Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

by Dan Goodin, Ars Technica

Oct 31 2013, 10:07am EDT

Ruiu said he arrived at the theory about badBIOS’s high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with, but was in close proximity to, another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine’s power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

“The airgapped machine is acting like it’s connected to the Internet,” he said. “Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird.”

It’s too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer’s lowest levels and use it as a jumping off point to infect a variety of operating systems with malware that can’t be detected. It’s even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either.

“It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,” Ruiu concluded in an interview. “The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they’re faced with sophisticated attackers.”

Well, this story has been making the rounds recently and it’s my sad duty as a Computer Professional to tell you it’s theoretically possible.

Anything except a write-once, disk-at-a-time CD-ROM, DVD, or Blu-ray can become infected.

Standard Industry Practice for virus removal is to take an ‘air gapped’ machine fresh from the box (and by machine I mean motherboard, video card, memory, power supply, case, monitor, mouse, and keyboard, that’s it) and a brand new hard drive, then install a fresh Operating System from scratch, add the strongest anti-virus software you happen to have, and finally scan and fix (hopefully) the media you think is infected.

In reality you work with whatever crappy spare parts you have on hand (after all, you may end up with an infected machine and have to re-do everything).

Back in the early days of flash BIOSes I and some of my colleagues argued that it was the perfect place to put a virus and therefore a very bad idea. Today you can hardly buy a motherboard without one.

Likewise driver and Operating System updates require an Internet connection and then you’re connected to a source of possible infection.

I haven’t independently verified sonic transmission, but I’ve used an analog modem and it’s the same thing in principle.

So if it doesn’t already exist, just like in Tom Clancy’s Debt of Honor, it soon will.

Scary huh?
