By Roger A. Grimes, Columnist

4 reasons BadBIOS isn’t real

Analysis
Nov 12, 2013 | 8 mins
Data and Information Security | Malware | Security

Did a noted security researcher find a superbug -- or go crazy? In light of the facts, the supposed existence of BadBIOS doesn't add up

If you haven’t been following the story of Dragos Ruiu’s BadBIOS tale the last two weeks, you’ve missed a compelling saga and an opportunity to find out how much you really know about malware.

A well-respected computer security researcher, Ruiu says he’s found the single nastiest malware program of all time. Purportedly, it lives in the BIOS, survives BIOS reflashes, readily works cross-platform (Windows 8, BSD, OS X), and — get this — communicates with other infected computers using high-frequency sound waves above the range of human hearing. It renders CD-ROM drives and USB drives unusable, and it can erase its tracks when forensically analyzed.


People following this story fall into a few different camps. Many believe everything he says — or at least most of it — is true. Others think he’s perpetrating a huge social engineering experiment, to see what he can get the world and the media to swallow. A third camp believes he’s well-intentioned, but misguided due to security paranoia nurtured through the years.

A few even think we’re witnessing the public mental breakdown of a beloved figure. They point out that paranoid schizophrenics often claim to be targeted by hidden communication no one else can hear. To be honest, I’ve found myself in all these camps since the story broke, though I’m leaning toward those who think Ruiu is well-intentioned, but perhaps seeing too much of what he wants to see.

My best personal guess is that by the time this all shakes out, little of interest will be found. No big superbugs will be documented. Instead, we’ll be left with supposedly tantalizing “clues” that provide no real evidence of anything extraordinary.

Dragos’ tale

Ruiu’s been around for decades in various capacities, but is especially cherished for his founding and running of the Pwn2Own hacking contest as part of his CanSecWest security conference. I, along with thousands of other computer security researchers, eagerly await the new zero days used and eventually patched in these contests each year.

Ruiu and his lab team have supposedly been fighting the supermalware program for more than three years. The saga only came out in October 2013 because Ruiu made many of the facts public with postings on Google+.

The absolutely amazing thing about this story is that nearly everything Ruiu reveals is possible, even the more unbelievable details. Ruiu has also been willing to share what forensic evidence he has with the public (you can download some of the data yourself) and specialized computer security experts.

Where the story starts getting preposterous, no matter how much leeway you give him, is the sheer number of unbelievable claims (not one, not two, but all of them) and the way much of the purported evidence is supposedly modified by the bad guys after he releases it, thus eliminating the evidence. The bad guys (whoever they are) are not only master malware creators, but they can reach into Ruiu’s public websites and remove evidence from images after he has posted them. Or the evidence erases itself as he’s copying it for further distribution.

Again, this would normally be the final straw of disbelief, but if the malware is as devious as described and does exist, who’s to say the bad guys don’t have complete control of everything he’s posting? If you accept all that Ruiu is saying, there’s nothing to prove it hasn’t happened.

Except it hasn’t — and here are four reasons why I do not believe Ruiu has found a superbug.

1. No smoking guns

As far as I know, at this writing, not a single bit of the evidence shared by Ruiu has revealed a smoking gun. (Ars Technica offers a good example.) No one, including respected experts in their particular fields, has found anything remotely interesting. Most have said what they found is normal and expected, including the portions of evidence that Ruiu said were directly related to the malware program.

This single fact says everything. Ruiu claims to have more experts looking at more evidence, and he even says he hasn’t yet shared additional observations and evidence garnered over three years of analysis. But to me, without a single shred of independently reviewed evidence, we can get a little less excited about this particular claim.

2. Errors in causation

Ruiu points to direct “evidence” of the superbug that simply doesn’t pan out. For example, he points to recordings of ultrasonic sound waves that supposedly indicate some sort of communication protocol used by the malware program. He has captured this information via sound equipment and has posted graphic analysis. To Ruiu, this is evidence of badness.

In all likelihood, Ruiu is capturing either a normal artifact of his computer or an erroneous artifact from the methods being used to record the ultrasonic sound. One commenter even went so far as to identify the chip on his motherboard most likely making the noise because it fits the frequency and characteristics.

But more important, if Ruiu were as scientifically independent as he should be, he would have begun with scientific skepticism — but he didn’t. He’s all in, and he believes what he’s detecting confirms that BadBIOS is communicating ultrasonically. In science, this is known as bias leading to errors in causation. Just because you got hit by bird poop doesn’t mean the bird was aiming for you.
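The point about artifacts versus communication is testable. A switching regulator or inductor whines at a constant level; a carrier that is actually moving data has to change over time. The following is an added example (not code from the original column, and not anything from Ruiu’s lab): it measures power at one assumed target frequency (19.5 kHz, chosen arbitrarily) in successive 10 ms windows with the Goertzel algorithm and asks whether that power is steady or keyed on and off. The sample rate, window size, frequency and the on/off threshold ratio are assumptions, and every signal it analyses is constructed in-process rather than recorded.

```python
"""Added example: is a near-ultrasonic peak a steady artifact or a keyed signal?

Measures power at one target frequency in consecutive short windows using
the Goertzel recurrence, then checks whether that power is constant (what a
coil or regulator whine looks like) or switches on and off (what simple
on/off keying of a data carrier looks like). All signals are constructed
here; nothing in this file is a real capture.
"""
import math

SAMPLE_RATE = 96_000   # Hz, assumed capture rate of the constructed audio
WINDOW = 960           # samples per analysis window (10 ms at 96 kHz)


def goertzel_power(samples, sample_rate, target_hz):
    """Power at target_hz for one window, via the Goertzel recurrence."""
    n = len(samples)
    k = round(n * target_hz / sample_rate)      # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return power / n


def band_profile(samples, sample_rate, target_hz, window=WINDOW):
    """Power at target_hz in each consecutive window (partial tail ignored)."""
    return [goertzel_power(samples[i:i + window], sample_rate, target_hz)
            for i in range(0, len(samples) - window + 1, window)]


def classify(profile, on_off_ratio=10.0):
    """'silent', 'steady' (no window far below the loudest) or 'keyed'."""
    peak = max(profile)
    if peak <= 0.0:
        return "silent"
    quiet = sum(1 for p in profile if p < peak / on_off_ratio)
    return "keyed" if quiet else "steady"


def decode_ook(profile):
    """Recover one bit per window from an on/off-keyed power profile."""
    threshold = max(profile) / 2.0
    return [1 if p > threshold else 0 for p in profile]


def make_tone(freq_hz, n_samples, sample_rate=SAMPLE_RATE, gate=None, window=WINDOW):
    """Constructed unit-amplitude sine; gate(window_index) -> bool keys it on/off."""
    out = []
    for i in range(n_samples):
        on = True if gate is None else gate(i // window)
        t = i / sample_rate
        out.append(math.sin(2.0 * math.pi * freq_hz * t) if on else 0.0)
    return out


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
    steady = make_tone(19_500, WINDOW * len(bits))
    keyed = make_tone(19_500, WINDOW * len(bits), gate=lambda w: bits[w] == 1)
    for name, sig in (("steady", steady), ("keyed", keyed)):
        prof = band_profile(sig, SAMPLE_RATE, 19_500)
        print(name, "->", classify(prof), decode_ook(prof))
```

On a real recording the first thing to do is the control Ruiu skipped: capture the same band with the suspect machine powered off, with the microphone moved, and with a different sound card, and see whether the peak survives. A peak that is present in every window at the same level, or that disappears when the capture hardware changes, is an artifact of the machine or of the measurement, not a protocol. The thresholds here are tuned for a clean constructed signal; a noisy capture needs a noise floor estimate before the steady/keyed decision means anything.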

3. The scenarios are plausible, but highly unlikely

Each malicious scenario revealed by Ruiu is possible. This is perhaps the most frustrating part. Most experts, when looking through Ruiu’s evidence, say that in their opinion what Ruiu suggests is just shy of impossible. What’s driving that skepticism isn’t gut feeling or incredulity. Based on what they know to be possible, Ruiu’s claim is highly unlikely.

On the other hand, some are more categorical in their disbelief. For example, a firmware BIOS expert says it’s impossible for all the functionality that Ruiu claims is in the firmware code to both be there (impossible by itself) and to be hidden from forensic view. The forensic dumps shared so far show no evidence of malware or of the telltale signs that something is being hidden.
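What the reviewers of those dumps were doing, in outline, is comparing a suspect flash image against a known-good one and looking at what differs and how. The following is an added example, not code from the original column or from any of the analysts it mentions: it diffs two equal-size images block by block and reports the byte entropy on each side of every differing block, since a block that changed from text or padding into something close to 8 bits/byte (packed or encrypted content) is where a reviewer would look next. The block size, the entropy threshold and both images are assumptions constructed in-process; they are not real firmware dumps.

```python
"""Added example: review a firmware dump against a reference image.

Compares two equal-size flash images block by block, reports the offsets
that differ and the byte entropy on each side. A differing block whose
entropy jumps close to 8 bits/byte is the kind of thing a reviewer pulls
apart next (packed or encrypted payload); a differing block that is still
low-entropy text or variable storage is usually ordinary drift.
Both images below are constructed here; they are not real dumps.
"""
import math
import random

BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.5   # bits per byte; assumed review threshold, not a standard


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def diff_images(reference: bytes, sample: bytes, block_size: int = BLOCK_SIZE):
    """Return [(offset, entropy_ref, entropy_sample)] for each differing block."""
    if len(reference) != len(sample):
        raise ValueError("images differ in size; compare like with like")
    out = []
    for off in range(0, len(reference), block_size):
        a = reference[off:off + block_size]
        b = sample[off:off + block_size]
        if a != b:
            out.append((off, entropy(a), entropy(b)))
    return out


def suspicious(diffs, threshold: float = HIGH_ENTROPY):
    """Differing blocks whose sample side became high-entropy."""
    return [d for d in diffs if d[2] >= threshold and d[1] < threshold]


def build_images():
    """Constructed reference/sample pair: 8 blocks, one replaced with random bytes."""
    padding = b"\xff" * BLOCK_SIZE                         # erased flash
    text = (b"Copyright (c) Example BIOS vendor. Setup strings.\n" * 200)[:BLOCK_SIZE]
    code = bytes((i * 7 + (i >> 5)) & 0xFF for i in range(BLOCK_SIZE))  # patterned filler
    reference = padding + text + code + text + code + padding + text + padding
    rng = random.Random(1)                                 # deterministic "payload"
    payload = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    sample = reference[:3 * BLOCK_SIZE] + payload + reference[4 * BLOCK_SIZE:]
    return reference, sample


if __name__ == "__main__":
    ref, smp = build_images()
    for off, e_ref, e_smp in diff_images(ref, smp):
        print(f"block @0x{off:06x} differs: entropy {e_ref:.2f} -> {e_smp:.2f}")
    print("high-entropy changes:", len(suspicious(diff_images(ref, smp))))
```

The caveat a practitioner would add is that a diff by itself is not a smoking gun. Regions such as the UEFI variable store, SMBIOS/DMI data, logs and update counters legitimately differ between two dumps of the same board, which is exactly why reviewers of Ruiu’s dumps described what they saw as normal and expected. The result worth reporting is a differing region that is both unexplained by the platform layout and structurally odd (high entropy where there should be text, code where there should be padding), and then disassembling it.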

4. Too much effort and too isolated

To date, Stuxnet is considered the most advanced malware program ever. Advanced analysis by dozens of independent teams has determined that Stuxnet likely took dozens of different teams many months (if not years) to develop with a budget of tens of millions of dollars, as well as the help of at least one or two highly advanced scientific research laboratories. Ruiu’s malware program would be orders of magnitude more sophisticated and resource-intensive to develop.

BadBIOS would have had to be developed by a nation-state. Again, this is plausible — almost. Ruiu says he’s been fighting this for three years. Stuxnet is about three years old. So a nation-state developed an agent far more sophisticated than Stuxnet, at about the same time, and no one else besides Ruiu has heard of it?

When Stuxnet was discovered, multiple antimalware companies around the world were finding copies. It started with one, then quickly spread to the others — not so with BadBIOS. Somehow the most sophisticated superbug on the planet was released three years ago — and only Ruiu has found it. What would be the spreader’s motivation for infecting Ruiu? With Stuxnet, the motivation was to stop World War III. Does Ruiu or his lab have something on the same order that needs to be found out or stopped?

I happen to know a few of the people who were involved in the forensic analysis of Stuxnet, each from different companies. You would easily believe these people to be among the world’s foremost malware experts. None has a copy of this program. And none believes Ruiu has what he claims to have.

A fire drill worth having

In the end, I think this exercise has been good for the security community. We’ve been forced to think about what is and isn’t possible with malware and bad guys plundering pwned computers. Quite a few of my friends think we’re going to see a rash of malware that communicates through PC speakers. Unfortunately, I think today’s malware is working well enough that we don’t have to invent new superbugs, blue pills (hypervisor-based rootkits), or other science fiction malware.

This saga is a tough one to figure out. To discount Ruiu is to essentially say we don’t believe or trust a beloved industry figure. If Ruiu is right and he’s encountered superadvanced malware — three years old at that — then we truly have a terrifying problem on our hands. It would literally change the world overnight. If this thing is real, it’s time to call Keanu Reeves … or John McAfee.

This story, “4 reasons BadBIOS isn’t real,” was originally published at InfoWorld.com in Roger Grimes’ Security Adviser blog.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.