An international plot which would have turned huge numbers of PCs into “bricks” by remotely triggering deeply buried malware was foiled by the National Security Agency, according to an interview given to CBS by NSA director Keith Alexander.
The scale of the attack could have “taken down the U.S. economy”, an NSA official claimed.
The CBS show 60 Minutes named China as the country behind the alleged attack, which would have arrived “disguised as a request for a software update” and attacked machines at the BIOS level. The BIOS is the firmware stored on a chip on the motherboard: it is the first code to run when a computer is powered on and initializes hardware such as drives before Windows or any other operating system starts.
The virus would have enabled PCs to be “remotely destroyed,” Alexander claimed in the CBS interview.
Neither Alexander nor his colleague Information Assurance Director Debora Plunkett specified which nation was behind the attack, or how many computers would have been affected.
In the hour-long interview, which also dealt with allegations of widespread spying against U.S. citizens, the NSA director made clear that the attack was designed to operate on a mass scale.
“The NSA working with computer manufacturers was able to close this vulnerability”, Ross said, according to The Register’s report.
Debora Plunkett, cyber defense director for the NSA, said, “One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability, to destroy computers.
“The attack would have been disguised as a request for a software update. If the user agreed, the virus would’ve infected the computer. Think about the impact of that across the entire globe. It could literally take down the U.S. economy.”
Attacks which work at this level are rare, and would require what ESET Senior Research Fellow David Harley describes as “an extraordinarily effective delivery mechanism”.
In a recent We Live Security feature on Five Malware that Kept Researchers Up at Night, ESET Security Researcher Lysa Myers ranked the Chernobyl malware number one on her list, saying that it remained in the news “for years” because of the “pain it caused its victims.” She wrote: “In some cases the virus would even flash the BIOS, which is to say it rendered the computer completely unusable by overwriting code on a chip attached to the motherboard that enables computers to turn on. This virus hit over a million computers worldwide, and stuck around for many years after the last variant was found.”
“It’s not totally impossible to make a machine effectively (not necessarily permanently) unusable by trashing the BIOS,” says Harley, “But I’ve never heard of this one, unless the NSA have just become aware of 1998’s Spacefiller/CIH/Chernobyl.”
Harley says that staging such an attack today would also face technical difficulties – beyond those faced by Chernobyl.
“This is essentially what CIH did to vulnerable machines (i.e. PCs using a particular combination of chipset and flash ROM). It changed one byte of the bootstrap routine, which was enough to stop a vulnerable machine from booting.”
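A one-byte change to the boot code is exactly the kind of modification a golden-image comparison catches. The following is an added example, not code from the original article or from ESET: it constructs a synthetic ROM image standing in for a firmware dump, simulates a CIH-style single-byte corruption, and verifies a dump against the known-good image, reporting the changed offsets and whether any fall inside the boot block. The image size, the boot block location (assumed here to be the last 8 KiB) and the image contents are all assumptions for illustration; a real check would use an image dumped from the flash chip and the layout documented for that board.

```python
import hashlib

# Assumptions for this constructed example: a 64 KiB image whose last 8 KiB
# is the boot block. Real firmware sizes and layouts vary by board.
ROM_SIZE = 64 * 1024
BOOTBLOCK_START = ROM_SIZE - 8 * 1024


def make_golden_image() -> bytes:
    """Constructed, deterministic stand-in for a known-good firmware dump."""
    return bytes((i * 7 + 13) & 0xFF for i in range(ROM_SIZE))


def corrupt_one_byte(image: bytes, offset: int) -> bytes:
    """Simulate a CIH-style modification: flip a single byte of the image."""
    buf = bytearray(image)
    buf[offset] ^= 0xFF
    return bytes(buf)


def region_digest(image: bytes, start: int, end: int) -> str:
    """SHA-256 of one region of the image, for logging or comparison."""
    return hashlib.sha256(image[start:end]).hexdigest()


def diff_offsets(golden: bytes, dumped: bytes) -> list:
    """Return every offset at which the dump differs from the golden image."""
    if len(golden) != len(dumped):
        raise ValueError("image sizes differ: %d vs %d" % (len(golden), len(dumped)))
    return [i for i, (a, b) in enumerate(zip(golden, dumped)) if a != b]


def verify_dump(golden: bytes, dumped: bytes) -> dict:
    """Compare a dump against the golden image and report what changed."""
    offsets = diff_offsets(golden, dumped)
    in_bootblock = [o for o in offsets if BOOTBLOCK_START <= o < ROM_SIZE]
    return {
        "matches": not offsets,
        "changed_bytes": len(offsets),
        "first_change": offsets[0] if offsets else None,
        "bootblock_changed": bool(in_bootblock),
        "bootblock_digest": region_digest(dumped, BOOTBLOCK_START, ROM_SIZE),
    }


if __name__ == "__main__":
    golden = make_golden_image()
    tampered = corrupt_one_byte(golden, BOOTBLOCK_START + 0x10)
    print(verify_dump(golden, golden))
    print(verify_dump(golden, tampered))
```

A full byte-by-byte comparison is deliberately used rather than a single whole-image hash: the hash tells you that something changed, while the offset list tells you where, which is what distinguishes a boot block modification that prevents the machine from starting from a harmless change elsewhere in the image.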
But times have changed, Harley says, and crafting such an attack would be difficult these days.
“Not all machines use the same BIOS,” Harley says. “Even in the days of CIH, some manufacturers restricted the initial boot code to a read-only stub, so that the machine could go far enough into the boot process to be reflashed.”
“Some systems had a jumper to write protect the BIOS – that’s pretty standard now, though it’s not necessarily a default. However, where the BIOS is reflashable from software, it does – more often than not – require the customer to disable write-protection. Of course, that does leave the customer vulnerable to social engineering.”
The NSA revealed few details of the BIOS malware’s functions, or how it would be delivered. Harley says that the methods mentioned in the CBS interview were simple social engineering and targeted emails – which may not be “very practical” as a mass attack.
“There is, of course, no guarantee that a new BIOS-trashing program would work exactly or even substantially like CIH,” Harley says. “After all, hardware and malware have moved on. But the sort of nightmare scenario proposed here would also require an extraordinarily effective delivery mechanism. From the transcript of the interview, one of the interviewees was talking about social engineering and targeted emails. But targeted social engineering isn’t very practical when everyone is the target. Clearly, while it’s referred to as a virus, a virus that ‘bricks’ its host has limited value as a delivery mechanism (none, once it has delivered its payload).”
“Unless, of course, the ‘vulnerability’ is in the supply chain, a possibility that isn’t mentioned in the transcript. Surprisingly, given the alleged source of the malware. I’ve no idea how many motherboards are made in China, but I suspect it’s a pretty large number.”
Author Rob Waugh, We Live Security