index

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet’s next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

“We were like, ‘Okay, we’re totally owned,'” Ruiu told Ars. “‘We have to erase all our systems and start from scratch,’ which we did. It was a very painful exercise. I’ve been suspicious of stuff around here ever since.”

Triulzi said he’s seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built off of work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer’s peripheral component interconnect, the Intel-developed connection that attaches hardware devices to a CPU.

It’s also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.LL

Of course, it’s one thing for researchers in the lab to demonstrate viable firmware-infecting rootkits and ultra high-frequency networking techniques. But as Triulzi suggested, it’s another thing entirely to seamlessly fuse the two together and use the weapon in the real world against a seasoned security consultant. What’s more, use of a USB stick to infect an array of computer platforms at the BIOS level rivals the payload delivery system found in the state-sponsored Stuxnet worm unleashed to disrupt Iran’s nuclear program. And the reported ability of badBIOS to bridge airgaps also has parallels to Flame, another state-sponsored piece of malware that used Bluetooth radio signals to communicate with devices not connected to the Internet.

“Really, everything Dragos reports is something that’s easily within the capabilities of a lot of people,” said Graham, who is CEO of penetration testing firm Errata Security. “I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy.”

For you more technically-inclined folks, I suggest you read the full article…it’s a doozy.

Thanks to our Commenter Tim



  1. gmunni says:

    They are discussing this right now on “security now”, Leo is skeptical. EP.#429

    • Anony Mouse says:

      They already covered this on Tek Syndicate. (Google it, if you dare to use Google.)

  2. bobbo, the pragmatic existential evangelical anti-theist who once manuevered into office would rule like Machiavelli says:

    My router was down for a while and I rebooted my puter only to find a notice from Adobe Systems that an update was available and did I want to install it? I wondered how this was possible given the system status, so I clicked “ok”. 5 Seconds later I got a notice the update could not be installed…I forget the reason why but it was not stated it was because I was off the internet.

    Our computers….. lie. Not very artificial intelligence if you ask me.

    • Anony Mouse says:

      Please don’t show your idiocy like that.

      Anyone who uses Adobe products like Reader, Flash or even one of their editors is clearly an IDIOT! Probably not stupid by choice, but then ignorance is non selective when we become complacent.

      Quite simply, there are alternatives to Adobe. Things like implementation of HTML5 instead of Flash or even Firefox’s now built in ability to read PDF’s. But since those alternatives are not as easy to use the techno pawns like yourself don’t care to even know about them. In fact, it’s a good bet that all of the techno pawns out there have also bought into an even bigger lie — that Apple is immune from viruses. Just look at the sales!

      Of course, Apple virus immunity is total bullshit. But beliefs are hard things to refute even when there are overwhelming facts. And I’d even be willing to bet that this latest virus/worm/RK is being spread almost exclusively by those numbnut Apple owners who are probably oblivious to the horribly infected systems they themselves are running too.

      And since no one of any significance makes a descent virus scanner for Apple, things may have to get worse before they get better. Because admitting failure like that – that a belief is indeed wrong – might be too much for the Apple community to take. Sort of like Russian communism!

      Now, would you care to learn about the evils of Google?! Or have you also fell victim to that even bigger swill of stupidity? (Don’t take my word for it. If you’re brave, try checking it out on your own at, http://ddg.gg.)

      …And don’t even get me started on Java (not Java Script).

      • bobbo, the pragmatic existential evangelical anti-theist who once manuevered into office would rule like Machiavelli says:

        Excellent review. All conclusion and no analysis though.

        Totally missing/not addressing the point of my post. Did you notice that or was it just a trip wire?

        Lets test:

        …………………………Adobe…………………….

      • Tim says:

        I like *old* SumatraPDF. It clunks around just enough to pop open processexplorer so smooth as to permit one to make a copy of what just happened and forward it to an ObomaSCoare navigator.

      • sho off says:

        What’s the big deal?

        We now know every single bit and byte is archived by NSA.

        They should easily be able to thwart the foreign terrorists who make this crapware.

        I can’t wait for the lawsuit requiring NSA to provide exonerating evidence for someone that was falsely accused in a federal trial.

        Has anyone ever wondered why federal prosecutors have 95-99% conviction rate?

        They have inside info. They know you’re innocent they never bring it to the grand jury or indict you. You never find out why. NSA? Surely.

  3. Anony Mouse says:

    I told you so.

    UEFI is BAD!

    But then your fist clue should have been why why Microsoft and Apple have tried to push it onto everything we use while most of the Linux camps were bitterly complaining.

    Just why this “virus” didn’t happen sooner is the question I want answers to. Because it would seem like they were just waiting to let things settle down while we all got more comfortable with the idea of UEFI before they started “probing” our systems.

    Now, it seems that someone like the NSA or even AlQuaida has got in on the fun and has developed code to append to UEFI dependent devices (too). What’s more, they appear to be in the process of delivering it!

    And this whole turn of events almost has me looking for a Ethernet card for my old 8-bit Comodore 64.

  4. Tim says:

    Naturally, the guy is now getting ARS-consensused pegged as *stressed* but they, also, use the term ‘denier’ for people who think carbon taxes are odious. It’s sad, when the good ones crack like that — I think, he might have a bright future as a crisis actor, or something.

    From reader comments —

    “” Regardless of what happens, the security field just got murkier. If Ruiu is right – well, we are truly fucked. If he isn’t right – well, it’s a sign that the paranoia is starting to eat away at the people who we rely on for advice, and that we can’t even trust people who are on our side. Either which way, we all just lost.

    “”I also continue to believe that @dragosr is a respectable professional in my industry (infosec) and he isn’t deliberately hoaxing us.

    “”BUT the seed of doubt is being well-nurtured I’m afraid. Last night he tweeted that it appeared someone had tampered with his uploaded files and removed sections. He then deleted that tweet overnight. I don’t want to say it but I think the very paranoia that makes one a good infosec professional is wearing on him. I don’t want to see anyone being mean about it. It could happen to any of us and it WILL.

    I don’t NOT believe in badBIOS: I believe that at least part of it might be real. But I now really doubt that *all* of it is real.

    — a professional paranoid 🙁

    http://arstechnica.com/security/2013/11/researcher-skepticism-grows-over-badbios-malware-claims/

    And, Really. Goodin is probably playing the Faux News fair-and-balanced act for his life — What is a journalist to do?? Does anyone here really want to read about Dan Goodin’s flawless auto-performance of David Carradine on bigger dick pills?

  5. McCullough says:

    Think high tech acoustic coupler.

  6. BubbaMustafa says:

    “Three years ago, ” ????

    Talk about zero-day

  7. sargasso_c says:

    I’m not buying it.

  8. IM75 says:

    Me neither. It’s rubbish.

  9. MikeN says:

    This explains Dallas’s toadying.

  10. dcphill says:

    I think that I have just been tricked into beliving it’s April First.

  11. Mr Diesel says:

    It is clear that the guy infected his systems with a USB key and not some weird alien like virus spreading through the airwaves.

    It is also funny how some people on this blog pretend to know anything about computers, software and or security.

    Funny

    • Tim says:

      Oh, look. Someone has poured Gadolinium all over your keyboard. I wonder if that’s a good way to clean it?

    • deegee says:

      I designed computer hardware in the 80’s-90’s, I wrote microcontroller assembler for data acquisition systems and robotics, and even did some work with TI. Am also published. For the past two decades I have been an IT Pro and software programmer in the fields of server virtualization, and GIS/3D for film and games…

      Is that enough pretending for you Diesel? :-p

      The article is full of BS with enough sprinkling of bits to make people believe it “just might be” true.
      Not even a Picard Double-Facepalm is sufficient for this one.

      • Tim says:

        Perhaps. But I believe Goodin did a great job in bringing it into the conversation. People have been kicking these ideas around for awhile and it seems all the little sub-ideas have been shown to work, in concept?? If it can be thought up, it can be done, hmmm?

        I wonder who has budget, advanced technology, and manpower and has probably been doing such things as that for a very long time. I wonder if the on-board watch battery in combination with the bios (or UEFI, whatever) can make the onboard speaker ‘chirp’ under it’s own power?

        I’m sure there are plenty of unscrupulous IT guys out there, only most of which are forced to don cheap Ray Banz and uncomfortable shoes, doing their best Goldblum The Fly knuckle-balling imitation and thinking “Why didn’t I think of that? It. Can. Work!! Mhuuuhhaaa. {and it would have been all mine exept for those meddeling kids…}”

        And, sonic couplings aside, consider this —

        “”This combination of hardware from Intel enables vPro access ports which operate independently of normal user operations. These include out-of-band communications (communications that exist outside of the scope of anything the machine might be doing through an OS or hypervisor), monitoring and altering of incoming and outgoing network traffic. In short, it operates covertly and snoops and potentially manipulates data.

        http://tgdaily.com/hardware-opinion/39455-big-brother-potentially-exists-right-now-in-our-pcs-compliments-of-intels-vpr

        • deegee says:

          The majority of desktop and server motherboards no longer have an on-board POST-code speaker, even if they still have the header pins for one, they usually only have the audio IC.

          Portable devices like laptops, tablets, and phones have a variety of audio configurations, but they are all limited cheap designs with limited frequency response that will not produce ultra-sonics.

          The issue with attempting to send ultra-sonics over standard computer audio systems is three-fold:
          1. I would require both a microphone and speakers on the systems. External powered speakers would have to be on.
          2. The majority of the audio codec ICs use a DAC filter with a cutoff of 16kHz to 20kHz, so they cannot produce ultra-sonic frequencies.
          3. The driver (cone/diaphragm) frequency response is less than 20kHz, so they cannot produce ultra-sonic frequencies.
          Which means that the audio system and speakers cannot reproduce ultra-sonic frequencies. It would require special hardware connected to the device to achieve ultra-sonics.

          The next issue is, even if I had a modified laptop that could produce ultra-sonics and send a virus in that manner, so what?
          Any nearby laptop would require a microphone, AND modified hardware with an ADC whose filter was also >20kHz, AND already be infected by malware that overrode its default microphone ADC input management (ie. inject incoming data vs record as pcm wave).
          So it would be impossible to transfer malware in this manner from an infected system to a non-infected system unless I installed special hardware and pre-infected both of them.

          IF we assume that the manufacturers of computer systems are not secretly putting specific extra hardware and firmware/software into their systems in order to covertly attack, monitor, or control a consumer device, the only other method that malware programmers can use is finding exploits on existing firmware/software systems where they can inject code and force it to execute.

          But these types of malware are becoming very difficult to do with the current move into sandboxing, virtualization, etc., since “catching” malware on a virtual devices does not give it direct access to the underlying physical devices, so it cannot infect the host.

          For the past few years I do all of my Internet access through virtual machines, not only for significantly greater protection against malware, but also for the easy backup and restore, rollback, cloning, replication, etc.
          And I don’t own an iPhone etc.

          • Tim says:

            I certainly wouldn’t limit the possibility to what *high fidelity* above 20 kHz would entail — one may just as well call ~15 kHz *ultrasonic*.

            I can imagine other schemes to check for ‘on’/’off’ bits — imagine a sort of psuedo pink(white?) noise that sounds just like ordinary hiss and Johnson noise with lack of audio input but can certainly still be superimposed upon it. Now, if there were a time-based way to sync up when exactly to listen for the coded state then one may employ the whole frequency spectrum, but at around the noise floor in any given band, such that if it’s only polled a few milliseconds each second then we’re not going to hear it with our ears. Or perhaps listen for two tones or do phase-shift modulation with one of them — No one is talking high data rate, here. Just enough information to trigger a switch for the other machine to do something. Bad machine may have all day to whisper a few bytes to other bad machine at, say, 5 or 10 baud??

          • Tim says:

            “”if I had a modified laptop that could produce ultra-sonics…

            Ultrasonic Local Area Communication
            http://alumni.media.mit.edu/~wiz/ultracom.html

            “”the audio command packet is transmitted using a simple Frequency Shift Keying (FSK) modulation at some carrier frequency, where fc is the center frequency, fc+δf is the frequency for the transmission of a binary 1 , and fc-όf is the frequency for the transmission of a binary 0. The packet consists of a stream of binary digits sent using one of these two tones. The puφose of the various segments of the packet are as follows:

            Preamble – to allow the CADM to synchronize to the symbol centers of the binary data signal. The preamble is typically an alternating binary sequence, such as 1010101010.

            Frame Synch – to provide word alignment to the control, data, and parity portions of the command packet. The frame synch is typically a short binary sequence such as a Barker code, Lindner Sequence, Maury-Styles Sequence, etc. One suitable frame synch word consists of the binary sequence 0010 0000 0111 0101………………………………
            bla
            bla
            bla …………………………..

            http://google.com/patents/WO1997031437A1

            So. It’s not a matter of if this *technique* is practical but rather a question of if a sort of *McGuyver* may take off the shelf hardware and do these things to mess with grandma’s head allow one to have a home network through concrete walls or heavy radio pollution and such.

          • Tim says:

            and this seems outside the realm of ultrasonics — curiouser and curiouser.

            “”It uses communication via SDR (Sotftware Defined Radio) to bridge air gaps (computers out of the network). It works even if the wireless and Bluetooth cards are physically removed.

            http://securityartwork.es/2013/10/30/badbios-2/?lang=en {thx, Dummy Up}

      • Tim says:

        Some user comments shot at another debunker article —

        “”It is obvious that assuming this was real, most features would run on the OS level as a rootkit, with a tiny module in the BIOS used to re-infect clean operating systems (or possibly providing an hypervisor, I think something like that was also mentioned). It would certainly be possible to generate interceptable signals. There was a paper analyzing the sound emitted from some power regulating component on mainboards during RSA private key operations, and AFAIK they were able to at least distinguish which key from a certain set is being used. On many cheap notebooks, you can observe this yourself by simply listening very closely while applying different CPU loads (e.g. encryption, scrolling in a PDF file, …)

        If the mechanical vibrations caused by the varying load are strong enough to be audible to the human ear, I’m pretty sure you can use it to send signals to highly sensitive equipment designed to intercept such signals. You can transmit AM radio, receivable with a regular shortwave receiver, using just a CRT and a piece of software (google “tempest for ELIZA” if you don’t believe me – it works, I tried). TEMPEST is a problem by itself, so it certainly can become a bigger one if it is used intentionally.

        “”As for the acoustic data transfer, it seems that he may not be very far off in his analysis of that, I did a little searching and came across this http://www.disneyresearch.com/project/mobile-phone-arrays/ granted they are combining the data with audible sound so they could simply be modulating that, but what about the high frequencies, I know that the ‘cricket’ ring tones were popular with young kids because adult hearing had been sufficiently been diminished in the high end that most adults couldn’t hear them.

        http://rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/

  12. FN Magic says:

    We have met the enemy… and the enemy is feature-rich, complex technology hurried to the consumer marketplace to turn a quick buck.

    These ain’t toasters folks. We’re all Tyfoid Mary’s swapping binary spit at the speed of light. Kiss me.

    • CBI9000-rev 2 says:

      Ack ……………………………………………. RST ……………………………….

      cache poisoned
      error 601
      have a nice day
      stop
      end

      • Tim says:

        I hear ya, brother {stupid git}. Yea, they’re free; But, two packets exchanged and those stupid ObamaComputerBrainInterface implants make you feel like the guy with the gecko at a David Icke rally.

        If he hadn’t peeled off the mask to reveal a little tiny human face on the lizzard then he might still be amongst correctly-status’d welfare recipients today. <– {I have it on good authority that this statement's construct is never wrong. Then again, I've never been an outspoken supporter of logic-nazi fascism.}

  13. CrankyGeeksFan says:

    The ultrasound is NOT a vector for infection. It’s how the already infected computers communicate.

  14. deowll says:

    Any time I hear some computer expert tell me they run without using anti-malware because they know how to avoid infections I just want to laugh at them.

    • LibertyLover says:

      I don’t run any anti-mal ++++++++

      [stop]
      [overflow error 666]
      [reinit]
      [All your base are belong to us]

      WTF?!

    • Tim says:

      I would certainly not be an expert but I don’t run anti-malware until I’m pretty sure I’ve got malware.

      I have been bitten from time to time and have learned to at least find instructions for the various cleanup tools. Active malware scanners would not have saved me from one serious breach as that was due to my own ignorance and sharing nature {people of the future — it is probably not a good idea to set up as a ToR outlet node allowing everything through an unpatched machine}.

      That being said, I find the great advantage to not running it is our greater sensitivity to any variations in its now hyper-responsive state; That is, one *gets to know* their machine. But, as one can’t judge subtle changes in his vehicle performance with the stereo bumping so hard the headlights are modulating niether can one just instinctively pick up on something ‘amiss’ with his I-Cherry-2000 if the *normal* state is for it to be running off and doing only M$-knows-what all the time or non-stop making sensual drive crunching sounds everytime your back is turned or the lights are out.

      • Tim says:

        and I hate it when my Cherries break.

        http://youtube.com/watch?v=Y6KJtFZoflc

      • Dummy Up says:

        It’s pretty sad that most people associate the word “virus” when they really mean to say “trojan” or even “crapware.”

        That said, it would be my guess that your system is running 100-percent and that you believe there is nothing wrong with it.

        GOOD! That’s exactly what they want you to think.

        Please also don’t look up what a zombie system is because your picture just might pop up.

        • Tim says:

          Fast Zombie {screw those horn’d beasts of suck} – yaaaee?

        • Tim says:

          And, how would one know?? Oh, wait… You are waiting for some third-party protection racket to send you a ping.

      • MikeN says:

        I just buy three computers at a time, so when one goes down, I have a backup ready.

        • Tim says:

          But, if you leave them sitting on concrete too long then the memory discharges.

  15. Uncle Patso says:

    Kind of reminiscent of the Varley story “Press Enter■”.

  16. HUGSaLOT says:

    Asus makes motherboards that can flash it’s firmware with a USB stick into a special blue USB port that has a button next to it, and press the button.

    The PC doesn’t even need to be turned on, the motherboard doesn’t even need to have RAM nor a CPU installed. It just needs standby power from a PSU and you can flash it’s BIOS.


1

Bad Behavior has blocked 9421 access attempts in the last 7 days.