4 reasons BadBIOS isn't real

Did a noted security researcher find a superbug -- or go crazy? In light of the facts, supposed existence of BadBIOS doesn't add up

Page 2 of 2

2. Errors in causation

Ruiu points to direct "evidence" of the superbug that simply doesn't pan out. For example, he points to recordings of ultrasonic sound waves that supposedly indicate some sort of communication protocol used by the malware program. He has captured this information via sound equipment and has posted graphic analysis. To Ruiu, this is evidence of badness.

In all likelihood, Ruiu is capturing either a normal artifact of his computer or an erroneous artifact from the methods being used to record the ultrasonic sound. One commenter even went so far as to identify the chip on his motherboard most likely making the noise because it fits the frequency and characteristics.

But more important, if Ruiu were as scientifically independent as he should be, he would have begun with scientific skepticism -- but he didn't. He's all in, and he believes what he's detecting confirms that BadBIOS is communicating ultrasonically. In science, this is known as bias leading to errors in causation. Just because you got hit by bird poop doesn't mean the bird was aiming for you.

3. The scenarios are plausible, but highly unlikely

Each malicious scenario revealed by Ruiu is possible. This is perhaps the most frustrating part. Most experts, when looking through Ruiu's evidence, say that in their opinion, what Ruiu suggests is just shy of impossible. What's driving that skepticism isn't gut feeling or incredulity. Based on what they know is possible, Ruiu's claim is highly unlikely.

On the other hand, some are more categorical in their disbelief. For example, a firmware BIOS expert says it's impossible for all the functionality that Ruiu claims is in the firmware code to both be there (impossible by itself) and to be hidden from forensic view. The forensic dumps shared so far show no evidence of malware or of the telltale signs that something is being hidden.

4. Too much effort and too isolated

To date, Stuxnet is considered the most advanced malware program ever. Advanced analysis by dozens of independent teams has determined that Stuxnet likely took dozens of different teams many months (if not years) to develop with a budget of tens of millions of dollars, as well as the help of at least one or two highly advanced scientific research laboratories. Ruiu's malware program would be orders of magnitude more sophisticated and resource-intensive to develop.

BadBIOS would have had to be developed by a nation-state. Again, this is plausible -- almost. Ruiu says he's been fighting this for three years. Stuxnet is about three years old. So a nation-state developed an agent far more sophisticated than Stuxnet, at about the same time, and no one else besides Ruiu has heard of it?

When Stuxnet was discovered, multiple antimalware companies around the world were finding copies. It started with one, then quickly spread to the others -- not so with BadBIOS. Somehow the most sophisticated superbug on the planet was released three years ago -- and only Ruiu has found it. What would be the spreader's motivation for infecting Ruiu? With Stuxnet, the motivation was to stop World War III. Does Ruiu or his lab have something on the same order that needs to be found out or stopped?

I happen to know a few of the people who were involved in the forensic analysis of Stuxnet, each from different companies. You would easily believe these people to be among the world's foremost malware experts. None has a copy of this program. And none believes Ruiu has what he claims to have.

A fire drill worth having

In the end, I think this exercise has been good for the security community. We've been forced to think about what is and isn't possible with malware and bad guys plundering pwned computers. Quite a few of my friends think we're going to see a rash of malware that communicates through PC speakers. Unfortunately, I think today's malware is working well enough so that we don't have to invent new superbugs, blue pills (such as hypervisor attacks), or other science fiction malware.

This saga is a tough one to figure out. To discount Ruiu is to essentially say we don't believe or trust a beloved industry figure. If Ruiu is right and he's encountered superadvanced malware -- three years old at that -- then we truly have a terrifying problem on our hands. It would literally change the world overnight. If this thing is real, it's time to call Keanu Reeves ... or John McAfee.

This story, "4 reasons BadBIOS isn't real," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2013 IDG Communications, Inc.
