
Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet’s next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to exchange small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

“We were like, ‘Okay, we’re totally owned,'” Ruiu told Ars. “‘We have to erase all our systems and start from scratch,’ which we did. It was a very painful exercise. I’ve been suspicious of stuff around here ever since.”

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that’s able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine’s inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping “airgaps” designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

“We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” Ruiu said. “At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world’s foremost security experts. The malware, Ruiu believes, is transmitted through USB drives to infect the lowest levels of computer hardware. With the ability to target a computer’s Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. In posts here, here, and here, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: “badBIOS,” as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

Bigfoot in the age of the advanced persistent threat

At times as I’ve reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he’s beginning to draw. (A compilation of Ruiu’s observations is here.)

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he’s no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that have afflicted Ruiu’s computers and networks.

In contrast to the skepticism that’s common in the security and hacking cultures, Ruiu’s peers have mostly responded with deep-seated concern and even fascination to his dispatches about badBIOS.

“Everybody in security needs to follow @dragosr and watch his analysis of #badBIOS,” Alex Stamos, one of the more trusted and sober security researchers, wrote in a tweet last week. Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security—retweeted the statement and added: “No joke it’s really serious.” Plenty of others agree.

“Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest,” security researcher Arrigo Triulzi told Ars. “Nothing of what he describes is science fiction taken individually, but we have not seen it in the wild ever.”

Been there, done that

Triulzi said he’s seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built off of work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer’s peripheral component interconnect, the Intel-developed connection that attaches hardware devices to a CPU.

It’s also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.

Of course, it’s one thing for researchers in the lab to demonstrate viable firmware-infecting rootkits and ultra high-frequency networking techniques. But as Triulzi suggested, it’s another thing entirely to seamlessly fuse the two together and use the weapon in the real world against a seasoned security consultant. What’s more, use of a USB stick to infect an array of computer platforms at the BIOS level rivals the payload delivery system found in the state-sponsored Stuxnet worm unleashed to disrupt Iran’s nuclear program. And the reported ability of badBIOS to bridge airgaps also has parallels to Flame, another state-sponsored piece of malware that used Bluetooth radio signals to communicate with devices not connected to the Internet.

“Really, everything Dragos reports is something that’s easily within the capabilities of a lot of people,” said Graham, who is CEO of penetration testing firm Errata Security. “I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy.”

Coincidentally, Italian newspapers this week reported that Russian spies attempted to monitor attendees of last month’s G20 economic summit by giving them memory sticks and recharging cables programmed to intercept their communications.


For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.

“The suspicion right now is there’s some kind of buffer overflow in the way the BIOS is reading the drive itself, and they’re reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table,” he explained.

He still doesn’t know if a USB stick was the initial infection trigger for his MacBook Air three years ago, or if the USB devices were infected only after they came into contact with his compromised machines, which he said now number between one and two dozen. He said he has been able to identify a variety of USB sticks that infect any computer they are plugged into. At next month’s PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues behind the infection mechanism.

He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems.

Instituto Internacional de Seguridad Cibernética
International Institute of Cyber Security

Russian hackers stole the identification data of 54 million Turkish citizens


Russian hackers have seized the identification data of 54 million Turkish citizens because Turkey’s political parties and the Supreme Electoral Council (YSK) share the country’s voter information, a prominent research company manager has said.

“I have heard about it. Hackers in Russia have the ID numbers, addresses and fathers’ names of 54 million Turkish citizens,” Bekir Ağırdır, general manager of the research company KONDA, said last week in Ankara at a meeting to assess the country’s upcoming local elections, according to a report by the online news portal T24.

Ağırdır also said that some parties had no anti-virus system but uploaded all voter information online, and that “within two hours hackers downloaded all the information.”

Ana Bella

LOCKER MALWARE: a Cryptolocker copycat

A nasty copycat of Cryptolocker has arrived that holds the victim’s files to ransom, but the newcomer’s encryption is potentially fragile, we are told.

Security start-up IntelCrawler claims that a “large distribution” of the new malware, called Locker, began earlier this month.

Once Locker has infected a PC, it copies and encrypts the victim’s documents, adding a “.perfect” extension, and then deletes the original data. The trojan also drops a contact.txt file in each directory containing the malware author’s contact details, usually a disposable mobile phone number or an e-mail address.

Victims are warned that if they harass or threaten the extortionist, the decryption key needed to unlock the files will be deleted, which reveals the mindset of the bastards behind the scam.

IntelCrawler contacted a crook listed in the contact file and was told that a victim would have to pay up to $150 to a Perfect Money or QIWI VISA virtual card number to receive the decryption key needed to restore the information on a Locker-infected machine.

In order to decrypt, the victim must provide an identification code written in the “contact.txt” file, as well as the hostname of the compromised computer.

“It appears the hackers simply compare the list of infected users’ IP addresses together with their hostnames,” according to IntelCrawler.

Locker is an amateur-level effort compared to the CryptoLocker crew, which runs its scam using a network of command-and-control servers and a combination of 256-bit AES and 2048-bit RSA encryption to hold the data to ransom (the master key being held on the crims’ servers).

But despite its less advanced design, Locker has already managed to attack Windows computers in the US, we are told, including in Washington DC, Texas and Missouri, as well as PCs in the Netherlands, Turkey, Germany and Russia. Locker also, we are told, avoids infecting machines running tools used by security researchers, no doubt a tactic intended to keep the malware below the radar for as long as possible.

The nasty software spreads mostly via drive-by downloads from compromised websites. Executables disguised as MP3 files are another infection vector.

The Locker malware uses the TurboPower LockBox library, a cryptographic toolkit for Delphi: specifically, it uses AES-CTR to encrypt file contents on infected devices. But programming deficiencies will apparently make it possible for researchers to develop master keys capable of decrypting the files on compromised kit. IntelCrawler researchers are working on a universal antidote.

“We have found a decryption method and universal decryption strings [keys] for any infected client,” Andrey Komarov, chief executive of IntelCrawler, told The Reg.

Komarov added that detection of the malware by antivirus packages is low, with only Avira able to detect the pathogen as of Thursday night.
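As an added illustration (not part of this post or of IntelCrawler’s tooling), a small Python triage scanner for the two host indicators the post names: files renamed with the “.perfect” extension and the contact.txt note dropped in each affected directory. The sample directory it builds is constructed for the demonstration, and the pattern used to pull a phone number or e-mail address out of the note is an assumption about the note’s format.

```python
"""Triage scanner for Locker ransomware artifacts (added example).

Assumes only the two indicators the post gives: encrypted copies carry a
".perfect" extension and a "contact.txt" note appears in each hit directory.
The note-parsing regex and the sample tree are constructed assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

LOCKER_EXT = ".perfect"
DROP_FILE = "contact.txt"
# The post says the note carries a throwaway phone number or an e-mail address.
CONTACT_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\+?\d[\d\s-]{7,}\d")


def scan_for_locker(root):
    """Walk root and return {'dirs': [...], 'files': [...], 'contacts': {...}}.

    'dirs' lists directories holding both indicators (strongest signal),
    'files' pairs every .perfect file with the original name it was copied
    from (the original is deleted, so this is the restore list), and
    'contacts' maps each contact.txt to the extracted phone numbers and
    e-mail addresses, useful for blocklisting and reporting.
    """
    result = {"dirs": [], "files": [], "contacts": {}}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = [f for f in filenames if f.lower().endswith(LOCKER_EXT)]
        has_note = DROP_FILE in filenames
        if has_note and encrypted:
            result["dirs"].append(dirpath)
        for name in encrypted:
            original = name[: -len(LOCKER_EXT)]
            result["files"].append((os.path.join(dirpath, name), original))
        if has_note:
            note = Path(dirpath, DROP_FILE).read_text(errors="replace")
            result["contacts"][os.path.join(dirpath, DROP_FILE)] = CONTACT_RE.findall(note)
    return result


def build_sample_tree():
    """Construct a throwaway directory that mimics a Locker-hit share (constructed data)."""
    root = tempfile.mkdtemp(prefix="locker_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "budget.xlsx.perfect").write_bytes(b"\x00" * 16)
    (docs / "letter.docx.perfect").write_bytes(b"\x00" * 16)
    (docs / DROP_FILE).write_text("ID 4471\ncontact: decrypt@example.invalid +1 555 010 2233\n")
    clean = Path(root, "Pictures")          # untouched directory: no indicators
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    report = scan_for_locker(build_sample_tree())
    print(f"{len(report['dirs'])} directory(ies) show both indicators")
    for path, original in report["files"]:
        print(f"  {path}  (was {original})")
    for note, contacts in report["contacts"].items():
        print(f"  note {note}: {contacts}")
```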



Hackers infiltrate European ministries’ networks at the G-20 summit

Chinese hackers compromised the networks of five European ministries through a spear-phishing campaign during the September G-20 summit, according to experts.

Ministry staff, including those of Portugal and the Czech Republic, were sent fake e-mails containing malicious attachments, including one titled “US_military_options_in_Syria”, according to a Reuters report.

Researchers at the security firm FireEye uncovered the attacks after monitoring the hackers’ main server for a week in August. They eventually lost access when the group changed servers.

The experts determined the hackers’ origin because Chinese is the default language used both on their control servers and on the machines used to test the malicious code.

While FireEye could not tie the attacks to a specific group, some security experts speculate that it was a state-sponsored campaign, the New York Times reported on Tuesday.


Microsoft has confirmed that it will issue a patch for a TIFF zero-day flaw in its GDI+ graphics component that is known to have been actively exploited in targeted attacks using tainted Word documents sent to victims via e-mail since early November.

“This is yet another TIFF exploit. The TIFF format seems all but irrelevant to end users, but hardly a month passes without a CVE stemming from TIFF parsing,” said Craig Young, a vulnerability researcher for Tripwire.

The zero-day flaw is present in many older versions of Microsoft products, such as Windows Vista, Windows Server and Office 2003 through 2010, and security experts believe some of those older versions should be retired.

“Microsoft needs to become more aggressive with their end of life policies. Users should not still be running Office 2003, Office 2007, Windows XP, and Windows Server 2003,” Reguly said. “If you removed that software, this zero-day would not exist. If it’s more than 5 years old, it’s probably time to end support.”

Microsoft had released a temporary Fix it workaround that would block the attack by changing the configuration on the computer to prevent the rendering of the vulnerable graphic format, but it does not mitigate the vulnerability itself.

Not on the patch list for this week is a zero-day vulnerability in Windows XP and Windows Server 2003 that is being actively exploited in the wild to bypass the sandbox in unpatched versions of Adobe Reader 9.5.4, 10.1.6, 11.0.02 and earlier on Windows XP SP3.

Microsoft stated that it plans to mitigate the vulnerability either with a Patch Tuesday release or by way of an out-of-cycle security update, depending on the results of its investigation, and it now appears that the fix will be pushed off until next year.

Users are encouraged to upgrade from the archaic Windows XP operating system in favor of Windows 7 or 8, and should ensure they are running the latest versions of Adobe Reader.


Data on 20M Chinese hotel guests dumped online by hackers

The privacy of millions of Chinese hotel guests is at risk after hackers leaked their personal data online.

Calling themselves the “harbours of evil goods” – a reference to the Later Han dynasty – the miscreants gained access to the data after taking advantage of a security loophole in the software used by some of the most popular hotel chains in the country.

According to a report by the South China Morning Post, personal information – including booking details, names, phone numbers, email addresses and residential addresses – of an estimated 20 million individuals was compromised in the hack.

The hackers leveraged a flaw in the encryption technology found in software created by CNWisdom, a Zhejiang-based provider of wireless internet for hotels.

The leaked data can be found on at least three websites, as well as WeChat, a popular messaging service where the hackers have opened an account.

Android game steals WhatsApp chats and offers them for sale

An Android game has been removed from the official Google Play store after it was found to be secretly stealing users’ WhatsApp conversation databases, and offering them for sale on an internet website.

The game, Balloon Pop 2, is nothing to write home about – but behind its simple exterior lies the ability to scoop up private conversations that you may have made via WhatsApp on your Android device, and upload them to a website called WhatsAppCopy.

The attacker can then visit the WhatsAppCopy website, enter the phone number of the Android device they are targeting, and (for a fee) access the private conversations.

The WhatsAppCopy website’s pitch reads: “Install the game, find your phone, read your conversations. FREE Try it, it works!”

The WhatsAppCopy website openly advertises the BalloonPop2 game as a way of “backing up” a device’s WhatsApp conversations.

Of course, the people behind the website and the BalloonPop2 game would probably argue that they are providing a legitimate service to people who want to create a remote backup of their WhatsApp conversations, and it’s not their fault if the game is misused by people trying to snoop on other people’s privacy.

However, if that were really the site’s intention, wouldn’t it be appropriate for a big fat unavoidable warning message to be displayed before the game did its dirty deed, giving users the chance to realise what was occurring and opt out if they wanted?

Google clearly takes a dim view of the app, as it has now removed it from the official Google Play Android app store.

But, of course, it’s quite possible that the app will be widely distributed via unofficial stores – and future versions could be distributed using other disguises than a balloon-popping game.

Clearly, there are a few lessons to be learnt here.

One is that just because an app is in the official Google Play store does not mean it can be trusted. Google, unfortunately, has a pretty poor record in policing its Android app store. This isn’t the first time that a dodgy app has been found up there, and it won’t be the last. Google, can you please get your act together? Your chairman’s claims that Androids are more secure than iPhones are laughable.

At least Apple has tight reins over the programs which make it into the iOS store for iPhones and iPads.

Second, WhatsApp needs to get better at security. If Android is going to allow apps like BalloonPop2 to scoop up users’ private conversations, then maybe WhatsApp (and similar programs) need to do a better job of encrypting those conversations on the device itself.

Security researchers at McAfee tell me that they are adding detection of the offending BalloonPop2 application as Android/Ballonpoper for their customers, and I imagine other vendors will follow in due course.
