Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

Zaphod58
A number of security people have said that it "wouldn't be hard" to develop something that spread through soundwaves. But he said today that it appears that while there apparently IS communication between infected machines, it's not spreading through soundwaves.

edit on 10/31/2013 by Zaphod58 because: (no reason given)

The transfer of data could be done via mic and speaker combination (think old analog modem...) but the two biggest problems I have with claims of this "airgap" virus being possible are
1) if it was transferring via analog speaker modulation, there should need to be a program already on the target machine activated and waiting for such signal trains coming in over the mic. This program would need to demodulate the data and store it to disk PLUS modify the OS registries or startup ffiles/parameters or MBR and other parts of the system.

2) The audio filer and microphones aren't optimized for ultrasonic. The electret type microphones usually fall off on the frequency response scales at below 20Khz. The audio output stages may also filter out non-audible noise , too.

I just don't see how I can believe it.

reply to post by Bassago

I'm calling BS on this. How on earth is anything going to "transmit" without hardware to transmit with. Without a physical layer in the network model you have no transmitting anything. The OS has little to do with this either especially if the power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

I think they are claiming that the computers speakers and microphones are the Physical/Network layer in the OSI and TCP model.

reply to post by ShadeWolf


my guess is that its computer geek horror, just for spits and giggles.

reply to post by ShadeWolf


I call total BS on this.

Wireless operates usually on 2.5-5 GHz (sometimes higher), which is a frequency that most speakers could never ever reproduce, so you can toss that idea out.

Something else is being overlooked here, or this is a complete and total hoax.

Show me a Youtube video of the fresh Windows install and no connection to a network and no wireless card in the device manager, with no cuts or edits to the video, and ethernet unplugged, with the task manager or SysInternals running and showing the packets still being sent, and then I might believe it. Until then, it's nonsense.

~Namaste

PhoenixOD
reply to post by Bassago

 

I think they are claiming that the computers speakers and microphones are the Physical/Network layer in the OSI and TCP model.

Yeah I read that too. Still not buying it. You could reprogram the bios into a small OS. Adding the networking support makes it even bigger.

I have to agree with SonOfTheLawOfOne on this, they missed something. If they "know" it's transmitting packets then do a netcap and provide more info.

This story is no worse than an episode of Bones where someone was able to pass computer infections along by etching the coding for them into human bones. When the images were scanned into the computer, the virus compiled miraculously, and infected the entire police computer system.

I lost it at that point, and had to go on a rant about the crappy quality of television my mother and my son watch together, as i left the room.

reply to post by ShadeWolf

I work in the IT field and I would have to call hoax on this one also. There a number of reasons I don't believe this is happening, but in this case the lack of power convinces me.

If it did happen then their clean machine really wasn't clean when they started rebuilding. Something overlooked, maybe the media.

They could have overlooked some thing as simple as the memory in the keyboard. But they can spy on your key board with a analyzer connected to the ground outlet of the power outlet near the one the computer is on. Also you have CPUs with unused areas built into them. They say the dead area on CPUs are so when they are manufactured if there is a bad spot they can make that the dead unused portion. But with the NSA can you really believe them any more? Especially when the CEO of Intel went directly to InQTel after retiring? Programmable chips do make you wonder. And how about NVidia putting in a hidden user on computers with there video cards? Seems like the perfect way to take over half of the computers out there. And NVidia is the one who made all those scientific cards for the NSAs new super computer. With special modifications just for the NSA?

SonOfTheLawOfOne
I call total BS on this.

Wireless operates usually on 2.5-5 GHz (sometimes higher), which is a frequency that most speakers could never ever reproduce, so you can toss that idea out.

It's not using sound, but that doesn't mean you couldn't network with sound. You could certainly do it with audible frequencies 200 Hz-15,000 Hz that the PC speakers and microphones can handle. How do you think the old modems worked over telephone lines? They used sound to network.

The main problem would be as others have said trying to use inaudible frequencies, say maybe 21,000-22,000 Hz just beyond the range of human hearing, but also mostly beyond the capability of the PC speakers and mics, so if you wanted to design an ultrasound network it might be possible, but you'd use a frequency like 21,000 Hz, not 3 GHz. The frequency response at 21,000 Hz typically declines considerably, but depending on the PC or laptop, it's probably not zero, hence it's not an impossible idea to use this frequency. There is no need to use the wireless frequency for networking.

I guess we can no longer claim that nobody would write a virus for the Mac, though it was good marketing hype to claim that.

reply to post by PhoenixOD


Nah, thats complete toss.

Speakers picking up wifi?

Nope....

dreamfox1
Able to transmit to other computers which have no WiFi or Bluetooth components is still possible due to a computers basic COM ports still physically on the motherboard.

Able to transmit info to a computer which has no power is still possible due to that little battery on the motherboard. CR2016 CMOS

Bios settings remain as long as the battery is alive.

Transfering info to a computer with no power at all is possible due to bios flash memory which needs no power to retain info but can be flashed if outside power ..ie microwave power is involved.

edit on 7/30/2012 by dreamfox1 because: (no reason given)

edit on 7/30/2012 by dreamfox1 because: (no reason given)

edit on 7/30/2012 by dreamfox1 because: (no reason given)

com ports require a protocol and software to operate them and are not active and live by themselves. How do you make a com port hear wifi signals? you cannot just wave wifi signals at them and they read the infos and reconfigure the machine...

bios settings have always relied on the internal lithium battery. what are you suggesting? You cannot talk to the bios when the machine is not powered on to facilitate interaction with it.

And how are you using microwave power to flash a cmos chip?

we used to destroy with with microwaves, sure...

Zaphod58
A number of security people have said that it "wouldn't be hard" to develop something that spread through soundwaves. But he said today that it appears that while there apparently IS communication between infected machines, it's not spreading through soundwaves.

edit on 10/31/2013 by Zaphod58 because: (no reason given)

it falls apart for me when he removes the wifi and bluetooth modues and then it only stops when he disconnects the speakers.

From one machine with no hardware to do it, but somehow gets infected, to antother machine with no hardware to do it. Either some unique and dedicated hardware is being used here, which is not mainstream and therefore pretty much not an issue in the context of the thread, or the guys just a lunatic.

I seriously do not for one moment believe that a machine that is turned off (even in sleep mode) can 'hear' a wifi signal and know what to do with it, so that it reconfigures the bios and then goes ahead to control the machine.

It's 100% a hoax, imo. but one that will have just enough to it that people will keep it going.. oh well.

ShadeWolf
So someone linked me to this earlier, and it looks like prime ATS subject matter. If this isn't the right forum, feel free to move it. And also note there's no independent verification of this story outside what Dragos Ruiu is saying, leaving better-than-even odds that it's a hoax, but I feel like it's worthy of discussion. It's also on a pretty reliable site, so make of that what you will.

Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps Like a super strain of bacteria, the rootkit plaguing Dragos Ruiu is omnipotent. by Dan Goodin - Oct 31, 2013 2:07 pm UTC Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did. It was a very painful exercise. I've been suspicious of stuff around here ever since." In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that's able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine's inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities. "We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

Source

edit on 31-10-2013 by ShadeWolf because: Linebreaks

---

Hot Digitty Damn! Dem NSA dudes have been stealing my methods to infect
the BIOS of on-board graphics cards, Ethernet/ATM/Sonet Network Cards,
and internal peripherals that use FPGA (Field Programmable Gate Array) chips
which can run AMD/Intel CPU instructions in Ring-0 Privileged mode which
can BYPASS even Norton Anti-Virus code.

Boot a computer to MS-DOS 7.0 mode using basic drivers and use a debugger to
scan the BIOSes of ALL graphics cards, network cards, Firewire/USB 2/3 cards,
RS-232/422 chipsets, wireless cards, GPS chips, etc.

Then check your d-Link routers and any Gateways or firewall appliances
by scanning the chipsets using a HARDWARE DEBUGGER which will PREVENT
the onboard microcode from executing and you can then scan for the usual
backdoors in dlink, cisco, netgear switches/routers/gateways.

It's NOT the UEFI/BIOS chips that get changed...it's the BIOSes on
all the OTHER peripherals and teh Flash RAM or non-volatile storage
chips they may contain which have malicious microcode embedded into them.

---

I'll disclose the MOST nefarious code storage area which is on connected
PRINTERS and external drives....!!! they are NOTORIOUS for containing
malicious code!!!!!!

----

And FINALLY the BIG ONE!!!! ---A SUPER SECRET AREA to store microcode
which I will disclose TOMORROW which they use on mostly FOREIGN entities!!!!!

--- I LOOOOOVE blowing the lids on this sort of stuff!!!

EAT MY SHORTS NSA/DIA !!!!

reply to post by winofiend


Except that he has said that it's not being transmitted over the air, the infected computers are communicating with each other. It appears that it's spread over USB, through a flash drive. We'll find out when they have the security conference coming up.

I tend to believe it, mostly because all the security people say that while he's been wrong in the past, which they all have, he's never deliberately hoaxed, or given any of them a reason to believe that he's lying to them. So I'm going to believe it unless it's proven to be a hoax, and play it safe.

reply to post by StargateSG7


---

Regarding the speaker parts...NSA/DIA can activate on-board MICROPHONES
of laptops/desktop computers or even use the SPEAKERS THEMSELVES as
microphone-like transducers to receive PULSE CODED MODULATION (PCM)
data files from an external source. Use a pro-grade 5 hz to 1 MHZ audio sampler
to see if you have any incoming audio waveforms within your rooms that look
like pulse coded modulation which then gets converted BACK to microcode
by an embedded application. You can also use MS-DOS versions of audio
card drivers to see what's coming into your AUDIO CARD in terms of
waveform samples and graph it on-screen...bet U see some PCM audio data!!!!

The same thing can be done to onboard WEB or VIDEO CAMERAS which are
activated to receive barely-perceptible pulsed light sources (usually infrared
or near infrared) which ALSO get translated from light-based PCM to microcode
using a hidden or embedded-into-another-app software converter application.
Turn OFF the lights in the room...or leave them on...and use a consumer
or pro-level camera to record any human-eye imperceptible light pulses
from infrared to ultraviolet. Use Video Sample frame rates from 25 to 10000
frames per second and also low to high SHUTTER SPEEDS (from 1/25 to 1/2000th
of a second) and all major shutter speeds in between.

Bet you two bits the MAGIC frequency is 30, 60 or 120 hz for North America
and 25, 50 or 100 Hz for Europe...to account for PULSED light ballasts in
fluro or LED lighting which is used as the transmitter!

----

Some newer computers systems have stickers on chips or actually
EMBEDDED on the SURFACE of the various motherboard chips or as
part of the motherboard copper tracings itself....OR..... embedded
somewhere inside or on the outside of the computer CASE/peripherals
a NEW TYPE of antennae called a FRACTAL ANTENNA which can receive
signals from MANY ranges of radio frequencies ranging from 100,000 HZ to
2/4 GHZ up to 30GHZ microwave or even Terahertz frequencies. These antennae
are fractal-patterns of copper or aluminum traces targeted towards a specific single
small range of RF/WiFi which can get signals from outside of a building or from a
nearby transmitter and then convert data pulses back into microcode which gets
run on your CPU or the embedded microchips on your motherboard or peripherals.

----

BUT THE ABSOLUTELY MOST SINISTER SECRET HIDDEN AREA ON COMPUTERS IS......

1.

2.

3.

....to be disclosed TOMORROW !!!!!!!!!

winofiend
reply to post by PhoenixOD

 

Nah, thats complete toss.

Speakers picking up wifi?

Nope....

The idea is speakers are putting out ultra sound that is then picked up by the microphone of another infected computer. Wifi doesn't come into it , its like an old modem.

I dont think its happening though if the speakers and mic were good enough it could be possible. But computer speakers and mics are just not that good. So IMO i dont think its real.

The new super wifi they are building all over is supposed to using uhf and vhf which allows the wifi to travel over longer distances and even through objects. Not sure how that could tie into anything though. But google does seem to building floating databases in all four corners of the US for Super wifi for Google Glasses to use. The government is now trying to stop them so there could be some thing there?

reply to post by StargateSG7


Well for a start ms-dos 7 is win95.

You'd want 6.22 for a true dos environment.

And you would be very hard pressed to find an ndis driver to talk to a modern nic that operates in a dos environment. Other than that, using debug to scan the memory would be good, if anyone here knew how to do it. Not sure there are many people who even know what debug was, or that you used to have to low loevel format a hard drive with it. but I could be wrong. I ususaly am.

still..

Why do all this hard work when it's as simple as "hey kids, install itunes!!"

Sounds good and stuff, that's for sure!!

reply to post by Zaphod58


But then it's a run of the mill manually spreading bit of malicious code. As long as I can recall if you had a floppy disk, you could spread a virus. The cookie virus used to be cute.

Same issue if you have to plug a usb in and it spreads that way. You have to be the carrier personally, or someone does.

I admit I only went off what was presented in the thread. I could have done better to read the information properly. but from the initial description, felt it would have been infuriating.

It just adds to the people who think the nsa are turning on microphones and able to connect to your pc and watch you and all that jazz.. in a very different reality to the one I exist in, where that happens. And I don't doubt they have that desire, but the practical application of it just falls short of how the real world works with it all. There are far too many clever people out there in the real world who would be on the ball to catch this sort of thing, either in action, in code, or in design.. and it just hasnt happened. Despite the few peices of literature that will have the facts say otherwise.

I really should learn more patience with this topic. it burns my guts. and I know I will lose focus and say things that would be wrong - has happened in the past to which I've happily admitted my error. but wow it is a hard job to remain mindful of the changes around me, while knowing some things are just crazy!!

oO