If you haven't been following the story of Dragos Ruiu's BadBIOS tale the last two weeks, you've missed a compelling saga and an opportunity to find out how much you really know about malware.
A well-respected computer security researcher, Ruiu says he's found the single nastiest malware program of all time. Purportedly, it lives in the BIOS, survives BIOS reflashes, readily works cross-platform (Windows 8, BSD, OS X), and -- get this -- communicates with other infected computers using high-frequency sound waves above the range of human hearing. It renders CD-ROM drives and USB drives unusable, and it can erase its tracks when forensically analyzed.
[ Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. | Keep up with key security issues with InfoWorld's Security Central newsletter. ]
People following this story fall into a few different camps. Many believe everything he says -- or at least most of it -- is true. Others think he's perpetrating a huge social engineering experiment, to see what he can get the world and the media to swallow. A third camp believes he's well-intentioned, but misguided due to security paranoia nurtured through the years.
A few even think we're witnessing the public mental breakdown of a beloved figure. They point out that paranoid schizophrenics often claim to be targeted by hidden communication no one else can hear. To be honest, I've found myself in all these camps since the story broke, though I'm leaning toward those who think Ruiu is well-intentioned, but perhaps seeing too much of what he wants to see.
My best personal guess is that by the time this all shakes out, little of interest will be found. No big superbugs will be documented. Instead, we'll be left with supposedly tantalizing "clues" that provide no real evidence of anything extraordinary.
Dragos' tale
Ruiu's been around for decades in various capacities, but is especially cherished for his founding and running of the Pwn2Own hacking contest as part of his CanSecWest security conference. I, along with thousands of other computer security researchers, eagerly await the new zero days used and eventually patched in these contests each year.
Ruiu and his lab team have supposedly been fighting the supermalware program for more than three years. The saga only came out in October 2013 because Ruiu made many of the facts public with postings on Google+.
The absolutely amazing thing about this story is that nearly everything Ruiu reveals is possible, even the more unbelievable details. Ruiu has also been willing to share what forensic evidence he has with the public (you can download some of the data yourself) and specialized computer security experts.
Where developments start getting preposterous, no matter how much leeway you give him, is how many of the claims are unbelievable (not one, not two, but all of them) and why much of the purported evidence is supposedly modified by the bad guys after he releases it, thus eliminating the evidence. The bad guys (whoever they are) are not only master malware creators, but they can reach into Ruiu's public websites and remove evidence within images after he has posted it. Or the evidence erases itself as he's copying it for further distribution.
Again, this would normally be the final straw of disbelief, but if the malware is as devious as described and does exist, who's to say the bad guys don't have complete control of everything he's posting? If you accept all that Ruiu is saying, there's nothing to prove it hasn't happened.
Except it hasn't -- and here are four reasons why I do not believe Ruiu has found a superbug.
1. No smoking guns
As far as I know, at this writing, not a single bit of the evidence shared by Ruiu has revealed a smoking gun. (Ars Technica offers a good example.) No one, including respected experts in their particular field, have found anything remotely interesting. Most have said what they have found is normal and expected, including the portions of evidence that Ruiu said was directly related to the malware program.
This single fact says everything. Ruiu claims to have more experts looking at more evidence, and he even says he hasn't yet shared additional observations and evidence garnered over three years of analysis. But to me, without a single shred of independently reviewed evidence, we can get a little less excited about this particular claim.