Airgap-Jumping Malware May Use Ultrasonic Networking To Communicate

Hugh Pickens DOT Com writes "Dan Goodwin writes at Ars Technica about a rootkit that seems straight out of a science-fiction thriller. According to security consultant Dragos Ruiu one day his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused and he also found that the machine could delete data and undo configuration changes with no prompting. Next a computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting and further investigation showed that multiple variants of Windows and Linux were also affected. But the story gets stranger still. Ruiu began observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped. With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on. It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping off point to infect a variety of operating systems with malware that can't be detected. It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either. 'It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,' says Ruiu. 'The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers.'"

Dupe

[Anonymous Coward]

Is it really SO hard to get rid of dupes that are less than 24 hours old? You seriously call yourself editor if you don't even manage to get those basic things straight?

Re:Dupe

[phantomfive]

It even has the exact same link! What is the point of having the 'main link' put in the submission form if you're not going to check it?

So?

[Anonymous Coward]

Bust out an oscilloscope and a logic analyzer and start looking at these signals. It shouldn't be hard to get a waveform capture of the audio running over the speaker and the handshake between a USB device and the host.

Re:Complexity, Resources and Skill. Could it be...

[jrumney]

We're either looking at someone who has a LOT of free time and hardware on his hands, or a 1st or 2nd world military-level dev team with LOTS of cash to spend, IMO.

You've discounted the most obvious option - an attention whore who isn't adverse to making shit up.

What a load of complete rubbish!

[thesupraman]

What is being 'proposed' is NOT anything infecting through the speaker/microphone, but a pre-existing inection (that was probably USB based)
then communication through these methods - a VERY VERY different thing.

The hype and BS layers need to be peeled off this.

There is no possible infection vector via microphone/speaker, or via power cord as semi-implied (unless you had a powerline modem..), it is simply a
way to get data out of the airgapped but INFECTED machine to others that may not be airgapped.

The 'solution' here is simple, remove the infection! there is more to security than just network airgapping!

Time to go back to security 101.

You Are Five Months Early

[Anonymous Coward]

April Fools Day is five months away. Come back and repost this then.

Re:So?

[Fjandr]

If the internal mic and speaker on a standard laptop can be used to maintain the ultrasonic connection, I don't think this requires an ultra-hifi mic in order to capture the frequencies being used.

Did he bother to check for actual sounds?

[LaughingRadish]

I haven't yet seen mention of someone setting up microphones sensitive to ultrasonic frequencies to check to see what, if any, odd sounds are being made by the computers. A lot of extraordinary claims are being made and I just don't see the requisite extraordinary evidence.

Re:So?

[wonkey_monkey]

You made it very badly.

Re:So?

[Anne Thwacks]

The mics in most Android phones will piss on those in a PC. Load an Android scope app and job done.

I call bullshit: if a machine running OpenBSD is claimed to be compromised, the claim is probably suspect. OpenBSD machines are normally servers, and don't have microphones (and any on-board speakers would have trouble at 300 baud over the noise in a server closet).

As for the story that "its the BIOS wot done it": how is the bios supposed to interact with the OS in the manner described in an OS independent way? And who the hell has a TCP/IP stack that takes its input from a sound card? Its hard enough get one that works on Ubuntu with a Ralink wifi card!