
Computers infected with badBIOS can "whisper" to each other in ultrasound


emerglines


An advanced form of malware dubbed "badBIOS" has been using the speakers of infected computers to communicate between infected machines, repair itself and evade attempts to remove it, according to a report by security researcher Dragos Ruiu.

The malware apparently uses high-frequency sounds to allow corrupted computers to "whisper" to each other even when they are not connected over the Internet or a Bluetooth connection.

It achieves this, Ruiu claims, by infecting the Basic Input Output System (BIOS) of a computer, a fundamental piece of software stored on a small memory chip on the motherboard. Examples of such malware have been around for years. However, badBIOS appears to be operating-system independent, burrowing down into the lowest levels of a computer and infecting it from there. The use of ultrasonics to pass information is also an alarming development.

Ruiu, who is the organiser of the renowned CanSecWest and PacSec conferences, had his suspicions aroused when he discovered that badBIOS was somehow passing encrypted data packets between infected machines that he had purposefully disconnected from the network - even removing their Wi-Fi and Bluetooth cards. The communication allowed the malware to protect and repair itself when it was under attack.

This is significant because one of the first steps security experts will take when disinfecting a compromised machine is to create an "air-gap" – disconnecting the computer from the Internet and all other networks that could allow the virus to seep back in.

"We had an air-gapped computer that just had its BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said.

"At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

"The air-gapped machine is acting like it's connected to the Internet," Ruiu said. "It was weird."

Ruiu has taken sound recordings of the high-frequency noise passing between machines, and is currently analysing them.


The badBIOS rootkit has some other scary features. Just plugging an infected memory stick into a clean system will apparently infect that system. It also bricks the USB drives if you eject them unsafely, but brings them back to life when you plug them into an infected system. Infected computers seem to infect USB drives, and vice versa.

The extremely sophisticated nature of the malware has led to speculation about its origin. Some have questioned whether badBIOS is a state-sponsored virus that has found its way by accident onto the network of a renowned security researcher.

Other big names in the security world are cautious in their statements, as Ruiu's findings haven't yet been peer-reviewed. However, they certainly vouch for his credibility.

"Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest," said security researcher Arrigo Triulzi. "Nothing of what he describes is science fiction taken individually."

Indeed, early networking standards used high-frequency sounds to broadcast network packets, and ultrasonic-based Local Area Networks (LANs) have been the subject of a study by researchers at MIT. However, this is the first discovery of real-world malware actually using this technique.

Triulzi added, "we have not seen it in the wild ever."

When contacted by ITProPortal, Adrian Culley of Damballa Security said, "we've had 25 years of depending on anti-virus and firewalls for defence, and whilst these technologies will always be needed, it's clear that as attack techniques become increasingly blended, we must develop blended defence techniques."

"We can no longer solely depend on 'scan and detect', 'fire and forget', 'patch and proceed' approaches," he told us. "The research illustrates the 'arms race' nature of cutting edge attacks."

However, others have dismissed Ruiu's claims out of hand. Security and BIOS expert Phillip Jaenke has described the claims as "hilarious", while conceding that "it is absolutely possible in theory."

Indeed, the outlandish nature of many of Ruiu's claims has led Ars Technica to describe the badBIOS investigation as akin to a "Bigfoot sighting".

It's still too early to tell whether Ruiu's original hypothesis stands up to scrutiny, but one thing's for sure: the malware threat is constantly evolving, and with inventive new ways of compromising machines, security may soon struggle to stay one step ahead of the game.



So...via sound frequencies eh...dam. From this point on just consider that they can spy on you in many other covert ways.



So...via sound frequencies eh...dam. From this point on just consider that they can spy on you in many other covert ways.

Yep! They say that the man who found it isn't sure of his information, maybe he's bluffing, I hope so!



Oh you mean like this nonsensical theory is visually infecting my brain even as we speak? :rofl:

No that wasn't an attack on you emerglines just this idiot researcher. As a computer programmer, network administrator and music producer that knows quite a bit about sound I can tell you right now that this is nothing but a fucking joke and a bad one at that. I could thoroughly demolish all these claims in excruciating detail but honestly I just don't have the time to write an essay. Suffice it to say that no this is all a load of bullocks from any angle you wish to approach it. :rolleyes:



Oh you mean like this nonsensical theory is visually infecting my brain even as we speak? :rofl:

No that wasn't an attack on you emerglines just this idiot researcher. As a computer programmer, network administrator and music producer that knows quite a bit about sound I can tell you right now that this is nothing but a fucking joke and a bad one at that. I could thoroughly demolish all these claims in excruciating detail but honestly I just don't have the time to write an essay. Suffice it to say that no this is all a load of bullocks from any angle you wish to approach it. :rolleyes:

Yep, I'm with you on that but still waiting for more information, if so, that confirms I'm wrong. I know it's bluffing but maybe it's close to what Stuxnet was, like spreading through a Bluetooth connection...



:wtf: Really scary:...if is true...,...is incredible...!!!! :lol:....

Seems we need a Faraday cage or military Tempest protection...hehehe... :D

Edited by el_espaniol


:wtf: Really scary:...if is true...,...is incredible...!!!! :lol:....

Seems we need a Faraday cage or military Tempest protection...hehehe... :D

Lol! true, with some guards !!



Oh you mean like this nonsensical theory is visually infecting my brain even as we speak? :rofl:

No that wasn't an attack on you emerglines just this idiot researcher. As a computer programmer, network administrator and music producer that knows quite a bit about sound I can tell you right now that this is nothing but a fucking joke and a bad one at that. I could thoroughly demolish all these claims in excruciating detail but honestly I just don't have the time to write an essay. Suffice it to say that no this is all a load of bullocks from any angle you wish to approach it. :rolleyes:

I have one statement to make to you: "Speech recognition and voice commands" Now I'd like to see that essay so I can actually CODE software to do what you say it cannot. I have a University behind me waiting to prove you wrong and score excellent grades on our research project. Publish your "essay" we'd help you publish it...

Now having said that, right click on your volume icon in the taskbar and select 'recording devices', then turn your mic sensitivity all the way up and look at the noise meter. Your mic is on all the time unless you mute it.

Do tell me again what your degree or PhD is, with all that experience?



i call shenanigans on this one. if it was remotely viable to transmit data reliably via computer speakers..(possible, yes. viable...hardly) it would already be implemented in a more productive way. i think this researcher is just swinging his stick at an invisible piñata. ALL speakers produce some form of ultrasonic noise due to static. and while i don't doubt that it might have corrupted the bios, it would make more sense to create a tiny virtual machine, isolated from the os and have the main rootkit communicate with it via a hidden virtual network interface.

i mean, isn't this how technology evolves? building on top of other KNOWN technologies instead of totally new breakthroughs.

i'm sure the author(s) of such rootkit must be laughing out loud by this so called "researcher's" statements.



Oh you mean like this nonsensical theory is visually infecting my brain even as we speak? :rofl:

No that wasn't an attack on you emerglines just this idiot researcher. As a computer programmer, network administrator and music producer that knows quite a bit about sound I can tell you right now that this is nothing but a fucking joke and a bad one at that. I could thoroughly demolish all these claims in excruciating detail but honestly I just don't have the time to write an essay. Suffice it to say that no this is all a load of bullocks from any angle you wish to approach it. :rolleyes:

WOW.. you're one talented guy... i know a lot of codderz, not one is also a music producer. They must not have your talent and they certainly do not explain things in such a technical detail as yourself, blow us away, do the paper.



i call shenanigans on this one. if it was remotely viable to transmit data reliably via computer speakers..(possible, yes. viable...hardly) it would already be implemented in a more productive way. i think this researcher is just swinging his stick at an invisible piñata. ALL speakers produce some form of ultrasonic noise due to static. and while i don't doubt that it might have corrupted the bios, it would make more sense to create a tiny virtual machine, isolated from the os and have the main rootkit communicate with it via a hidden virtual network interface.

i mean, isn't this how technology evolves? building on top of other KNOWN technologies instead of totally new breakthroughs.

i'm sure the author(s) of such rootkit must be laughing out loud by this so called "researcher's" statements.

How many coders out there know how to code in binary still? very few. That's why it's so brilliant! Now you can't play a magic melody and corrupt a BIOS.. UNLESS* the other computer was listening for signals in that range. The sound card can be like a wifi card with that low level programming. We've done it today. We flashed an Insyde H20 bios with a small code to transmit 0 for low band frequencies and 1 for higher frequencies. Then the digital signal passes through the mic, is passed to the sound card and the data there is piped to the BIOS as a binary command... there are no data types, no validation. What do you think radio waves are? THEY ARE SOUND at such a high frequency we can't hear them. Same principle applies here. All the infected PC's keep chiming out that frequency and with this code

01100100 01100101 01101100 00100000 01000011 00111010 01011100 01100010 01101111 01101111 01110100 01101101 01100111 01110010 00101110 01100101 01111000 01100101

they can delete the file.

01100110 01101100 01100001 01110011 01101000 00100000 01101001 01101111 00100000 00110001 00110000 00110001 00110001 00110000 00110000 00110001 00110001

add data to the flash chips.. etc...

OPEN YOUR MINDS!!

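A defender-side check for the two-tone acoustic signalling claimed in the post above, added here as an example and not code from any poster or from Ruiu's analysis: it scans a microphone capture for sustained energy that hops between near-ultrasonic tones. The probe frequencies, alert floor, frame size and the synthetic captures are assumptions constructed for the illustration, since the thread names no frequencies.

```python
import math
import random

RATE = 48_000                  # Hz, assumed capture rate (covers the band up to 24 kHz)
FRAME = 480                    # 10 ms frames -> 100 Hz bins, so every probe is an exact bin
PROBES_HZ = (18_500, 19_500, 20_500, 21_500)   # assumed near-ultrasonic probe tones
FLOOR = 0.01                   # assumed alert floor, as a fraction of full scale

def tone_amplitude(frame, freq_hz):
    """Amplitude of one frequency in a frame, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return math.sqrt(max(power, 0.0)) / (len(frame) / 2)

def scan(samples):
    """Summarise probe-band activity: active frames, tones seen, tone switches."""
    frames = active = switches = 0
    tones, last = set(), None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        frames += 1
        level, freq = max((tone_amplitude(frame, f), f) for f in PROBES_HZ)
        if level < FLOOR:          # quiet frame: reset the switch tracking
            last = None
            continue
        active += 1
        tones.add(freq)
        if last is not None and freq != last:
            switches += 1
        last = freq
    return {"frames": frames, "active": active,
            "tones": sorted(tones), "switches": switches}

def is_suspicious(report):
    """Flag sustained energy that hops between two or more probe tones."""
    busy = report["frames"] > 0 and report["active"] / report["frames"] >= 0.5
    return busy and len(report["tones"]) >= 2 and report["switches"] >= 2

def constructed_capture(bits=None, seed=1):
    """Constructed test audio: 1 kHz hum plus noise, optionally with two-tone keying."""
    rng = random.Random(seed)
    out = []
    for n in range(16 * FRAME):
        x = 0.3 * math.sin(2 * math.pi * 1_000 * n / RATE) + rng.uniform(-0.005, 0.005)
        if bits:
            f = PROBES_HZ[bits[n // (2 * FRAME)]]      # 20 ms per bit
            x += 0.05 * math.sin(2 * math.pi * f * n / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    first_octet = [0, 1, 1, 0, 0, 1, 0, 0]             # first octet of the post's binary string
    for name, cap in (("ambient", constructed_capture()),
                      ("keyed", constructed_capture(first_octet))):
        report = scan(cap)
        print(name, report, "suspicious" if is_suspicious(report) else "clean")
```

On a real capture the floor has to be calibrated against the room and the microphone's own response above 18 kHz, which varies widely between devices.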


I might add that many different things can be done to transmit data, or to piggyback data on alternative flowing waves. One other example of data transfer into electrical currents is this:

So yes, why is it not possible to transmit data via unordinary methods which might never be detected?



First of all what makes any of you think I need your approval? What am I 10 years old that just because some random peeps on nsane challenge me I'm going to waste ridiculous amounts of time and energy, it's really not that important to me. And who said having a degree necessarily means anything? Some of the best and brightest in history dropped out of high school so it's certainly not a yardstick at least for me. But hey feel free to continue thinking that degrees are somehow a meaningful measure of your mental acuity, who am I to stop you? We've got a world full of intellectuals with PhD's and MD's marching us ever faster into the abyss with their massive brainpower. We live in a world where Obama actually won the Nobel Peace Prize and a more stellar example of human stupidity I'd be hard-pressed to find. With your degree and the backing of your university you should have no problem creating something like this so I await your proof of concept. In the meantime anyone interested should check out RootWyrm's blog on the subject: http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/ I'll go with Occam's Razor until there is any sort of comprehensive data being released which certainly should have been available before people started writing articles on the subject. Call me old fashioned. :dunno:



i call shenanigans on this one. if it was remotely viable to transmit data reliably via computer speakers..(possible, yes. viable...hardly) it would already be implemented in a more productive way. i think this researcher is just swinging his stick at an invisible piñata. ALL speakers produce some form of ultrasonic noise due to static. and while i don't doubt that it might have corrupted the bios, it would make more sense to create a tiny virtual machine, isolated from the os and have the main rootkit communicate with it via a hidden virtual network interface.

i mean, isn't this how technology evolves? building on top of other KNOWN technologies instead of totally new breakthroughs.

i'm sure the author(s) of such rootkit must be laughing out loud by this so called "researcher's" statements.

How many coders out there know how to code in binary still? very few. That's why it's so brilliant! Now you can't play a magic melody and corrupt a BIOS.. UNLESS* the other computer was listening for signals in that range. The sound card can be like a wifi card with that low level programming. We've done it today. We flashed an Insyde H20 bios with a small code to transmit 0 for low band frequencies and 1 for higher frequencies. Then the digital signal passes through the mic, is passed to the sound card and the data there is piped to the BIOS as a binary command... there are no data types, no validation. What do you think radio waves are? THEY ARE SOUND at such a high frequency we can't hear them. Same principle applies here. All the infected PC's keep chiming out that frequency and with this code

01100100 01100101 01101100 00100000 01000011 00111010 01011100 01100010 01101111 01101111 01110100 01101101 01100111 01110010 00101110 01100101 01111000 01100101

they can delete the file.

01100110 01101100 01100001 01110011 01101000 00100000 01101001 01101111 00100000 00110001 00110000 00110001 00110001 00110000 00110000 00110001 00110001

add data to the flash chips.. etc...

OPEN YOUR MINDS!!

you do know that either binary or hex, the computer still sees it as del C:\bootmgr.exe and current system policies will prevent the use of the del command regardless of how you put it?....right?

however flash io command would fail to execute as well unless you have planted an additional file (another chance of being detected)....because you are still working at an operating system level.

as i said, it IS possible to transmit the data, but not reliably. and since in this case we're talking about a bios rom we assume there's simply not enough space available to implement complex error correction routines in addition to the shrouding layer (aka rootkit), the actual ordnance code AND the original BIOS for the computer to remain functional.

instead as stated before, it would be much more simple, efficient, elegant, you name it, to store the data locally in a way that cannot be detected. why bother with something so eccentric just to deploy a malware?

OPEN YOUR MINDS!!

btw, opening your mind too much, might allow air flow inside...and that is certainly not healthy

Edited by VileTouch


As a sample hasn't yet been provided none know exactly what is going on in this specific instance. I do, however, caution those reading statements from "experts" who totally pooh-pooh the idea of malware jumping the gap. Without in any way being explicit, please check the following:

http://defensesystems.com/articles/2012/12/17/agg-army-cyber-program-sealed-networks.aspx

The more unreal a person thinks a jumper is, the farther away they work from Northern Virginia.



you do know that either binary or hex, the computer still sees it as del C:\bootmgr.exe and current system policies will prevent the use of the del command regardless of how you put it?....right?

however flash io command would fail to execute as well unless you have planted an additional file (another chance of being detected)....because you are still working at an operating system level.

as i said, it IS possible to transmit the data, but not reliably. and since in this case we're talking about a bios rom we assume there's simply not enough space available to implement complex error correction routines in addition to the shrouding layer (aka rootkit), the actual ordnance code AND the original BIOS for the computer to remain functional.

instead as stated before, it would be much more simple, efficient, elegant, you name it, to store the data locally in a way that cannot be detected. why bother with something so eccentric just to deploy a malware?

1) The BIOS was listening for the signal at bootup and those commands are executed below the NTSystem Authority Level.

2) flash io was coded into the BIOS with 64bytes of code to simply map a 0 or a 1 to a certain pin on the chip.

3) The mic and camera are connected directly to the motherboard

4) The chance of making an error in binary transmission is very low thanks to the huffman code field only having one of two states: very high or very low ( 0 or 1 )

5) The BIOS has lots of space filled with zeroes at the end of it. It's 5MB in size. Lots of space for low level code to be written.

6) The efficient and elegant ways of hiding a virus are concurrently used to infect the PC, this is just in addition to other ways.

7) Having air in my head is better than ignorant doubt and self opinionated falsification with dimwitted resistance to change and being proven wrong.



Update to all the interested persons following this topic: Using the Android OS, we were able to create a Samsung Galaxy SIII that can pass near to an infected PC and activate the rootkit, then steal files and information by authenticating as SYSTEM. We have since gained a max transfer speed of 8KB/s with no background noise and now we know why this technology is POSSIBLE but not commercially viable.


