It's one of my favs. I use it all-the-time :-) pretty much any software you can think of, I will most likely have it, have had it in the past, or else it's rogueware. Thank you for thinking of me tho, I appreciate it.
Thomas Maher 2 years ago
Np :) I like helping ppl if I am able to :)
Vanessa Steenson 2 years ago
That's very nice of you.

I wonder if this guy will be happier if I give him some of my malware?
Thomas Maher 2 years ago
+Vanessa Steenson lol who knows, and what guy are you talking about? The person who's giving it to you, or the IT person that has come to your house to fix it, or try to?
Thomas Maher 2 years ago
+Vanessa Steenson btw I think I may have thought of a solution to that problem with the file that keeps growing in size :) if you wanna know about it :)
Vanessa Steenson 2 years ago
Ok sure? I'm all ears :-)
Thomas Maher 2 years ago
+Vanessa Steenson create a folder on your desktop, copy the biggest file that you know is safe, keep pasting it over and over in that folder to fill up all drive space, delete the file that keeps gaining space and then fill up your drive with that file you used to do it, and wait a few days, then see if it's trying to increase or remake itself again, and delete a few of those files, then see if the file reappears and grows in size. If it's gone then the problem you had is gone :) and repeat this process for all your devices that have it.
Michael Farrelly 2 years ago
For all you posters and Dragos Ruiu.....................

I hope this helps some of you and you will take note that binning stuff works as a way out.

The diary of a madman.............
I was taken out by something weird like this 4 years ago on a pc I had.
It fried the machine. I had to bin the whole thing and lost a lot. I am IT tech heavy so I had several PCs. I have been in the IT industry since before Windows and mice and have been around, so I know a dead puppy when I see one and I have fixed literally thousands. I knew something was up. This does not happen at all. Something had got me.

The story of an idiot........
The PC was connected to the internet. It was set up as a standard PC for internet, email, docs, etc. (Firewalled, A/V, malware and up to date with all.) I was downloading stuff using a bittorrent version and doing my usual tramping around various websites and blogs.

I suspect/know it had something to do with a download - complete wikileaks database. (I know - I was an idiot to do it but I was curious to see what I got)

What did I get?.........
It first hung the machine and it would not power off using the "power off" button (motherboard switch). I had to plug it out. On power up it would not boot beyond the first bios point and left the pc with a flashing cursor and then it would reboot itself. This is the way it stayed, repeating this cycle. It would not power off unless I pulled the plug on it.

The pc would not boot from cd. It would not let me into bios setup on startup. When I removed the hd and installed a known working and tested standby clean o/s disk, it started a boot sequence and as I tried to get into the bios setup at this point - The pc flashed its bios setup for a second and then powered off. On power up, it did the same thing again.

The way out using an airgapped rig.........................
I suspected that there may have been some type of motherboard failure on the PC and removed the standby disk and tried the standby HD on a clean airgapped system that was set up as a disk testing rig.

It checked ok and when run as a boot system in the rig, it booted clean. I had run this disk as a standby disk on the pc previously and on the rig and it worked ok. I knew that the problem existed in the pc/hd of the dodgy machine. I removed all hd units from the pc and set them aside.

There were now no hds in the system. I powered up with a boot cd installed in the machine while it was not powered. On power up, the pc first flashed a cursor and tried to read the boot cd as first boot device. It did not accept this as a boot device and looked for hds. It did not find any and it rebooted itself. It repeated this cycle and would not allow me access to the bios or allow me to power off using the motherboard power off sw.

I removed the boot cd and tried a cold power up boot with no cd device or hd installed.

Death occurred..............
What happened next was weird. On power up using the mains switch, ie direct ac power on/off sw, the pc did not attempt a boot sequence or the usual bios messages for "no disk" etc. It flashed the cursor and the mother board and the power supply fried. I heard it make a strange noise and it died.

The power supply burned out and I thought ok, and installed a new one. On power on - nothing - a dead baby.

I suspected it may have been something that I was downloading or that I was spiked.

The power supply that failed in the pc was dead, the mother board was dead. The power supply installed after the fail was ok, as the motherboard would not power up.

A dead pc is a dead pc..............................
I still had my hds from the pc and the standby disk.

The fix.......eventually.........
The rig I had setup still had the standby disk in it, as a boot disk - not primary boot but first in boot sequence. I pulled the power from the rig and removed the standby disk.

On power up of the rig, it looked for the standby disk and went into disk missing bios mode. It froze and I pulled the plug. On power up, this time it went through a boot cycle and started the correct rig o/s hd. It then froze and rebooted it self.

I then connected the standby into the rig with all other disks removed and rig hd as primary.

The standby was showing a root virus and several corrupted files in the hidden file area of the disk. I reformatted this disk and checked the rig o/s - virus in root. I could not get rid of it no matter what tools I used. I tried for 4 days using tons of s/w. No good. It would say it was clean and then would re infect from bios.

I ran the rig using a boot cd dos only installed and found the bios corrupted. I reinstalled the bios in the motherboard and after several attempts at this, it "took" and worked ok as a motherboard/bios/cd only dos machine.

The pc o/s hd was binned.
The standby o/s hd was binned.
The rig hd was binned

The other HDs in the PC were set aside and eventually tested in a separate rig, using CD boot as primary in DOS.

I found that any hd from the pc that was in primary was infected.
These were binned.

As the BIOS was now infected, I had to rebuild the separate rig BIOS per above and test the secondary HDs from the PC. These were ok.

Data recovery...
I cleaned out all data from the HDs and reformatted them.
I tested everything again and again and again. Clean.

The result...
I built an Internet/office PC with external plug-in HD units.
The plug-ins are NEVER connected while on the Internet.
All data acquired from the Internet lives on the O/S HD of the PC. It is firewalled/AV/anti-malware and up to date.

I never transfer data to the external unit while Internet connected.
Before I transfer data, I run complete A/V and malware checks using several s/w products, and when checked clean the data is transferred to an external HD specifically for downloads only.

My own data connects to an air-gapped device and never makes it to an Internet device. I use CDs to transfer to and from the air-gapped PC.

I never BitTorrent from either machine - that is done on another device.

I have been hacked and virus infected several times again on both devices that I use for the Internet, and have a rebuild system CD that has been used several times. It is quicker to rebuild a PC from a boot CD.

Moral of the story...
Keep any stuff you really need away from the Internet, and burn and use the build CD to make sure it works OK, so you don't waste days trying to save data or the PC.
Thomas Maher, 2 years ago
+Michael Farrelly wow, I don't know what to say. Sounds scary, all those PCs being fried and of no use because of a BIOS infection, very sad. Now it got me thinking: once I get my data backed up, how can I tell my BIOS is infected? My computer has been weird but works fine. Like, I did Startup Repair today on Windows 8.1 Pro even though it booted fine, just wanted to see what it found. It did sfc and failed to repair, then I did sfc on Windows under an admin command prompt and it found no problems. Can someone help me with this? Also it seems like my 4 GB RAM with no page file makes my computer fail and reboot and have problems, yet with a page file it works fine. It worked fine with my 8 GB RAM with no page file. Had to go back to 4 GB so I can get a replacement for my 8 GB RAM as it was overheating too much, the RAM got way too hot.
vanessa CZ, 2 years ago
+Michael Farrelly I'm going to try that. Sounds like it could be a possibility. I currently have shut down my 4 machines, all Android phones, and I'm sad to report after weeks of trying my nemesis has hacked my iPhone - only the 4s it seems, not the 5, which is odd? The log files prove it, as does the fact that it constantly turns off now randomly at full power, plus it pulses in and out in volume when I'm talking on it, which is excruciatingly annoying.
Dave Morgan, 1 year ago
I can't help but think this is a hoax. I would like to get a USB stick with this supposed badBIOS on it for my own analysis. I just find it hard to believe, and I am willing to sacrifice a few motherboards if needed.
Thomas Maher, 1 year ago
Dave Morgan, 1 year ago
Does anyone have this bad BIOS? I will send a USB stick to you with return postage if you will share it with me. I'm an IT professional with expendable hardware.
Hi guys. I have been doing a lot of testing (and computer breaking), but I tell you, if you even have any peripherals that have a board, the bugs will jump. I had a screen with 2 ports and it jumped.
Thomas Maher, 1 year ago
If there's a cure I'd like to know.
Thomas Maher, 1 year ago
Vanessa Steenson thx, luckily never had this, but if I do now I know what to do and will see if it works thx :)
Suzie Haslinger, 1 year ago
I HAVE BEEN FIGHTING THIS VERY THING FOR 3 YEARS, every similarity, down to the extra fonts. Found and deconstructed a file the other day, 100 pages of text reporting the subsystem installation. All through, it made references to FBI software.
Thomas Maher, 1 year ago
Anyone come across a solution to permanently fixing this known bug that's in BIOS?
+Dave Morgan
I don't recommend asking for it. I am sure, although they may not comment, that all researchers who have used this thing are infected, unless you move out of state, change your name and run for the hills. You do realize this is Dragos Ruiu, right? Founder of... yes, all of that.
The program will put you on a hypervisor, so that any subsequent inspection is flawed. The USB will dump false data... thus the mention of the firmware being hacked on the USB. I got one for you though, but I wouldn't wish it upon my worst enemy. Think long and hard about what you are asking for.
BTW - Thomas Maher sounds like the typical troll playing dumb... which is typical from my research. All the interest. Unless he is a fat ugly kid with nothing better to do than send obviously "slow" messages to derail the conversation... I would guess he is part of the crew.
All the interest, mentioning Comodo Firewall, etc. Lulzang. Welcome Michael (no reference to Michael F above, who was very helpful). Glad to have you with us. Can I buy you some Cheetos?
Suzie Haslinger, 1 year ago
In my experience, the BIOS IS programmed to incorrectly read the size of any given drive; it reads as somewhat less than 100%, even if a drive is nuked. I write zeros to a 500 G drive, and the system still reads it as 485, that kind of thing. Also, regarding Dragos' comment about what may be written to a CD while in the drive, I inserted my genuine, purchased, MS-provided W7 disc to attempt a Repair System; while in the drive it did not repair the system, but it DID re-write the OS ON THE DISC, so that my genuine MS OS disc is now corrupted with the RAT instructions. Didn't know those discs COULD be written to... Nothing I have is safe or reliable anymore. It jumped to the Android phone sitting in the drawer; IT (after an 'update') now has a Linux OS on an Android GUI. If I look at application manager\all, I can see that 'Android OS' is not running, nor is there even one KB associated with it.
theLuigiFan0007, 9 months ago
F*** this shit. My worst fear in terms of security is a stealthy BIOS rootkit.
Fascinating stuff though, if this is for real. I want to read more on it.
Suzie Haslinger, 9 months ago
Did anyone EVER figure out what this is? Or how to recover from it? I've lost so many laptops and phones to this; it jumps to every damn electronic that comes in the door.
theLuigiFan0007, 9 months ago
+Suzie Haslinger
I have no idea.

Just so you know, Android is Linux, with a Java-based user interface. That is completely normal. Android does not list itself or its disk usage by default in some versions. I question whether the device is really affected.

The Windows disc, however, could be infected. It's possible to corrupt CD/DVD discs in odd ways by writing to a finalized (read-only) disc.

If you need to remove the virus from a computer, I suggest finding someone who can attach an EEPROM flasher to the MB and overwrite the BIOS chip while the PC is powered off. This will kill it off. From what I've researched, BadBIOS (IF it exists, I'm still skeptical) cannot infect from sound; it communicates with already infected devices over sound or your wireless network. It CAN infect devices over Bluetooth, WiFi and USB, even if no network is connected, because it can fake itself as a router. And you know what devices do when they find an open network: autoconnect.

I know this sounds like a bad idea, but could I have a copy of the first 10 MB of an infected drive as a file? Trust me, I will not write it to a real drive, I know better than that. I want to open it in a plaintext hex editor and poke around the code and try disassembling anything that looks suspicious.
Suzie Haslinger, 9 months ago
I can send you a full drive of corrupted Windows, for your fun and enjoyment. Also have a TON of logs, reports and deconstructed DLLs. However much you want to see, I'll send it. If you can help me in any way, nobody would be ever more grateful than me. It IS TSR and I don't know how to clean the himem crop. Please please. I even have a giant spreadsheet full of the NAMES of the business pukes using my machine on this Microsoft SQL server. I'm so mad I want to kill... I won't, but you can imagine, I DO want my system back. Thank you SO much!!!!

Suzie Haslinger, 9 months ago
And, can you email me direct at  I truly don't trust Google+. Thanks!!!!!
Thomas Maher, 9 months ago
There's a program out there that fixes corrupted Windows.
Suzie Haslinger, 8 months ago
Can you tell me what the program is? The problem I run into is that since the RAT uses legitimate Windows functions, no tools recognize it, except pre-boot UBCD tools, things like that. My opinion is that so few people need remote administration that it should be an OPTION when loading Windows, NOT a defaulted load. Currently keeping my eyes open for an OS that doesn't even HAVE remote tools. Thanks
Judea Eden, 4 months ago
I think this is what I've been battling the past month on now four machines... I've been suspicious of root & boot manipulation, USB driver access, font susceptibility, among other things. Anything new to report?? Just found this page logged in from my gf's account... my email: if any additional discoveries and/or behaviors seen. thx