
Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

lxskllr

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

http://arstechnica.com/security/201...erious-mac-and-pc-malware-that-jumps-airgaps/

Pretty interesting stuff. It's gonna be a problem when the government's finished using it, and it gets to the toolkits of ordinary crackers.
 
That's quite a terrifying article.

It's certainly possible. The trouble is that we've got only one guy working on it, and no real independent corroboration of what he's found.

A virus with an integrated audio modem to create ad hoc wireless networks is an astonishing find. If I'd thought I'd found something similar, fedex would be delivering a measurement microphone and spectrum analyser to my door by 9am next day, and the recordings would be going out to any interested party as soon as I had them.

The virus can survive total HDD secure erase and BIOS reflash by infecting the firmware on the audio controller DSP. That's one of the claims the researcher makes on his facebook page. That's so extraordinary, it's bordering on absurd. Possible. But, so far out, that I can't help but be skeptical.

USB sticks that subvert a BIOS on insertion, regardless of OS, and the infection is carried by reflashing the firmware on the USB stick drive controller. Holy smokes. Possible, perhaps. Again, if I really thought I'd found something like that, I'd be buying the protocol analyser first and posting on facebook afterwards.

If this thing is real, then stuxnet looks like a script kiddie's toy. I just hope that this guy is mistaken and is misinterpreting what he's seen.
 
But the author, much, much lower down in the article is saying something about a Halloween joke. (saying that it is NOT one, but in a way which can make you think it IS one).

This makes me suspicious.

It's Halloween (very recently), a VERY difficult to accept story, on the internet, and there is NO corroboration by anyone else.

So it MUST be 100% true!
 
:shrugs: Dunno. If it's a hoax, he's playing the long con. Dragos has been working on it a few years now. I agree it would be nice to see some peer review, but it's an interesting story in any case, and the complexity's in line with a tool like Stuxnet.
 
Even if it is a hoax (it probably is), there is the information leaking out about how phenomenally extensive the American spy rings have been, e.g. German Chancellor Angela Merkel's cellphone being spied on by the US, despite it being a special secure cellphone.

So many things and worries are now coming out, such as that the RDRAND function of Intel processors (Ivy Bridge and later) may have been compromised by the NSA, so that various security capabilities of modern PCs are badly compromised.
It's a real can of worms, and even wild stories like this one, "could" turn out to be at least partly true.

Anyway, I need to switch off the internet now, disconnect all speakers and power leads, put my "tin hat" on, and climb back into my nuclear/chemical/anti-EMP/anti-ultrasonics underground safety chamber.
 
It's certainly possible to communicate via audio from one computer to another, but the payload and complexity would have to be a huge program, not anything that could be the size of a simple BIOS.

As an example, I used to decode pager transmissions. This is just decoding audio from a scanner tuned to the pager frequencies. That program was over a MB in size. A BIOS chip doesn't have that amount of space to hold the BIOS plus a virus. Actually, now that I think of it, it could be possible if it was BIOS specific.
 
I'll hold my interest until we hear word from the other researchers who picked up laptops for analysis. If it's real, I bet China is behind it.

"I've surrendered up a couple of my laptops. We had somebody fly in from New York and pick some up yesterday," he told Ars on Tuesday, declining to identify them by name. "They're going to have some smart guys force some eyes on it. We'll get some peer review and find out if I'm completely losing it or if we found something significant." Then, he paused for a moment and added: "By the way, I still don't think I'm losing it."
 
Interesting. Good comments to the article also. It's all beyond me, so I can only read and marvel, but I'd love to know what Dragos is dealing with one way or the other. I'm assuming it isn't just a troll, so what is it?

I have seen some pretty crazy things in my 10 years in IT, everything from PBX hacking to wild, wild stuff on USB sticks that people find in parking lots or get infected at offsite locations. The level of hacking going on is horrifically enormous. There are so many invisible backdoors that it's not even funny. Careful about your next washing machine!

http://www.geek.com/apps/chinese-ap...with-malware-distributing-wifi-chips-1575315/
 
There is a big problem with transmitting anything from one computer to another using high frequency sound: microphones are designed to filter out any frequencies not needed, and that means anything above 20 kHz or so.

Also, these signals would be very easy to detect, wouldn't they? Make sure the room is quiet, and use a microphone designed to capture high frequency sound and a high sample rate, and press record. Open the resulting recording in any sample editing program. Any signal would be extremely obvious.
 
It now appears that he must be trolling. He posted some 700 pictures (like camera pictures) of procmon, and a video. There was nothing unusual in any of it. He claims he has to do this because the malware will remove its listing in procmon in screenshots and will remove itself from logfiles, but ironically will not hide itself from the user viewing it.. or something.
 
Source? I haven't seen any of these pictures or video. (edit: nevermind...I see them on Dragos's Google+ page.)

I wouldn't necessarily jump to the conclusion that he's "trolling". Dragos is a fairly prominent and respected person in the Info Sec community. That being said, it remains to be seen if any third party is able to corroborate his claims. Some level of paranoia goes hand in hand with people that do Info Sec... add that natural and necessary paranoia to some technical expertise to imagine how you would go about creating something like badBIOS (theoretically, anyway), add in a little mental health episode, and the outcome may be what we're all publicly witnessing. I don't think Dragos is being intentionally malicious or deceitful... but I think he may be very mistaken and letting his own mind get the better of him.

He's still got a lot of support from some other industry experts.
 
Not to mention you'd not be infecting another machine this way, only communicating with a pre-infected machine. Unless there's some kind of crazy buffer overflow type exploit in some common audio decoder drivers which allows you to ping certain sounds at a mic and have it start executing code in memory, that's some sci-fi shit right there.

What are the modern sizes of BIOS and UEFI these days? I know that a lot have images inside them, stuff like mouse control and more advanced software, it wouldn't surprise me if modern BIOS chips are actually high enough capacity to contain viruses.

As for this whole debacle, who knows, hoax or just the paranoid ramblings of someone losing it, either way it doesn't seem to be backed by any decent evidence as of yet.
 
I know the BIOS for a MOBO I want to buy, a Gigabyte board is 6 MB. But how do you customize a particular BIOS to tailor to the malware's characteristics? This would have to be a custom BIOS hack.
 
On Covert Acoustical Mesh Networks in Air (RE: Bad Bios)

"Abstract-Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the near ultrasonic frequency range.

We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via nearfield audio communications. Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities."

Index Terms-malware, network covert channels, wireless mesh networks, ultrasonic communication

Cite: Michael Hanspach and Michael Goetz, "On Covert Acoustical Mesh Networks in Air," Journal of Communications, vol. 8, no. 11, pp. 758-767, 2013. doi: 10.12720/jcm.8.11.758-767

Volume 8, No. 11, November 2013

http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf
http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600
http://www.jocm.us/index.php?m=content&c=index&a=lists&catid=124

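The two technical points raised in the thread, the "record it with a good microphone and look" check and the paper's near-ultrasonic channel with its lowpass-filter countermeasure, can be tried end to end in a small simulation. What follows is an added example written for this page; it is not code from the thread, from Dragos Ruiu, or from the Hanspach and Goetz paper. The sample rate (48 kHz), the two FSK tones (18.4 kHz and 19.6 kHz), the 200 baud symbol rate, the white room-noise model, the constructed "benign audio" stand-in, and the 16 kHz FIR cutoff are all assumptions chosen for the example. It is pure Python so it runs without numpy or scipy.

```python
"""Toy near-ultrasonic 2-FSK link, a band-energy detector and a lowpass countermeasure.

Added example for this thread, not code from Ruiu or from Hanspach & Goetz.
All parameters below (48 kHz sound card, 18.4/19.6 kHz tones, 200 baud,
white room noise, 16 kHz FIR cutoff) are assumptions made for the example.
"""
import math
import random

FS = 48_000                  # sample rate of the simulated sound card (assumed)
F0, F1 = 18_400, 19_600      # FSK tones for bit 0 / bit 1, near-ultrasonic (assumed)
BAUD = 200                   # symbols per second (assumed)
SPS = FS // BAUD             # 240 samples per symbol: both tones sit exactly on a 200 Hz bin
HIGH_BINS = range(17_000, 20_001, 200)   # detector: near-ultrasonic band
LOW_BINS = range(400, 3_401, 200)        # detector: speech band used as the reference


def bytes_to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def fsk_modulate(data, amplitude=0.3):
    """Continuous-phase 2-FSK: one tone per bit, SPS samples per bit."""
    out, phase = [], 0.0
    for bit in bytes_to_bits(data):
        step = 2 * math.pi * (F1 if bit else F0) / FS
        for _ in range(SPS):
            out.append(amplitude * math.sin(phase))
            phase += step
    return out


def goertzel_power(frame, freq_hz):
    """Power of a single frequency in a frame (one-bin DFT via the Goertzel recurrence)."""
    coeff = 2 * math.cos(2 * math.pi * freq_hz / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def fsk_demodulate(samples, nbytes):
    """Non-coherent demodulation: per symbol, pick whichever tone carries more power."""
    bits = []
    for i in range(nbytes * 8):
        frame = samples[i * SPS:(i + 1) * SPS]
        bits.append(1 if goertzel_power(frame, F1) > goertzel_power(frame, F0) else 0)
    return bits_to_bytes(bits)


def bit_error_rate(sent, received):
    return sum(a != b for a, b in zip(bytes_to_bits(sent), bytes_to_bits(received))) / (8 * len(sent))


def add_room_noise(samples, sigma=0.05, seed=1):
    """Constructed channel model: additive white Gaussian noise from the room and the mic."""
    rng = random.Random(seed)
    return [x + rng.gauss(0, sigma) for x in samples]


def ultrasonic_frame_fraction(samples, ratio=10.0):
    """The thread's "record it and look" check, automated: fraction of SPS-sized frames whose
    17-20 kHz power exceeds `ratio` times the speech-band power."""
    flagged = frames = 0
    for i in range(0, len(samples) - SPS + 1, SPS):
        frame = samples[i:i + SPS]
        high = sum(goertzel_power(frame, f) for f in HIGH_BINS)
        low = sum(goertzel_power(frame, f) for f in LOW_BINS)
        frames += 1
        flagged += high > ratio * low
    return flagged / frames


def lowpass_fir(samples, cutoff_hz, taps=151):
    """Hamming-windowed sinc FIR lowpass (roughly 53 dB stopband), group delay compensated.
    Stands in for the paper's proposed lowpass filtering in the audio path."""
    m = taps - 1
    fc = cutoff_hz / FS
    h = []
    for n in range(taps):
        x = n - m / 2
        sinc = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        h.append(sinc * (0.54 - 0.46 * math.cos(2 * math.pi * n / m)))
    gain = sum(h)
    h = [c / gain for c in h]
    half, n = m // 2, len(samples)
    out = []
    for i in range(n):
        acc = 0.0
        for j, c in enumerate(h):
            k = i + half - j          # centre the kernel on sample i
            if 0 <= k < n:
                acc += c * samples[k]
        out.append(acc)
    return out


def benign_audio(nsamples, seed=2):
    """Constructed stand-in for ordinary room audio: three speech-band tones plus noise."""
    rng = random.Random(seed)
    return [sum(0.2 * math.sin(2 * math.pi * f * i / FS) for f in (1000, 2000, 3000))
            + rng.gauss(0, 0.05) for i in range(nsamples)]


def simulate(payload=b"passw0rd"):
    tx = fsk_modulate(payload)
    rx = add_room_noise(tx)                                   # speaker -> room -> mic, unfiltered
    filtered_rx = add_room_noise(lowpass_fir(tx, 16_000))     # output path lowpassed, then the room
    return {
        "decoded": fsk_demodulate(rx, len(payload)),
        "detector_covert": ultrasonic_frame_fraction(rx),
        "detector_benign": ultrasonic_frame_fraction(benign_audio(len(tx))),
        "ber_after_lowpass": bit_error_rate(payload, fsk_demodulate(filtered_rx, len(payload))),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Over the unfiltered channel the 8-byte payload decodes cleanly and every 5 ms frame trips the band-energy detector, while the constructed speech-band audio trips none of them, which is the thread's point that such a signal is trivially visible to anyone who records it. With the transmitter's output lowpassed at 16 kHz before the room adds noise, the tones fall some 50 dB below the noise floor and the receiver's decisions degrade to coin flips. Note that filtering only at the receiver, ahead of the ADC, preserves in-band SNR for a narrowband demodulator; the countermeasure works by removing the energy before noise is added, or by blocking the output path.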
 
I don't think anyone was questioning the validity of computer to computer communications with audio, similar (if not the same) technologies have been demonstrated before. The interest in badBIOS stems from the suggested infection and propagation vectors, as well as having the capability to exploit varying BIOSs at will.
 
I was in a private meeting with some of the biggest tech companies. By 2035 they are projecting that a computer/sim can replace even Doctors/Lawyers/Engineers.
 
"We adapt the communication system to implement covert and stealthy communications by utilizing the near ultrasonic frequency range."

Not that stealthy. Again, this would be extremely easy to detect with a microphone and Audacity.
 