It sounds like the stuff of security researchers’
nightmares, but a mysterious, indestructible strain of malware can
infect PCs, Macs and Linux machines – and even “jump” between machines
with power cables, Ethernet, Wi-Fi and Bluetooth pulled out. At least,
one researcher believes so.
The claims, made by researcher Dragos Ruiu, have invited
both alarm – and ridicule, with the rootkit compared to both MRSA and
the Loch Ness Monster.
For Ruiu, though, the threat is all too real. In an interview with Ars Technica, the
researcher claims that, infected machines could communicate with other
infected machines even when their power cords, Ethernet cables, Wi-Fi
cards and Bluetooth aerials were removed.
We had an air-gapped computer that just had its BIOS
reflashed, a fresh disk drive installed, and zero data on it, installed
from a Windows system CD,” “At one point, we were editing some of the components and
our registry editor got disabled. It was like: wait a minute, how can
that happen? How can the machine react and attack the software that
we’re using to attack it? This is an air-gapped machine and all of a
sudden the search function in the registry editor stopped working when
we were using it to search for their keys.”
Ruiu concluded that the machines “talked” via their speakers. Describing the malware as “the stuff of urban legend”, The Verge described Ruiu’s conclusion that the malware communicated at high frequency through computer speakers to “jump” air gaps as “the first stages of a larger attack.”
The idea that malware could communicate in this way is not
far-fetched in itself – earlier this year, We Live Security reported on
research from the University of Alabama at Birmingham, where sound was used as a “trigger”.
Researchers found signals could be sent from a distance of 55 feet
using “low-end PC speakers with minimal ampliļ¬cation and low-volume”,
the researchers said.
“We showed that these sensory channels can be used to send
short messages that may eventually be used to trigger a mass-signal
attack,” said Nitesh Saxena, Ph.D., of UAB. “While traditional
networking communication used to send such triggers can be detected
relatively easily, there does not seem to be a good way to detect such
covert channels currently.”
The researchers presented a paper titled “Sensing-Enabled
Channels for Hard-to-Detect Command and Control of Mobile Devices,” at
the 8th Association for Computing Machinery Symposium on Information,
Computer and Communications Security (ASIACCS) in Hangzhou, China.
Describing BadBIOS as “the Loch Ness Monster of malware”, The Register
said that some in the security community had raised a “quizzical
eyebrow” but that Ruiu would reveal more after the PacSec event in
Tokyo in two weeks time. “The security conference in Japan may bring
much-needed hard information to light on the Abominable malware. Ruiu
has suggested he is holding back on the details until patches for
software bugs exploited by BadBIOS are made available,” the site said.