Airgap-Jumping Malware May Use Ultrasonic Networking To Communicate

Hugh Pickens DOT Com writes "Dan Goodin writes at Ars Technica about a rootkit that seems straight out of a science-fiction thriller. According to security consultant Dragos Ruiu, one day his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD-ROM, it refused, and he also found that the machine could delete data and undo configuration changes with no prompting. Next, a computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting, and further investigation showed that multiple variants of Windows and Linux were also affected. But the story gets stranger still. Ruiu began observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped. With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on. It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping-off point to infect a variety of operating systems with malware that can't be detected. It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either. 'It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,' says Ruiu. 'The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers.'"
  • Dupe (Score:5, Informative)

    by Anonymous Coward on Friday November 01, 2013 @12:39AM (#45297421)

    http://tech.slashdot.org/story/13/10/31/1955239/ars-cross-platform-malware-communicates-with-sound

  • by Animats ( 122034 ) on Friday November 01, 2013 @01:30AM (#45297597)

    I read the original article, but I don't see any part where someone recorded what was going out the speaker and looked at it. If someone is sending data over audio, it will show on a scope. Clearly that's not going to do much unless the receiving side has some kind of modem code listening for it.

    Then there are claims like "It seemed to send TLS encrypted commands in the HostOptions field of DHCP packets." Attacking via DHCP packets is plausible; DHCP clients get told a lot of things they're supposed to do, and some of the older vendor-specific extensions are very insecure. But TLS? TLS isn't used within the DHCP protocol itself. There's a way to store DHCP configuration info in an LDAP server and have a DHCP server access it via LDAP.

    If someone is seeing strange DHCP packets, and reloading the BIOS won't help, it's possible that what's going on involves an attack via the network controller. The fancier network controller parts now have CPUs and EEPROM [intel.com]. This may be an attack which puts code in the network controller which in turn patches the BIOS.

    The people studying this need to list exactly what network ICs the machines involved are using. Some network devices are too dumb to be used as an attack vector, but some have whole protocol stacks, WiFi support, remote administration support, etc. It would not be surprising if those were attackable.

    I've expected attacks via network controllers [slashdot.org] for years. That's been used to attack servers. [slashdot.org] There's a known attack on PCI controllers [oracle.com] which can survive rebooting and reloading the BIOS.

    If the machine has wireless networking hardware and the attack exploits the network controller, it may be able to do wireless networking even if the user thinks they have the hardware disabled. Time to open up the machine, clip onto the JTAG port on the network controller, and read out the device memory with a JTAG debugger. Compare the dumps with other machines.

  • by Impy the Impiuos Imp ( 442658 ) on Friday November 01, 2013 @02:06AM (#45297727)

    He's clarifying what the OP seems to suggest -- that infection might be happening through the speaker. A detailed read shows they think this is rootkits using USB for the initial infection, then burrowing into various hardware such that reflashing the BIOS, replacing the HD, and reloading Windows off a known CD isn't enough -- the stuff burrowed into PCI or other hardware re-infects the BIOS. The exact role of the speaker ultrasonic data is not yet known, but it also sounds like he's suggesting some communication aiding in the re-takeover of the airgapped machine.

    Perhaps the little stub in the PCI controller or whatever doesn't have enough room to store infectors for everything else, so downloads it via audio from another machine.

  • by Anonymous Coward on Friday November 01, 2013 @02:23AM (#45297759)

    "Because you couldn't here my clear my through when I typed the word adult in reference to the /. community. "

    I had to read that about 15 times before it started to make sense. I think you were trying to be sarcastic. Is that possible? English doesn't seem to be your first, or even second language, but to indicate sarcasm one uses quotes.

    The Latin "sic" means THIS; you use it when you are copying something verbatim but you know it is wrong.

    "Sorry that one went over your head"

    You might want to check your arrogant attitude and tone it down a bit. You aren't as "adult" as you think you are and could benefit from LISTENING to others and maybe LEARN something instead of looking like a complete JACKASS.

  • by dutchwhizzman ( 817898 ) on Friday November 01, 2013 @02:40AM (#45297801)

    These machines do two things:

    1. They try to infect other machines. They seem to use several methods for this. One is infecting USB sticks and other media. They have been observed abusing an old Windows exploit that uses TrueType fonts as the vector for that.

    2. They are trying to communicate with other infected machines. They use some rather inventive carriers for that it seems. One of these appears to be sound. How it works isn't published yet. Another seems to be to use out-of-band communication by putting data inside host-option packets in DHCP. It's obvious that the malware uses such side channels to avoid detection. The OOB communication is done purely to keep in touch with "the swarm" and is not used to infect other machines.

    The real nastiness appears to be that this malware is able to infect multiple operating systems that are usually passed by malware manufacturers and also happens to be able to nest itself on the EEPROM of infected machines. Both are more or less "a first" and the combination hasn't been seen in the wild either.

    Right now, there's a lot of discovery being done and a lot of speculation taking place as to who made it, what it can do, how it gets itself in EEPROM and prevents itself from being overwritten during reflashing of the BIOS. It's not known if the virus will attempt to infect virtual machines, or will only infect machines that will let it nest in its BIOS. Also, anything malicious apart from infecting and communicating hasn't been observed. For all we know, it may be a true worm that does nothing but replicate and is an out-of-control experiment.

    So far, no infections appear to have been seen on virtual machines, or machines that don't have an Intel chipset. I haven't seen any Linux-infected machines mentioned, but don't hold your breath on that; if *BSD and OSX have been infected, Linux may very well be infected too. Windows is infected for certain, but what versions are exactly vulnerable isn't clear to me at this time.

    Thus far, the only thing that can be advised to prevent infection is the usual: don't trust content/media from sources that could be spreading infections, knowingly or not, and keep your system up to date. If applicable, set your BIOS read-only with hardware switches or jumpers and, if at all possible, put passwords on BIOSes and put software blocks on updates as well. To this date it's not known if and what software blocks will prevent the malware, but it's best to give it as few attack surfaces as possible.
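Two posters above (Animats on the "HostOptions field of DHCP packets" claim, and dutchwhizzman's point 2 on data hidden in DHCP options) raise the same question for a defender: what would a DHCP message carrying a side channel actually look like on the wire, and how would you spot it? The following is an added example, not code from the thread or from any badBIOS analysis. It walks the options area of a DHCP message using the RFC 2132 code/length/value encoding (there is no standard option called "HostOptions"; the baseline set of option codes, the thresholds and the packet bytes are all constructed for this demo) and flags options whose payload is off-baseline, oversized, or opaque binary where text or addresses belong.

```python
"""Added example (not code from the thread or from any badBIOS analysis):
walk the options area of a DHCP message (RFC 2132 code/length/value
encoding) and flag options carrying payloads a normal lease exchange
would not. The packet bytes and the baseline option set are constructed
for this demo."""
import math
from collections import Counter

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236   # op, htype, hlen, hops, xid, secs, flags, 4 addresses, chaddr, sname, file

# Assumed baseline: option codes a plain client/server exchange carries here.
# A real deployment would learn this set from its own traffic.
EXPECTED = {1: "subnet mask", 3: "router", 6: "dns server", 12: "host name",
            51: "lease time", 53: "message type", 54: "server id",
            55: "parameter list", 58: "renewal time", 59: "rebinding time",
            61: "client id"}


def parse_options(packet):
    """Return [(code, value), ...] from the options field; raise on malformed input."""
    cookie = packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4]
    if cookie != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = [], FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:                       # pad byte, no length field
            i += 1
            continue
        if code == 255:                     # end marker
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts


def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_options(packet, max_len=32, min_entropy=5.5):
    """Flag options that are off-baseline, unusually long, or long and high-entropy
    (opaque data where text or addresses belong). Returns [(code, [reasons]), ...]."""
    findings = []
    for code, value in parse_options(packet):
        reasons = []
        if code not in EXPECTED:
            reasons.append("option code outside baseline")
        if len(value) > max_len:
            reasons.append("length %d exceeds %d" % (len(value), max_len))
        if len(value) >= 64 and entropy(value) > min_entropy:
            reasons.append("entropy %.2f bits/byte" % entropy(value))
        if reasons:
            findings.append((code, reasons))
    return findings


def build_packet(options):
    """Constructed DHCP message: zeroed fixed header, cookie, then the given options."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return bytes(FIXED_HEADER_LEN) + MAGIC_COOKIE + body + b"\xff"


# Constructed samples: an ordinary DHCPACK-style option set, and the same set
# with an opaque 96-byte blob stuffed into option 43 (vendor specific).
NORMAL = build_packet([(53, b"\x05"), (1, b"\xff\xff\xff\x00"),
                       (54, b"\xc0\xa8\x01\x01"), (12, b"lab-pc-07")])
ODD = build_packet([(53, b"\x05"), (1, b"\xff\xff\xff\x00"),
                    (43, bytes(range(96))), (12, b"lab-pc-07")])

if __name__ == "__main__":
    print("normal:", suspicious_options(NORMAL))
    print("odd:", suspicious_options(ODD))
```

The entropy check is deliberately restricted to payloads of 64 bytes or more: short ASCII values such as host names are almost all-distinct bytes and would otherwise score as "random". Option 43 is legitimately used by some vendors, so in practice the baseline set is the part to tune, not the parser.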

  • Re:So? (Score:3, Informative)

    by Anonymous Coward on Friday November 01, 2013 @09:29AM (#45299377)

    A couple notes:

      * You don't need an IP stack for a sound card to transmit data - just like you don't need an IP stack over Tor to use Tor
      * This BIOS interacts with the OS in an OS-independent way the same way Mac deals with printers -- think `apt-get install $(uname)-driver`
      * Lower than 300 baud
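Animats asks above for someone to record what is going out the speaker and look at it ("it will show on a scope"), and notes that nothing happens unless the other side runs "some kind of modem code listening for it"; the note just above adds that such a link needs no IP stack and would run well under 300 baud. The following is an added example, not code from the thread or from any badBIOS analysis, of what that listening side looks like from the forensic end: a Goertzel-based monitor that flags audio frames with tone energy above 17 kHz, and, for an assumed 2-FSK tone pair, recovers the symbol stream so an analyst can tell structured data from noise. The 44.1 kHz sample rate, the 18/19 kHz tone pair, the 100 baud symbol rate and the test signal are all demo assumptions; real captures would also need a preamble and clock recovery, which this skips by assuming frames align with symbols.

```python
"""Added example (not code from the thread or from any badBIOS analysis):
a Goertzel-based monitor that flags audio frames carrying ultrasonic tone
energy and, for an assumed 2-FSK tone pair, recovers the symbol stream.
Sample rate, tone frequencies and symbol rate are demo assumptions."""
import math

SAMPLE_RATE = 44100                         # assumed capture rate (Hz)
BAUD = 100                                  # assumed symbol rate, below the 300 baud noted above
SAMPLES_PER_SYMBOL = SAMPLE_RATE // BAUD    # 441 samples per frame -> 100 Hz bin spacing
F_MARK, F_SPACE = 19000.0, 18000.0          # assumed tone pair, both on exact 100 Hz bins
ULTRASONIC_FLOOR = 17000.0                  # speech and music put almost nothing above this


def goertzel_power(frame, freq, rate=SAMPLE_RATE):
    """|X_k|^2 for the DFT bin nearest `freq` over `frame` (Goertzel algorithm)."""
    n = len(frame)
    k = int(0.5 + n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def frames(samples, frame_len=SAMPLES_PER_SYMBOL):
    """Consecutive non-overlapping frames (assumes frame boundaries align with symbols)."""
    return [samples[i:i + frame_len]
            for i in range(0, len(samples) - frame_len + 1, frame_len)]


def ultrasonic_frames(samples, ratio=0.002):
    """Indices of frames in which a single bin at or above ULTRASONIC_FLOOR holds at
    least `ratio` of the frame energy (Parseval: sum|X_k|^2 == N * sum x^2).
    A sustained run of hits is what matters; an isolated one is probably noise."""
    flagged = []
    for idx, frame in enumerate(frames(samples)):
        n = len(frame)
        total = n * sum(x * x for x in frame)
        if total == 0.0:
            continue
        step = SAMPLE_RATE / n              # bin spacing in Hz
        freq, best = ULTRASONIC_FLOOR, 0.0
        while freq < SAMPLE_RATE / 2:       # sweep every bin up to Nyquist
            best = max(best, goertzel_power(frame, freq))
            freq += step
        if best / total >= ratio:
            flagged.append(idx)
    return flagged


def demodulate(samples):
    """Per-frame 2-FSK decision: 1 when the mark tone outpowers the space tone."""
    return [1 if goertzel_power(f, F_MARK) > goertzel_power(f, F_SPACE) else 0
            for f in frames(samples)]


def bits_from_bytes(data):
    """MSB-first bit list for a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bytes_from_bits(bits):
    """Inverse of bits_from_bytes; trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def make_test_signal(bits, audible_level=0.5, data_level=0.05):
    """Constructed input: a 440 Hz audible tone plus a quiet 2-FSK stream carrying `bits`."""
    out = []
    for i, bit in enumerate(bits):
        f = F_MARK if bit else F_SPACE
        for n in range(SAMPLES_PER_SYMBOL):
            t = (i * SAMPLES_PER_SYMBOL + n) / SAMPLE_RATE
            out.append(audible_level * math.sin(2 * math.pi * 440.0 * t)
                       + data_level * math.sin(2 * math.pi * f * t))
    return out


if __name__ == "__main__":
    sig = make_test_signal(bits_from_bytes(b"hi"))
    print("frames flagged:", ultrasonic_frames(sig))
    print("decoded:", bytes_from_bits(demodulate(sig)))
```

The energy ratio is the useful knob: the constructed data tones sit 20 dB below the audible tone and still carry about 0.5% of each frame's energy in one bin, whereas leakage from the audible tone into the ultrasonic bins is orders of magnitude smaller. On a real capture you would run the flagging pass first and only attempt demodulation once a tone pair shows up consistently.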
