Bad Bios



tomi01uk
11-01-2013, 08:01 PM
Here is something that is just making the security tech rounds, it seems too extreme to be true but some big names are getting behind the researcher who is working on uncovering this:

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

Now.. I'm afraid this is true. I'm also afraid that what I may be seeing is a lesser implementation of this. It does not have to prevent the computer from being booted on a CD and its coding does not have to have all the implementations that he is seeing. There could be lesser variants.

Garuda
11-02-2013, 05:33 AM
Published on Halloween?

Doc
11-02-2013, 05:56 AM
That article is mind-blowing! It starts to sound like wild fiction at first then the details and explanations make it all plausible.

montalk
11-02-2013, 08:38 AM
I just tested the speakers of an older Sony laptop here. Using a spectrum analyzer on my iPod touch I can see a 20 kHz audio signal up to 6 feet away, and that's at low laptop volume (based on it being low when I ran it at 1 kHz). So it seems that two infected computers with speakers and mics may indeed be able to communicate this way. I don't think it can infect an uninfected computer though, since that would require the mic on and somehow already be turning audio signals into executable commands.

If this story is real, then it really sounds like someone is exploiting an NSA-like backdoor that's been baked into all computer hardware, which would explain why security researchers with non-classified knowledge would be baffled at where the infection is rooted exactly. If it's not real, then I wonder if maybe the author came across some black ops virus technology but wasn't allowed to expose it legally, so he created a fictional analogue to get the info out there anyway. No other sources, and the story being widely released on Halloween are some red flags though, and even the two week run up is no problem for hoaxers. I've seen plenty of hoaxes and viral marketing attempts with one or more year run ups.

tomi01uk
11-02-2013, 09:16 AM
If it's true it infects everything and could travel through the electricity circuit besides sound. There are some very weird things I'm seeing and can't find answers for. For instance.. when all of a sudden my printer drivers caused problems with my printer which is hard wired to my PC, I was attempting for hours to get a good reinstall that would work, and trying different driver sets from HP (notorious anyway for their crappy drivers) and with the printer removed from the PC, the USB cable out, at certain points of an install of the drivers the printer would react.. I sat here and tried to convince myself it was just coincidence until on another attempted install it happened again!

Other weird things.. when my mobile phone is plugged into the electrical plug for charging.. why do high pitched sounds occasionally come out of my computer speakers? ... or where are they coming from? I still can't tell.. electrical high pitched sounds now and then though and it seems to be related to the proximity and recharging of my mobile phone.

And then there is the more recent situation that keeps cropping up... broadband stops. I'm hard wired to the router and it's not the broadband coming in, rebooting the router doesn't get my PC back online, only disabling the network adapter and re-enabling it immediately fixes the problem.

Ok.... I have assumed this is due to a driver issue that came through a MS Update, and too trivial to try to remedy. I've also thought this could be because we had fiber optic rollout here and there is a cause for this stoppage somewhere in the data throughput and compatibility with network cards 5+ years old.. don't know. But it seems to be happening to others in London too.

I had a very bad virus hit my pc last year and it is called TDSS virus, among other names, but it creates a hidden partition on the hard drive, copies everything over from your system and lets you use the computer but owns your computer and only when you start to see blue screens and go through every hardware check possible and find you can not boot from CD and your MBR is completely hosed.... do you begin to get on top of it.... what a virus that was..

edit to add: the printer is an all in one and has a memory chip in it I think.

Neuru
11-02-2013, 01:11 PM
On topic of the badBIOS virus, if it's legit then yet another good reason to become a hermit. :) This looks like a relatively balanced article: http://nakedsecurity.sophos.com/2013/11/01/the-badbios-virus-that-jumps-airgaps-and-takes-over-your-firmware-whats-the-story/

---


If it's true it infects everything and could travel through the electricity circuit besides sound. There are some very weird things I'm seeing and can't find answers for. For instance.. when all of a sudden my printer drivers caused problems with my printer which is hard wired to my PC, I was attempting for hours to get a good reinstall that would work, and trying different driver sets from HP (notorious anyway for their crappy drivers) and with the printer removed from the PC, the USB cable out, at certain points of an install of the drivers the printer would react.. I sat here and tried to convince myself it was just coincidence until on another attempted install it happened again!

I've had a cheap HP all-in-one for some 7 years and if I leave it turned on and idle, it tends to move the scanner thingy or the paper conveyor thingies sometimes, whatever they're actually called. :) Maybe that is related to it detecting that the USB cable is unplugged or it moves these moving parts back to resting position if the printer stays idle for a set period of time. All layman speculation.


Other weird things.. when my mobile phone is plugged into the electrical plug for charging.. why do high pitched sounds occasionally come out of my computer speakers? ... or where are they coming from? I still can't tell.. electrical high pitched sounds now and then though and it seems to be related to the proximity and recharging of my mobile phone.
Some good answers for that here, basically lousy charger design:
- http://www.quora.com/Why-would-a-phone-charger-with-no-moving-parts-produce-an-incessant-high-pitch-sound-when-its-charging-a-phone
- http://en.wikipedia.org/wiki/Coil_noise

I can't comment on the network driver issue but if you want to restore the original one, you can try this: http://tinypic.com/r/2mx0c9i/5

tomi01uk
11-02-2013, 02:00 PM
Yes, I was reading that article too, thanks. But looking through his twitter feed is also very interesting.

It was at a significant point of driver removal (numerous removals were needed with uninstallers) both times, that the printer moved. I tried to put it up to coincidence also in my mind until this article came out.

The sound I hear is like a high pitched sound that comes through something but it seems like my speakers. Your articles say it is a hum and that becomes magnified though the speakers. It could be the answer to what I've heard.

I think I did a rollback with the network driver after I thought an update had replaced it, and that didn't seem to help. Or there wasn't a rollback available, it didn't help. Thanks for coming up with ideas here.

I think that there could be something to this, at least in lesser variations, and the electricity circuits have only been mentioned in passing but maybe should be considered as well as the sound waves? Depends I suppose at which layer this thing works its mojo... if it does.

tomi01uk
11-02-2013, 02:06 PM
A few years back a few of us here in London were seeing laptops that would just shut down. No blue screen, nothing. And this only happened when the clients got their machines back to where they were when it shutdown first. Never away from that area would they just shut down. It was a nightmare to figure out and it was something in their area that caused it through radio waves. Changing the wireless card driver resolved the problem.

tomi01uk
11-03-2013, 09:12 AM
Here's an update from my own PC with the network card problem. After getting all worked up following the thread and articles on badbios, I decided to run one more AV product on my machine and downloaded Sophos Virus Removal Tool.
At the point it found something my NIC did its usual routine of stopping its throughput and I had yet again to disable it and re-enable it. OK.. so now I know.
But... I'm a computer consultant, I use my PC hard with a lot coming in and out from clients etc. So.. I have run EVERYTHING!! AV wise on my pc to make sure it is clean, especially since I last rebuilt it 3 months ago.
I use AVG free, Malwarebytes and Spybot and use eSet for a confirmation scan. In between I have run AWCleaner, HitManPro and Hijack This etc.. etc..
Nothing picked this up yet before today..
And here is what it is:
http://webcache.googleusercontent.com/search?q=cache:QYlihXyiMAIJ:camas.comodo.com/cgi-bin/submit%3Ffile%3Dee0932894f40c4d6b4366a26acb72f5baf07864b78464ccfa12321cc624ae8d8+&cd=5&hl=en&ct=clnk&gl=uk

So.. That seems so far the solution to my NIC cutting out, but I would suggest everyone try Sophos AV just to be sure you don't have something in your system everything else isn't picking up.

calikid
11-03-2013, 12:59 PM
I read through the article on badbios.
For the sake of discussion, we can ignore the payload (ie does the virus steal personal info? crash systems? etc.), and focus on the transmission, replication, and storage of the virus.

Most of the common virus will infect other computers by:
a) Transmission through a NIC in binary form using the same TCP/IP communications protocol (bluetooth, etc, are alternatives) on both systems.
b) Store a local executable program copy on the newly infected system's hard drive, to be executed.

The badbios paper seems unique in that they report:
a) The NIC is bypassed, and some sort of audio transmission through an infected system's speakers is employed that is "overheard" by the target (soon to be infected) system's microphone and recorded by the system.
b) And the code is then stored, not on the hard drive, but within the EEPROM (http://en.wikipedia.org/wiki/EEPROM) BIOS chip of the system. In PC syntax, a cold boot would initiate execution of the code. Mainframe people call it an IML (initial microcode load) vs an IPL (initial program load). For most people, this would be when the memory is counting off, and BEFORE Windows (or whatever OS) begins the initial load/splash screen.

A few problems present with this scenario.
a) Firstly, a virus is a piece of code, ultimately broken down into binary. This code must be copied to the target system. In a usual infection, this occurs because both systems are running TCP/IP.
What type of communications protocol would work? Morse code?
What sort of protocol is employed that would allow a target system to receive an audio file without first implementing an audio/digital conversion driver?
One simple precaution, disable your mic.
b) Another problem, anyone who has "flashed" a systems BIOS with an update knows it is an intense process.
Any interruptions and the system becomes a paperweight.
How would this virus initiate such a process without being painfully obvious?
Takes a few minutes to run, must use a FLASH program, and every process I've used involves ERASING the entire PROM before launching write process.
I'm supposed to believe this virus can copy my entire BIOS binary, append itself, and then flash the EEPROM without my noticing?

IMHO, it seems far fetched.... :bleh:
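montalk's spectrum-analyzer test and calikid's question about what protocol two machines could possibly use over a speaker and a microphone both come down to the same thing: a pair of already-cooperating hosts can run an ordinary frequency-shift-keying modem over near-ultrasonic tones, but a host that is not already running the receiver hears nothing but noise. The following is an added example for this discussion, not code from the thread and not the badBIOS code the article describes; the 18/19 kHz carriers, 100 baud rate, alternating-bit preamble and the simulated "air" channel (leading silence plus white noise) are all assumptions chosen for illustration.

```python
import math
import random

# Added example: a minimal near-ultrasonic BFSK "modem", not code from the thread
# or from the badBIOS research. Carrier choice, baud rate and framing are assumptions.
SAMPLE_RATE = 44100
BAUD = 100                                   # symbols (bits) per second
SAMPLES_PER_SYMBOL = SAMPLE_RATE // BAUD     # 441 samples per bit
F_ZERO = 18000.0                             # tone for a 0 bit
F_ONE = 19000.0                              # tone for a 1 bit; both sit in exact Goertzel bins
PREAMBLE = [1, 0] * 8                        # alternating bits the receiver uses to find symbol boundaries


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(data, amplitude=0.5):
    """Sender side: preamble + payload bits, one tone per bit, continuous phase (no clicks)."""
    samples, phase = [], 0.0
    for bit in PREAMBLE + bytes_to_bits(data):
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_SYMBOL):
            samples.append(amplitude * math.sin(phase))
            phase += step
    return samples


def goertzel_power(window, freq):
    """Energy of one frequency in a window (what a spectrum analyzer app shows as a peak)."""
    k = int(0.5 + len(window) * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / len(window))
    s_prev = s_prev2 = 0.0
    for x in window:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def symbol_margin(window):
    """Positive when the window looks like a 1 bit, negative when it looks like a 0 bit."""
    return goertzel_power(window, F_ONE) - goertzel_power(window, F_ZERO)


def demodulate(samples, nbytes, sync_step=21):
    """Receiver side: locate the preamble, then decide each payload bit by tone energy."""
    nsym = len(PREAMBLE) + 8 * nbytes
    frame_len = nsym * SAMPLES_PER_SYMBOL
    best_offset, best_score = 0, float("-inf")
    # Coarse sync: slide the frame start and score how well the preamble pattern matches.
    for offset in range(0, len(samples) - frame_len + 1, sync_step):
        score = 0.0
        for i, expected in enumerate(PREAMBLE):
            start = offset + i * SAMPLES_PER_SYMBOL
            margin = symbol_margin(samples[start:start + SAMPLES_PER_SYMBOL])
            score += margin if expected else -margin
        if score > best_score:
            best_offset, best_score = offset, score
    bits = []
    for i in range(len(PREAMBLE), nsym):
        start = best_offset + i * SAMPLES_PER_SYMBOL
        bits.append(1 if symbol_margin(samples[start:start + SAMPLES_PER_SYMBOL]) > 0 else 0)
    return bits_to_bytes(bits)


def channel(samples, delay_samples=0, noise_std=0.0, seed=0):
    """Constructed stand-in for speaker -> air -> microphone: leading silence plus white noise."""
    rng = random.Random(seed)
    padded = [0.0] * delay_samples + list(samples) + [0.0] * SAMPLES_PER_SYMBOL
    return [x + rng.gauss(0.0, noise_std) for x in padded]


def bytes_per_minute():
    """Raw payload rate at this baud rate, ignoring framing overhead."""
    return BAUD * 60 // 8


if __name__ == "__main__":
    message = b"hello, airgap"
    received = channel(modulate(message), delay_samples=137, noise_std=0.2, seed=1)
    print(demodulate(received, len(message)), bytes_per_minute(), "bytes/min")
```

At 100 baud this carries 750 bytes a minute, the same order of magnitude as the "about 1k a minute" figure quoted later in the thread, and the receiver only works because it already knows the carriers, the symbol length and the preamble. That is the point about protocols: the audio path is a link between two compromised machines, not an infection vector for a clean one.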

calikid
11-03-2013, 01:09 PM
Here's an update from my own PC with the network card problem. After getting all worked up following the thread and articles on badbios, I decided to run one more AV product on my machine and downloaded Sophos Virus Removal Tool.
At the point it found something my NIC did its usual routine of stopping its throughput and I had yet again to disable it and re-enable it. OK.. so now I know.
But... I'm a computer consultant, I use my PC hard with a lot coming in and out from clients etc. So.. I have run EVERYTHING!! AV wise on my pc to make sure it is clean, especially since I last rebuilt it 3 months ago.
I use AVG free, Malwarebytes and Spybot and use eSet for a confirmation scan. In between I have run AWCleaner, HitManPro and Hijack This etc.. etc..
Nothing picked this up yet before today..
And here is what it is:
http://webcache.googleusercontent.com/search?q=cache:QYlihXyiMAIJ:camas.comodo.com/cgi-bin/submit%3Ffile%3Dee0932894f40c4d6b4366a26acb72f5baf07864b78464ccfa12321cc624ae8d8+&cd=5&hl=en&ct=clnk&gl=uk

So.. That seems so far the solution to my NIC cutting out, but I would suggest everyone try Sophos AV just to be sure you don't have something in your system everything else isn't picking up.

I'm trying to read your Malware analysis.
I see "Cleansweep" is highlighted, was that a problem program for you?
Sounds like you ran most of the current antimalware programs.
I have had some luck with SuperAntiSpyware, when others have failed.

What other AV programs did you run? McAfee? Symantec?
Or just the freeware AVG? Maybe AVAST would be a good freeware alternative?
I have not used Sophos before, will give it a look. Thanks for the recommendation.

tomi01uk
11-03-2013, 01:58 PM
No, I never would have cleansweep installed, I know it is malware because I remove this kind of thing all the time from clients' computers.

But the registry changes and the other descriptives that showed up in the Sophos scan were what I used to try to drill down to what this could be from Sophos' generic description of it.

All I know that makes me think everything else missed it was that the NIC cut out just as that threat showed up on the Sophos scan.

I have used all kinds of tools with this computer and that is just to make sure it's clean and to try out scanners that I will use for work with clients. Everyone, including me, was feeling quite confident at the end of cleaning out everything or as part of the process to use eSet's online scanner. It is very powerful but so far this Sophos found something that eSet didn't.

SuperAntiSpyware is great with its tools and the way it creates a sandbox for itself to run in and it can help break the back of something to allow you to get the system back to where you can then try to dig everything else out.

tomi01uk
11-03-2013, 02:15 PM
Hi Calikid, I just noticed your earlier post where you surmise it is far fetched.
Unfortunately it's not far fetched from the research I spent yesterday on it.

Here is what is going on: In 2005/2006 a "proof of purchase" was presented at the BlackHat Conference on just this kind of exploit:

http://www.blackhat.com/presentations/bh-dc-07/Heasman/Paper/bh-dc-07-Heasman-WP.pdf

With regard to the low frequency data transmission coming out of speakers and mic etc.. apparently they are finding out that by rigging this thing up (several working on it and reporting their findings through the twitter feed) they are transmitting about 1k a minute and around corners as well. Other articles described it would work the same as the old modems, even using leds could work in theory one article said.

Anyway, that paper (link above) describes how it can be exploited better than I can recall from my research on it, so I'm sure you will find it interesting.

What worries me is that the genie is out of the bottle now. Everyone is gonna jump on this but the paper above shows how it can be stopped, yet it takes a protective module to do it and that means a jump in OS architecture? I don't know..

What also worries me is that the electrical lines could be used as easily if not more so provided the computers are on the same electrical circuit? But extension cords will cause interference, at least they do with extenders when using them to increase a network range.

tomi01uk
11-03-2013, 03:24 PM
More updates on it:


Kyle Creyts ‏@hushedfeet 2 Nov (http://www.theoutpostforum.com/hushedfeet/status/396507017612759040) did anybody else think of this paper when they heard about the @dragosr (http://www.theoutpostforum.com/dragosr) #badbios (http://www.theoutpostforum.com/search?q=%23badbios&src=hash)? is it really a bios attack? http://www.stewin.org/papers/dimvap15-stewin.pdf … (http://t.co/oDxKYs9cZU)
Retweeted by dragosr (http://www.theoutpostforum.com/dragosr)

calikid
11-03-2013, 08:41 PM
I did read the article.
Seems BOTH systems were already infected, and only then was the audio networking issue noted.

So an uninfected system would not be vulnerable to an audio speaker to mic communication/transfer of the virus. As I said before, without protocols in place there is no way for them to talk.

Have to read more to see where they think the initial infection occured.
Maybe a more mundane method, like spammer attachments, etc.

He did also mention an obvious BIOS UPDATE occured on his Mac as well.
So the methodology, while unusual, was hardly undetectable... guess that's a point in Microsoft's favor. All Apples have a consistent BIOS. Microsoft runs on any number of different BIOS platforms. Harder for a virus to flash the correct info unless it knows in advance what the existing firmware is.
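The flip side of calikid's point is the check a practitioner actually runs when firmware tampering is suspected: read the SPI flash contents from a known-good state, read them again later, and compare. Any real modification has to change bytes somewhere, and an implant most often lands in the erased (0xFF) free space of the vendor image. The block below is an added example for this thread, not code from the forum or from the badBIOS research; it does not read hardware itself (that step needs a tool such as a vendor dump utility or a programmer) and the two 4 KiB images it compares are constructed stand-ins, not real firmware.

```python
import hashlib

# Added example, not code from the thread: compare a trusted baseline dump of a
# BIOS/SPI flash image with a later dump of the same part and classify every
# changed region. Both images below are constructed stand-ins, not real firmware.
PAD = 0xFF   # erased flash reads as 0xFF; unused space in a vendor image is usually left erased


def sha256_hex(image):
    """Whole-image digest; a quick first check before looking at regions."""
    return hashlib.sha256(image).hexdigest()


def diff_regions(baseline, current):
    """Return (start, end, kind) for each contiguous run of differing bytes.

    kind is 'filled-padding' when the baseline bytes were all erased (0xFF), meaning
    something was written into free space, and 'modified' when existing content changed.
    """
    if len(baseline) != len(current):
        raise ValueError("dumps differ in size; compare full images from the same part")
    regions, start = [], None
    for i in range(len(baseline) + 1):
        differs = i < len(baseline) and baseline[i] != current[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            kind = "filled-padding" if all(b == PAD for b in baseline[start:i]) else "modified"
            regions.append((start, i, kind))
            start = None
    return regions


def build_baseline():
    """Constructed 4 KiB image: pseudo-code region, erased padding, version trailer."""
    code = bytes((i * 37 + 11) & 0xFF for i in range(2048))
    padding = bytes([PAD]) * 1536
    trailer = b"VENDOR-BIOS-v1.02".ljust(512, b"\x00")
    return code + padding + trailer


def build_tampered(baseline):
    """Constructed 'after' image: 64 bytes dropped into erased space, 4 bytes patched in code."""
    image = bytearray(baseline)
    image[2048:2048 + 64] = bytes(range(64))
    image[0x10:0x14] = b"\xDE\xAD\xBE\xEF"
    return bytes(image)


def report(baseline, current):
    """Human-readable summary: digests plus one line per changed region."""
    lines = [
        f"baseline sha256: {sha256_hex(baseline)}",
        f"current  sha256: {sha256_hex(current)}",
    ]
    for start, end, kind in diff_regions(baseline, current):
        lines.append(f"  {kind:<15} 0x{start:06X}-0x{end:06X} ({end - start} bytes)")
    if len(lines) == 2:
        lines.append("  no differences")
    return "\n".join(lines)


if __name__ == "__main__":
    base = build_baseline()
    print(report(base, build_tampered(base)))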

calikid
12-16-2013, 02:44 PM
Looks like the NSA referenced this virus in their interview Sunday night on 60 minutes:



One threat highlighted during the "60 Minutes" visit was dubbed the BIOS Plot, a virus that would attack the firmware that activates the hardware and operating system. Debora Plunkett, who directs cyber defense for the NSA, warns that such an attack would effectively brick computers.

tomi01uk
01-15-2014, 12:50 PM
Ahhah... take a look at this new twist and turn:

N.S.A. Devises Radio Pathway Into Computers

http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?partner=rss&emc=rss&smid=tw-nytimesworld&_r=0

calikid
01-15-2014, 06:24 PM
Ahhah... take a look at this new twist and turn:

N.S.A. Devises Radio Pathway Into Computers

http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?partner=rss&emc=rss&smid=tw-nytimesworld&_r=0

Good reason to exercise physical security of your computer.
This method requires a person to physically install a device into your computer.
You may have noticed properly designed server rooms (MDF) do NOT have drop down ceilings, and DO have locked doors to provide security against such clandestine activities.

tomi01uk
01-15-2014, 06:50 PM
Yes, but it could already be in the printer or the chipset you buy... And then there is .... BAD BIOS ;)