This may or may not be worthy of being in its own thread. I post this here only because of the similarities with the "strange malware" mentioned here.
Came across something interesting. Sounds similar to this particular mystery malware from this thread... except for that re-writing to the installation media thing. A user on Twitter (who seems to be well known to others, especially since they talk to @ioerror who has been interviewed by the media before, so he seems important)
Anyways, this guy Dragosr ran across some BIOS level malware that survives a flash (not everything is replaced by a flash so no surprise), and has a "hypervisor" inside, restricts boot devices and re-writes files in a Windows OS. This particular behaviour reminded me of this thread's mention of a VM kept in the BIOS. Surely these things are possible? And yet, even this particular BIOS virus has its own outlandish behavioural claim, that it can use wireless without a wireless card being installed! This thing I am not familiar with, they use a term "SDR" to reference this.
...and that's not even interesting part. Seems to have a BIOS hypervisor, SDR functionality that bridges air gaps, wifi card removed.
Copernicus BIOS verification. Also if tool is mysteriously failing or weird output full of FFs you may have problem. *
* Original tweet contained shortened URL, posted full URL for posterity's sake.
Supposedly this link is to the captured BIOS ROM file. I have not confirmed. Also, there are complaints that Mega requires flash to download and works best in Chrome. So some of you may wish to use a VM to get this file. Also, I have not heard any confirmation that this file is what it is purported to be.
Friend put this link up(thanks). I didn't pick the site. It would be nice to understand what/who is behind this. https://t.co/zP3vEH8ITX
This URL I can't actually get to. In Iron it reroutes to this:
I have downloaded this file, it is a tar.bz and is 7.7MB.
EDIT: strings list:
Lastly, another tweet that relates to BIOS tools, for those who might be interested.
@newshtwit To dissect the @dragosr image you first have to cut it apart with info from ich_descriptors_tool (flashrom) or ifdtool (coreboot)
EDIT2: I can't open the bin file in any of my BIOS tools.
Edited by Tripredacus, 14 October 2013 - 04:42 PM.