Meet “badBIOS”: Son of Flame – Stuxnet; To Kill A Centrifuge and Infect the Planet?


There's No Stasi Like A New Stasi! Praise God

(Update: Meet badBIOS, Mac and PC ‘Airgap’ Malware Reproduced Below)

Recently noted information on the Stuxnet virus shares remarkable multi-level similarities with the badBIOS virus: ‘Stuxnet evolution: NSA input turned stealth weapon into internet-roaming spyware’

“Forensic analysis of the Stuxnet cyber-warfare operation reveals how an initial version of the virus, which was ‘a display of absolute cyber-power’ evolved into a simpler self-replicating and home-reporting malware that was eventually detected.

There were two distinct versions of Stuxnet, the computer virus that is widely believed to have been developed by the US and Israel to hamper uranium enrichment at Iran’s Natanz nuclear facility. The people behind it likely underwent a shift of goals sometime along the cyber-warfare campaign, which involved bringing in new IT people with a whole new array of secret knowledge.

The news comes from Ralph Langner, an independent German cyber-security expert specializing in control systems, who has been heavily involved in the study of Stuxnet and the damage it caused, and shared his conclusions with Foreign Policy magazine.

Another sign of the shift is the difference in infection methods of the two versions. The earlier Stuxnet had to be manually installed to controller systems at the facility by a knowing agent, while the latter version was designed to self-replicate and spread through USB-drives and laptops of unwitting engineers.

The code also used a number of previously unknown vulnerabilities in a Windows operating system – so-called ground zero exploits – and used false digital certificates to pose as valid software.

Langner challenges the common narrative that Stuxnet ‘escaped’ the Natanz facility by accident to be eventually detected and studied by cyber-security experts. He cites the tools in the virus, which allowed it to send reports from infected computers to command-and-control servers.

“It appears that the attackers were clearly anticipating (and accepting) a spread to noncombatant systems and were quite eager to monitor that spread closely,” he says. “This monitoring would eventually deliver information on contractors working at Natanz, their other clients, and maybe even clandestine nuclear facilities in Iran.”

Much more detailed information on the Stuxnet virus is in Langner’s report, which clearly notes the use of Microsoft and Apple internal secret certification codes to remain installed during upgrades. The method of attack for badBIOS is the same as Flame – Stuxnet. Many of the specific characteristics and effects of Flame – Stuxnet are identical to badBIOS. Besides the secret, working fake codes that were obtained, unknown secret ‘flaws = backdoors’ were also obtained. Snowden worked for the NSA at both those companies and has revealed NSA ‘influence’ at both. A trove of classified information reveals the true depth of NSA surveillance – spy on everyone, everywhere. badBIOS gives the controller access to, and total control of, any computer or similar working device.

One has to wonder, was badBIOS the straw that broke Snowden’s back of NSA compliance?

To Kill A Centrifuge: one of many insights revealed was that for at least one of the Stuxnet versions the only clue of infection was a big one, one simply had to look for the file s7otbxsx.dll. If s7otbxsx.dll was on the computer, the computer was infected. It is unknown, and doubtful, that the same sign exists in other Stuxnet, Flame, or badBIOS applications.

Flame Variant: Newly discovered malware linked to Stuxnet, Flame

“Researchers said Thursday that they have identified a new kind of malicious software that appears to be the creation of the same state-sponsored program that produced the viruses known as Stuxnet and Flame.

The malware, the researchers said, shares characteristics with the previously identified viruses, which were aimed at computers tied to Iran’s nuclear program. But the new software has been found primarily in Lebanon. It is designed to steal information, including customer data from banks as well as PayPal and Citibank.

“Nation-states want to monitor activity,” said Roel Schouwenberg, senior researcher for Kaspersky Lab, the Russian cybersecurity firm that discovered the new malware and also discovered Flame. “Seeing how the money is flowing in these bank accounts can be very interesting for them.”

Stuxnet and Flame are believed to have been developed by the United States and Israel.

In its analysis, Kaspersky experts stopped short of speculating on who might be behind the new malware, dubbed Gauss, but they said they believe it “was created by the same ‘factory’ which produced Flame. This indicates it is most likely a nation-state sponsored operation.”

Update: NSA hacked Over 50,000 Worldwide Computer Networks
The US National Security Agency hacked more than 50,000 computer networks worldwide, installing malware designated for surveillance operations, Dutch newspaper NRC reports, citing documents leaked by Edward Snowden.

Update, 12-3-13: Scientist-developed malware covertly jumps air gaps using inaudible sound
Malware communicates at a distance of 65 feet using built-in mics and speakers.

The 'Stasi Claus' Must Know ALL

Border Agents Have Access to Your Medical Records. Nazis at work.

There Was No Change.  There Will Be No Change.

Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps (Note: badBIOS does not have to exist only as a ‘killer’ application. In fact, a minor tweaking would turn ‘badBIOS’ into the ‘ultimate’ silent backdoor – essentially the only real door to anyone’s computer, since it retains ‘instant, final, and ultimate’ control.)

badBios = Part of US, Israel Stuxnet - Flame? Most Likely Scenario Based on Known Facts

Like a super strain of bacteria, the rootkit plaguing Dragos Ruiu is omnipotent.

The US, Israeli ‘God’ Virus: badBios, Partial Clone of Stuxnet-Flame? Being scammed as the Hagerott Virus for confusion. No detection, no cure, infects everything plugged into it. Infects everything with a speaker and microphone. The only way to detect it, other than your computer doing whatever it’s been told to do as though you were doing it, is that the computer will no longer boot from a CD.

“Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet’s next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

“We were like, ‘Okay, we’re totally owned,'” Ruiu told Ars. “‘We have to erase all our systems and start from scratch,’ which we did. It was a very painful exercise. I’ve been suspicious of stuff around here ever since.”

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that’s able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine’s inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping “airgaps” designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

“We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” Ruiu said. “At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world’s foremost security experts. The malware, Ruiu believes, is transmitted though USB drives to infect the lowest levels of computer hardware. With the ability to target a computer’s Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. In posts here, here, and here, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: “badBIOS,” as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

Bigfoot in the age of the advanced persistent threat

At times as I’ve reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he’s beginning to draw. (A compilation of Ruiu’s observations is here.)

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he’s no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that has afflicted Ruiu’s computers and networks.

In contrast to the skepticism that’s common in the security and hacking cultures, Ruiu’s peers have mostly responded with deep-seated concern and even fascination to his dispatches about badBIOS.

“Everybody in security needs to follow @dragosr and watch his analysis of #badBIOS,” Alex Stamos, one of the more trusted and sober security researchers, wrote in a tweet last week. Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security— retweeted the statement and added: “No joke it’s really serious.” Plenty of others agree.

“Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest,” security researcher Arrigo Triulzi told Ars. “Nothing of what he describes is science fiction taken individually, but we have not seen it in the wild ever.”

Been there, done that

Triulzi said he’s seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built off of work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer’s peripheral component interconnect, the Intel-developed connection that attaches hardware devices to a CPU.

It’s also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.

Of course, it’s one thing for researchers in the lab to demonstrate viable firmware-infecting rootkits and ultra high-frequency networking techniques. But as Triulzi suggested, it’s another thing entirely to seamlessly fuse the two together and use the weapon in the real world against a seasoned security consultant. What’s more, use of a USB stick to infect an array of computer platforms at the BIOS level rivals the payload delivery system found in the state-sponsored Stuxnet worm unleashed to disrupt Iran’s nuclear program. And the reported ability of badBIOS to bridge airgaps also has parallels to Flame, another state-sponsored piece of malware that used Bluetooth radio signals to communicate with devices not connected to the Internet.

“Really, everything Dragos reports is something that’s easily within the capabilities of a lot of people,” said Graham, who is CEO of penetration testing firm Errata Security. “I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy.”

Coincidentally, Italian newspapers this week reported that Russian spies attempted to monitor attendees of last month’s G20 economic summit by giving them memory sticks and recharging cables programmed to intercept their communications.


For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.

“The suspicion right now is there’s some kind of buffer overflow in the way the BIOS is reading the drive itself, and they’re reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table,” he explained.

He still doesn’t know if a USB stick was the initial infection trigger for his MacBook Air three years ago, or if the USB devices were infected only after they came into contact with his compromised machines, which he said now number between one and two dozen. He said he has been able to identify a variety of USB sticks that infect any computer they are plugged into. At next month’s PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues behind the infection mechanism.

He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems.


“Things kept getting fixed”

Ruiu said he arrived at the theory about badBIOS’s high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine’s power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

“The airgapped machine is acting like it’s connected to the Internet,” he said. “Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird.”

It’s too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer’s lowest levels and use it as a jumping off point to infect a variety of operating systems with malware that can’t be detected. It’s even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either.

“It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,” Ruiu concluded in an interview. “The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they’re faced with sophisticated attackers.”

Follow the link for the many embedded links in the original, which are not reproduced here.
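The article above reports encrypted packets crossing an air gap only while the machine’s speaker and microphone were attached, with near-ultrasonic tones as the suspected carrier. A defender-side check for such a channel, added here as an example and not code from the original post, from Ruiu’s investigation, or from Ars Technica: it scans an audio recording for a sustained narrowband carrier in the 18-22 kHz band. The band, window length, thresholds and the inline test audio are assumptions constructed for this example.

```python
"""Near-ultrasonic carrier detector. Added example: not code from the original
page, from Ruiu's investigation, or from Ars Technica.

An acoustic covert channel between a speaker and a microphone has to put
sustained narrowband energy into the near-ultrasonic band (roughly 18-22 kHz),
where speech, fans and music carry almost nothing. We scan a PCM recording in
50 ms windows, measure the energy at each candidate carrier frequency with the
Goertzel algorithm (a single-bin DFT, so no numpy is needed) and flag the
recording when some candidate holds a meaningful share of a window's energy
for several consecutive windows. Band, window and thresholds are assumptions.
"""
import math
import random

SAMPLE_RATE = 48_000                     # Hz; the constructed recordings use this
WINDOW = 2_400                           # samples per window: 50 ms, 20 Hz bins
CANDIDATES = range(18_000, 22_001, 200)  # assumed carrier frequencies to probe
MIN_SHARE = 0.05                         # carrier must hold >= 5% of window energy
MIN_WINDOWS = 3                          # ... for this many consecutive windows


def goertzel_power(frame, freq, rate=SAMPLE_RATE):
    """|X[k]|^2 for the DFT bin nearest `freq`, via the Goertzel recurrence."""
    n = len(frame)
    k = int(0.5 + n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def carrier_share(frame, freq, rate=SAMPLE_RATE):
    """Fraction of the frame's energy sitting in the bin at `freq`.

    Parseval gives sum |X[k]|^2 == N * sum x[n]^2, and a real tone splits its
    energy between bins k and N-k, so 2*|X[k]|^2 / (N * sum x^2) is ~1.0 for
    a pure tone centred on the bin and ~0 for an empty bin.
    """
    energy = sum(x * x for x in frame)
    if energy == 0.0:
        return 0.0
    return 2.0 * goertzel_power(frame, freq, rate) / (len(frame) * energy)


def scan_recording(samples, rate=SAMPLE_RATE, window=WINDOW):
    """Return (flagged, longest_streak, strongest_freq_hz).

    A window is suspicious if *any* candidate holds at least MIN_SHARE of its
    energy. Taking the best candidate per window, rather than one fixed bin,
    means a carrier that hops between two tones (FSK) is still caught.
    """
    streak = longest = 0
    strongest, best_share = None, 0.0
    for start in range(0, len(samples) - window + 1, window):
        frame = samples[start:start + window]
        freq, share = max(((f, carrier_share(frame, f, rate)) for f in CANDIDATES),
                          key=lambda fs: fs[1])
        if share >= MIN_SHARE:
            streak += 1
            longest = max(longest, streak)
            if share > best_share:
                best_share, strongest = share, freq
        else:
            streak = 0
    return longest >= MIN_WINDOWS, longest, strongest


def make_recording(tones, seconds=0.5, rate=SAMPLE_RATE, noise=0.01, seed=1):
    """Constructed test audio: the sum of (freq_hz, amplitude) tones plus a
    little deterministic noise; an empty `tones` list gives near-silence."""
    rng = random.Random(seed)
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in tones)
            + rng.uniform(-noise, noise) for i in range(int(seconds * rate))]


if __name__ == "__main__":
    # Audible content only: a 1 kHz tone, like a notification sound.
    print(scan_recording(make_recording([(1_000, 0.5)])))
    # The same tone with a quieter 19 kHz carrier riding on top of it.
    print(scan_recording(make_recording([(1_000, 0.5), (19_000, 0.2)])))
```

On a real machine you would feed it the microphone capture of the suspect room; a persistent hit in this band, with no legitimate ultrasonic device nearby, is a lead for the forensic elimination the article describes (unplug, remove cards, then remove speaker and mic).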


Dr. Ed Ward MD, AS, BS, MD – Reporting and investigating Constitutional abuses of the US government for almost 2 decades. AS, BS in Medical Technology – Minor in Organic Chemistry and Physics, volunteer during the Viet Nam war 6 years stateside active duty ‘med tech’ ‘US Air Farce’ – a decade experience in Medical Technology. MD degree from LSU, New Orleans – 2 decades in the field of General Practice. (My) Articles are also referenced by valid experts in their field.


8 thoughts on “Meet “badBIOS”: Son of Flame – Stuxnet; To Kill A Centrifuge and Infect the Planet?”

  1. “Hitler was Right,” Graffiti in Elad, Israel, Nov 2013 Elad: Hitler Was Right

    In depth well referenced information on Sandy Hook False Flag. Sofia Smallstorm Unraveling Sandy Hook

    Nothing new here for those that read me. “How do you remove molten fuel in melted down reactors? The radiation levels in reactors 1, 2 and 3 are so high that the area is inaccessible to humans. No one knows for sure where the molten core is resting within the basements of the buildings and how far it has penetrated through their floors. The technology does not exist to remove this molten fuel.”

    Nothing to worry about it’s all diluted and safe. Cesium in water starting to show.

    Immune systems destroyed by radiation allow multiple diseases to flourish.

    ADHD – 11%, Autism 1.5%, Births with Major Defect 3%, Personality Disorder – 20%. CONGRATULATIONS US – WHERE SOON THE ‘NORMAL’ IS ‘F!CKED UP’.

    Nazi cop chief recognizes cop ‘crime’ on the 3rd report? The accusations of sexual misconduct are the third against Neal, the police chief told the Express-News.

    Open power struggle of the ‘god people’ for top billing and therefore biggest piece of graft, power, etc. The jew Zionists vs the Christ Zionists – watch for them, they are all going to group up and show themselves… As stated being passed off as ‘hawks’ but ‘hawks’ is Israel Zionists, and non hawks is Christian Zionists in a take over power play. Very similar to what JFK tried to do by himself and paid the price. This time it is a broad base movement that’s been gaining strength via the ‘paul BS’ for a while. Note: Nazis tend to start calling each other Nazis about now…

    Nazis on the move. How are they with ‘flaming cocktails’? Same as everything else… bring marshmallows

    Texts my ass, you need 24 hour video surveillance to prove your innocence and you need to keep it for the rest of your life If, SOP censoring huffington POS will censor this comment, so posting here: Interesting a supposed article on FALSE RAPE ACCUSATIONS, gives one link to false accusations. It does manage some links to INSANE statistics. So, if the ‘rapes’ are 25%, 1 out of 4, and only 10% report 1 out of 10 = 250% of people are raped. Or, Everyone has been raped 2 or 3 times according to the propaganda BS of fascism and gendercide.

    Scam Heisenberg Uncertainty BS to hide sub atomic spontaneous generation of ‘virtual particles’ proven by Casimir’s law – not temporary, portals, and much more. COMPLETE COVERUP BS. They are only temporary so they don’t have to conform to laws. INANE SCAM BS. What bonds are permanent? There simply are no permanent bonds, ALL ARE TEMPORARY IN THE RIGHT CIRCUMSTANCES. COMPLETE BASTARDIZATION OF Heisenberg’s Principle by BY ALL INVOLVED – does not state temporary reactions may be ignored – merely, due to dual properties – wave and ray – of extremely fast and small moving particles one may not be able to determine BOTH speed and position accurately. One or the other, but not both. From that fact, they somehow get – no need to note any ‘temporary’ bond, reaction, product, by product or energy produced. Not only do they ignore the result of the occurrence, they ignore the reactions that cause it, outside of that ‘no problems’. It’s ‘magic’ physics with no need for actual reactions, products, and other insignificant ‘incidentals’. By using ‘magical ‘temporary’ physics’ anything may now be ‘proven’ or ‘nullified’ based on ludicrous ‘forget about it’ false physics. Portals: Government Nuclear Weapons’ Top Secret ‘Energy’
