# BadBIOS circumventing ACPI disabling to load bluetooth cont



## BadBIOSvictim (May 12, 2014)

BadBIOS and FOXACID infected my computers and replacement computers. BadBIOS circumvented booting to live PC-BSD DVD. Dragos 
Ruiu, discoverer of BadBIOS reported BadBIOS circumvents DVDs. Therefore, I purchased PC-BSD and GhostBSD from 
OSDisc.com. BadBIOS prevented booting. 

Therefore, PfSense was installed on the hard drive of my Asus 105PE netbook. To attempt to prevent BadBIOS from tampering with booting of pfsense, I disabled ACPI. Yet, booting with and without ACPI disabled option was identical. BadBIOS circumvented disabling ACPI. 

I attempted to airgap two computers by not using an ethernet cable and removing the combo wifi/Azurewave bluetooth half mini PCI card. BadBIOS 
continued to perform Wake on Bluetooth (WoBT), runlevels remotely syncing my data to a server and other behavior I 
described at reddit.com's BadBIOS subreddit. 

BadBIOS loads Azurewave at usbus4 which is where Intel's Enhanced Host Controller (EHCI) is located. Edit: Azurewave manufacturers wifi/bluetooth/FM radio transceiver chips and webcams. Azurewave at usbus4 is a webcam. Since I selected boot option ACPI disabled, pfSense should not have detected a webcam.

There are two Giant-locks and a fatal trap 12. Azurewave dismounts root which crashes. A shadow filesystem is loaded. BLK(S) MISSING IN BIT MAPS. Dragos Ruiu commented about blks missing in bit maps.

I will ship my Asus 1015PE to anyone interested in performing forensics.

Snippets of the boot splash with ACPI disabled using an Asus 1015PE netbook:

```
atkbd0: (GIANT-LOCKED)
ATKBD0: (ITHREAD)

psm0: (GIANT-LOCKED)
PSM0: (ITHREAD)

Unknown: <INT0000> cant assign resources (memory)
unknown: <PNP0c01> cant assign resources (memory)
Unknown: <INT0000> cant assign resources (memory)

Fatal trap 12: page fault while in kernel mode.

usbus4: 480Mbps High Speed USB v2.0
ad4: 238475MB <WDC WD2500BEUT-80A2310 .01.01A01> at at2-mater UDMA100  SATA 3 GB/S

ugen3.1: <Intel at usbus3
ugen3: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus3
ugen4.1: <Intel at usb4
uhub4: <Intel EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1 > on usb4.

uhub0: 2 ports with 2 removable, self powered
uhub1: 2 ports with 2 removable, self powered
uhub2: 2 ports with 2 removable, self powered
uhub3: 2 ports with 2 removable, self powered
uhub4: 8 ports with 8 removable, self powered

ugen 4.2: <Azurewave> at usbus4
Trying to mount root from ufs:dev/ad4s1a
Warning: / was not properly dismounted
Configuring crash dumps . . .
Using /dev/ad4s1b for dump device

Mounting filesystem . . .
ZFS NOTICE: Prefetch is disabled by default on i386 ---to enable, add 'vfs.zfs.prefetch_disable=0' to 

/boot/loader.conf

ZFS WARNING: Recommend mem kmem_size is 512 MB: expect unstable behavior. Consider tuning vm.kmem_size and 

vm.kmem_size_max in /boot/loader.conf

ZFS filesystem version 5
ZFS storage pool version 28
Mount: /dev/ad4S1a R/W mount of /denied
Filesystem is not clean - run fsck:
Operation not permitted

** /dev/ad4S1a
**Last mounted on /
** Root file system

Phase 1 - Check Blocks and Sizes

** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts

There are lots of UNREF FILES. 

The last three UNREF FILES are:

UNREF FILE I=18347104 OWNER=root MODE=100644
SIZE=0 MTIME=May 10 22:55 2014
RECONNECT? yes

UNREF FILE I=18347105 OWNER=root MODE=100644
SIZE=0 MTIME=May 10 22:55 2014
RECONNECT? yes

UNREF FILE I=18347106 OWNER=root MODE=100644
SIZE=0 MTIME=May 10 22:55 2014
RECONNECT? yes

** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? yes

SUMMARY INFORMATION BAD
SALVAGE? yes

BLK(S) MISSING IN BIT MAPS
SALVAGE? YES

5818 files, 91880 used, 117149245 free (189 frags, 14643632 blocks, 0.0% fragentation)

********* FILESYSTEM MARKED CLEAN**************

**********FILESYSTEM WAS MODIFIED***************
Disabling APM on /dev/ad4

photo of the above is at ?

Welcome to pfSense 2.1.2 - RELEASE
No core dumps found
Creating symlinks . . . . done
External config loader 1.0 is now starting
Initializing . . . . done
```


----------



## SirDice (May 12, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

Before trying to reinstall the machine get rid of the BIOS malware first. It's going to be an exercise in futility if you leave that crap on the machine. Get rid of it. Flash the machine with a known good copy of the BIOS/UEFI and hope that clears it.


----------



## zspider (May 12, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

Is BadBIOS real or is it just paranoia?, I'm still trying to figure that out.


----------



## kpa (May 12, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*



			
				zspider said:
			
		

> Is BadBIOS real or is it just paranoia?, I'm still trying to figure that out.  :\



I tried to read the OP's post here and decide if he really has virus in is system or not. Futile attempt because there's no real information in it, just claims that the problems observed are caused by a virus and no evidence to support them. All I'm seeing is flaky hardware and misconfigured FreeBSD installation.


----------



## zspider (May 12, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*



			
				kpa said:
			
		

> zspider said:
> 
> 
> 
> ...



I agree, I certainly haven't seen anything that conclusively proves this "badbios" actually exists. You(@BadBIOSvictim) may just be making a mountain out of a mole hill here.


----------



## BadBIOSvictim (May 12, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

Evidence of ultrasonic hacking and BadBIOS in Reddit.com's BadBIOS subreddit at: 
http://www.reddit.com/r/badBIOS/comment ... c_hacking/

kpa wrote: "All I'm seeing is flaky hardware and misconfigured FreeBSD installation." Kpa, in my thread I offered to ship my Asus 1015PE to anyone willing to conduct forensics. Would you like to volunteer?

Not flaky hardware. Initial BadBIOS infection was in November 2011. Thereafter, I purchased more than a dozen replacement computers, one after the other. They all became infected with BadBIOS and FOXACID. I returned seven computers before the return deadline. I discarded four computers. I gave one away. I sold five. I have six left.  Would you like me to remove the internal hard drive from my Asus 1015PE and install it in one of my other remaining computers, take screenshots of pfsense boot splash message, type up the message and post it here? I am about to discard my HP Compaq Presario V2000 unless someone wants it for forensics.

Kpa, not misconfigured FreeBSD installation. To prove this, could I ship you an internal hard drive for you to install PfSense? I will then boot to your pfSense install, take screenshots, type up messages and post here. 

If BadBIOS didn't circumvent my computers from booting to live BSD distros, we could quickly rule out a misconfigured installation simply by checksumming the downloaded ISO.

My computers will finish booting to Debian, Ubuntu and PCLinuxOS live DVDs but not Fedora and Gentoo live DVDs. I have screenshots of boot splash messages and /var/logs of several live Linux DVDs. Their boot splash message is similar to pfSense's boot splash message. pfSense gives much more detail. Would it be appropriate to attach them to this thread?

Striking out other possible causes other than an obviously rootkit infected computer is simple. Removing BadBIOS and FoxACID firmware rootkits is impossible.


----------



## kpa (May 12, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

Provide a link to a page of reputable virus and malware research organization that verifies that such virus even exist and I might just start to believe you. Now it's just hearsay and second hand information and many claims by non-professionals who in my view have no clue.


----------



## BadBIOSvictim (May 13, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

Kpa, which 'reputable virus and malware research organization' shall I ship my logs, infected computers and infected PDF, jpg, mp3, tiff and txt files to for forensics? All firmware rootkits are extremely difficult to detect. There's no antivirus software that scans for firmware rootkit. No guide on how to detect them.

Kpa, you are solely focusing on BadBIOS. I also said my computers were infected with NSA's FOXACID. It is not a coincidence that Kaspersky, a Russian antivirus company, discovered NSA's cyberwarfare: Stuxnet, Flame, MiniFlame and Gauss. Hopefully, Kaspersky will continue their practice of discovering more cyberwarfare including BadBIOS and FOXACID. I don't think American antivirus companies will try.

What Flame, MiniFlame, BadBIOS and FOXACID have in common are infecting bluetooth and bluetooth controller to hack via bluetooth.BadBIOS also hacks via ultrasound.


----------



## kpa (May 13, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

I was afraid the discussion would take this turn and I'm not going to participate in it any longer.


----------



## BadBIOSvictim (May 13, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

Filesytem being dumped and replaced by a shadow filesystem occurs with every live linux DVD that my linux boxes can boot to:

HP Compaq Presario V2000 booting to PCLinuxOS FullMonty. Boot splash message loading audio driver, dumping filesystem and loading a shadow filesystem: http://www.reddit.com/r/badBIOS/comment ... ash_photo/

Asus 1015P booting to PCLinuxOS GNOME. Boot splash message loading video driver, dumping filesystem, loading audio driver, loading a shadow filesystem: http://www.reddit.com/r/badBIOS/comment ... e_of_live/

I am requesting Redditors infected with BadBIOS and/or FOXACID to boot to BSD, take screenshots, type up screenshots and post. Thereby, an epidemicological study can be performed. http://www.reddit.com/r/badBIOS/comment ... idence_of/


----------



## Crivens (May 14, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*



			
				zspider said:
			
		

> Is BadBIOS real or is it just paranoia?, I'm still trying to figure that out.



Please watch: this about the system controller, and that part about what you can do with USB sticks and memory cards to completely b***er up someone.

And above all: 
Part 1 and Part 2 with actual quotes on the catalog from which some of these letter-soup-outfits order their toys.

If you are short on time, start with Part2 and start at about minute 27.

After that, sweet dreams anyone. And bring out the old C64.

@@kpa: You may want to start with Part2, at minute 45. 

All in all, no one can be sure what is going up there. What I am sure of, hovever, is that it is more likely that things like BadBIOS exist than that they don't.


----------



## BadBIOSvictim (May 15, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

Boot splash message is not due to flaky hardware. I removed harddrive from my Asus 1015PE and booted it to my HP Compaq Presario V2000. Worse boot splash message! viewtopic.php?f=44&t=46443

Crivens, thank you for recommending the amazing videos.  More evidence that the write protection switch on a SD card is just a software flag. I infected my replacement computers by copying my BadBIOS infected personal files from 'write protected' SD cards.   I follow Jacob Applebaum on twitter.


----------



## SirDice (May 15, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*



			
				BadBIOSvictim said:
			
		

> I infected my replacement computers by copying my BadBIOS infected personal files from 'write protected' SD cards.


You can't infect a computer by copying some files. It simply doesn't work that way. Just like any other code or application, malware needs to be _executed_ before it can become active. Computers do not spontaneously start executing random code.


----------



## BadBIOSvictim (May 15, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

In this thread, Crivens posted a link to CCC presentation on infecting SD cards' controller. Thank you, Crivens: http://media.ccc.de/browse/congress/201 ... _xobs.html

USB malware infects computers simply by inserting the USB removable media. Dragos Ruiu, discover of BadBIOS, found BadBIOS infects computers by inserting an infected USB removable media.

There is a bootable hidden encrypted protected partition on my flashdrives and micro SD cards. The protected partition cannot be wiped. I describe it in more detail at http://www.reddit.com/r/badBIOS/comment ... removable/

I will ship an infected micro SD card and flashdrive to anyone willing to conduct forensics.


----------



## SirDice (May 15, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*



			
				BadBIOSvictim said:
			
		

> USB malware infects computers simply by inserting the USB removable media.


Not exactly. The action might be simple but what happens "under water" isn't. These things do several things. The first is it presents itself as a "USB keyboard", it then uses this fake "keyboard" to enter commands. Because these things are mostly written with Windows in mind the commands it tries to execute simply do not work on Linux or BSD. So it will never be able to mount the hidden partition and run the executables from there. Even if it was able to mount the hidden partition the executables would be Windows executables which don't work on Linux or BSD (not unless you pull some tricks with Wine).

With USB there's never any "direct" contact with the rest of the computer. USB works with a client-server model, unlike for example PCMCIA and Firewire. Both of these are "directly" connected to the computer's memory using DMA. The DMA transfers can be controlled from the PCMCIA or Firewire device, giving a rogue device potentially unrestricted access to the computer's memory. This is simply not possible with USB because there's never any direct link between the device and the computer's memory.


----------



## Crivens (May 15, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

Well, you can check (in a USB device) which OS is being used to access you. One example would be to check if the MBR is read 9 times, IIRC, which would mean that it is connected to a Windows machine. That way, you _could_ prepare a system-aware attack into a USB stick. Practical proof exists, and thinking that the guys in the 'puzzle palace' do not have the resources to do this... maybe this is/was some assignment for some bored intern, and it escaped.

Anyway, I for one would recommend to treat each system infected with such kind of malware no different from nuclear waste. The HDs, the mainboard, the keyboards/mice/USB sticks/... no difference. This kind of malware can be done, and the problem with such software is that it is not staying put. Or dies of old age after a week. Just look up what had to be done to get rid of that infamous morris worm, extrapolate to current system usage, and think again.

Oh, and when I hear the management around here speak of the "cloud of things", I am losing hope.


----------



## tzoi516 (May 15, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*



> In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.



Click here to read ...

Not to add fuel to the fire, but hope this Ars article helps. The part about spreading via low frequency via computer speakers is interesting.


----------



## Crivens (May 16, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*



			
				tzoi516 said:
			
		

> Not to add fuel to the fire, but hope this Ars article helps. The part about spreading via low frequency via computer speakers is interesting.


No worries, mate. I may add some fuel, and only to get people thinking.

"Spreading", as in spreading the infection, is most likely not happening. But a C&C connection does not have to have a huge data rate. Also, given the proof of concept in attacking the "secure" cisco phone, like listening in on the phone without lifting the handset, makes this connection interesting. 

Imagine a user who is cautious enough not to have the laptop with the interesting shiny-shiny on any network. He only transfers data on a stick, and rarely does this. Maybe he only has a one-way stick to push data on the laptop. Who might be using such a setup, and also use "secure" phones? Any ideas?

And now you have a command&control link to your highly secured laptop, using the phone on the desk next to it. And wasn't there some work on recovering the keys in use from the noise your voltage regulators make on the board? 

Again, I have no proof that this is really happening. But you would need to be very naive to dismiss it without a doubt. Because it is possible, and thus will be at least tried out.


----------



## BadBIOSvictim (May 17, 2014)

*Re: BadBIOS circumventing ACPI disabling to load bluetooth c*

BadUSB and BadBIOS flashes the firmware of USB devices.
http://arstechnica.com/security/2014/07 ... turn-evil/

Any volunteers to do forensics on my USB devices? Laptops?


----------

