Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Ars: Cross-Platform Malware Communicates With Sound

Comments Filter:
  • by NeverWorker1 (1686452) on Thursday October 31, 2013 @04:44PM (#45294177)
    Explaining why the whole thing is probably a hoax.
    • At this time, I'm taking the whole thing with a handful of salt. It's not totally impossible, though.

      • by NeverWorker1 (1686452) on Thursday October 31, 2013 @04:59PM (#45294339)
        Besides the many, many stretches of the imagination required for his story (e.g., it infects the firmware on all major brands of USB drives, he never extracted a binary blob or sent the infected device to the manufacturer, the audio communication silliness, the fact that he apparently thinks infection could spread through the power cable, and so on...) the biggest issue to my mind is that if this is so communicable, why in all the time he's had it under observation has it never spread anywhere else? Also, why has he not shown it to a colleague. This is the sort of thing that goes over huge at conferences.
        • " Dragos Ruiu (@dragosr), the creator of the pwn2own contest"
          It would be odd for him to screw up his rep with a hoax like this.

          http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en [securityartwork.es]

          • by Anonymous Coward on Thursday October 31, 2013 @05:44PM (#45294831)

            Name one reason why he didn't send the BIOS or a copy thereof to be examined by the OEM....***after three years of not being able to fix this***.

            My next question would be: why did it take him so long to figure out that the USB might be the vector? But before you answer that question ask yourself this also: why hasn't he contacted the major USB drive manufacturers since this seems to be FAR more about a vulnerability at the USB controller level(far, far, far below control of the OS) that has been leveraged to then exploit writing a new firmware?

            If this is a USB hardware exploit then the rest of this is superficial but after 3 years, you'd figure that someone would have found another copy of this thing by now yet he's the only one. If he wasn't aware that it spread through USB for 3 years, the odds of him bringing an infected jump drive to a friend or colleague's computer where it would then spread even more are so high that I can't believe no one has asked these questions.

            IF it's a USB exploit, I'm fucking impressed but since he's played the "how many people can believe that I'm this stupid" card so many times in his "research" on this(I'm saying nothing of his other experience, mind you), I'd say it's likely a hoax of some sort.

            • by icebike (68054)

              If he wasn't aware that it spread through USB for 3 years, the odds of him bringing an infected jump drive to a friend or colleague's computer where it would then spread even more are so high that I can't believe no one has asked these questions.

              No doubt his friend or colleagues all have more smarts then to plug in some random jump drive.
              I seriously don't even trust these things myself any more. I hate it when someone sends me something on a flash drive.

          • " Dragos Ruiu (@dragosr), the creator of the pwn2own contest"
            It would be odd for him to screw up his rep with a hoax like this.

            http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en [securityartwork.es]

            Dunno, but in order for it to work, you'd need to park the infection on the airgapped machine in the first place.

            To top that off, good luck making such an arrangement work in a server room, where ambient noise would pretty much destroy any hope of receiving an audible signal...

            • by icebike (68054)

              Server rooms seldom have mics, most don't even have speakers.

        • by Tuidjy (321055) on Thursday October 31, 2013 @05:26PM (#45294631)

          I think many of the commentators both here and on Ars Technica are making a basic mistake. No one claims that the machine is infected through its microphones. Duh! How would it know to listen and interpret noise as instructions. The claim is that once infected, the machines communicate using their speakers and microphones.

          Is it possible? Sure. Do I consider it likely? No. It's one Hell of an effort for very little gain... in general. But we all have hobbies, so someone may have written a virus that infects through USB drives, overwrites BIOS, and resists the clean up of physically disconnected machines by communicating via sound.

          Do I believe this particular story? Hmm... no. Mostly because, despite the reputation of the author, the article makes it sounds that basic mistakes were made during the cleanup process, and because not enough information has been shared with the community.

          But if I was told the story is true, I could come with a great conspiracy theory to explain it. The author tries to keep all the fame for himself, the author is being threatened by the high tech agency that developed the strain but let it escape, the virus has alien origin...

          • by taustin (171655)

            It has not been my experience that computer speakers are capable of making sounds much outside the range of human hearing, nor computer micophones capable of picking such sounds up. Maybe he buys comptuers with extremely high end sound equipment, but I'm a bit skeptical that nobody noticed the audio.

            Maybe he sniffed a little too much of the magic smoke the virus let out.

            • A small laptop speaker can make very high frequency sounds. I don't know about microphones, maybe the same applies. A high-frequency sound has also the benefit of travelling long distances in air. However it might be that the speaker and microphone circuitry have some frequency filtering going on to make the signal nicer, which would defeat the idea. Other than that, communication between computers outside the hearing range is technically possible.
            • by Tuidjy (321055) on Thursday October 31, 2013 @06:51PM (#45295365)

              I just tested my PC's speakers / microphone... The power output is rock steady up to 15kHz, then falls to 75% by 20kHz, 50% by 30kHz, and about 10% by 40kHz. Then it stays that way to fiftish kHz, which is as far as my loop went.

              I could already not hear it by 14kHz... damn I'm old. Last time I did something like this, I was OK up to 17kHz, and back at the Institute I was fine at 19kHz.

              I think that no one hear 30 kHz, and you still get 50% power on my PC... which is nothing special. You can definitely get decent communication outside of hearing range.

          • by icebike (68054)

            I think many of the commentators both here and on Ars Technica are making a basic mistake. No one claims that the machine is infected through its microphones.

            Not many here are making that mistake. Several have already posted how silly it was for him to be plugging in thumb drives.

        • by ericloewe (2129490) on Thursday October 31, 2013 @05:30PM (#45294679)

          Assuming this is more than a hoax, here's a bit of devil's advocate:

          After the initial infection and subsequent cleaning (let's assume it survived somehow - hell, it might have been a compromised USB keyboard), the issue was forgotten for a while until the mentioned symptoms started appearing - since they seemed to be mostly inconveniences that often plague BIOS/UEFI (If I had a buck for each hour I've spent figuring out how to boot with drive X on system Y...) or could be atributed to more mundane causes, the investigation of these issues was considered not prioritary, as there were seemingly more important tasks to do.

          More recently, a connection was established that suggested it might be more than just random bad luck - this then took a while to investigate, especially because ruining hardware (desoldering the BIOS chip to extract its firmware) is typically the last resort when investigating something.

          Again, this is just speculation as to why this whole story took three years so far.

          And regarding the power cable: Powerline networking is commercially available and well-understood, as is transmitting data along with low-voltage DC (PoE). If you come to the conclusion that information is being exchanged after removing all network interfaces, it makes perfect sense to try (it's not exactly hard...) to unplug the laptop, to eliminate a potential hardware backdoor. Honestly, what I considered paranoia not too long ago is starting to look more likely every day...

          • Umm... powerline networking, are you referring to a method developed by power monitors, Inc, communicating data as the voltage crosses through zero, then disconnecting as the voltage spikes high?

          • And regarding the power cable: Powerline networking is commercially available and well-understood, as is transmitting data along with low-voltage DC (PoE).

            Yes, but you need special hardware to do it. I don't see any way to do this with commecial pc/laptop power supples without first hacking the hardware.

            I find the idea of using a computers' microphone and speaker as a kind of high frequency modem highly intriguing. I did read enough of TFA to see that once he physically removed the speaker and microphone from his computer the mystery network packets stopped. That's pretty strong evidence this is one of the attack vectors if it is indeed true. I don't know the

        • by icebike (68054)

          if this is so communicable, why in all the time he's had it under observation has it never spread anywhere else? Also, why has he not shown it to a colleague. This is the sort of thing that goes over huge at conferences.

          Because, he speculates, the the initial infection of a machine must be done via USB stick, and being the professional security researcher that he is, he nonchalantly plugs his USB sticks willy-nilly back and forth between his known infected machines and his brand new machines.

          A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it.

          This guy apparently has no concept of a clean room for virus research.

          I don't discount the ability to use sound for communication between infected machines, but clearly you have to be infected FIRST for that to work.
          (Not to mention hav

        • by Tom (822) on Thursday October 31, 2013 @08:56PM (#45296457) Homepage Journal

          As the article explains: To us in the security community, none of the individual pieces raise an eyebrow. We know USB is an infection vector. We know BIOS/UEFI can be compromised. We know that when it hits the firmware, extraction isn't as easy as a dd anymore. We know communication via power cable and audio is possible - the last shouldn't really surprise anyone as it's been just earlier this year that audio was discussed as an alternative to NFC, because it doesn't require new hardware (every smartphone already has speakers and microphones).

          And after Stuxnet and Flame, we know that some of the really advanced malware that we've been talking about at conferences is not only possible, but real.

          Still, finding all of this in one package is fascinating, and if it really is 3 years old, I don't want to know what the current version looks like.

      • At this time, I'm taking the whole thing with a handful of salt. It's not totally impossible, though.

        That is next month's article: "Cross-Platform Malware spread through common table salt"

        • by rubycodez (864176)

          I've seen her! I've seen that little minx with her yellow dress and using umbrella and rain for cover, with the canister of unspeakable evil under her arm spreading the infection everywhere.

      • by gandhi_2 (1108023) on Thursday October 31, 2013 @05:48PM (#45294859) Homepage

        I have a hard time believing that you could pack enough logic into bios that could anticipate and counter your actions in OSX, BSD, and Windows.

        Otherwise, this code must maintain a link to the outside world, relying on equipment that may or may not be anywhere near by, and then a human would have to monitor this machine and send commands back. That would take an insane level of commitment.

        If this was real, wouldn't every security researcher, hardware manufacturer, and government in the world be at this dude's lab to get in on the action?

        Communicating via sound or ultrasound from speakers to microphones. Possible. The rest of it... leaves me dubious.

    • Or EMI (Score:5, Interesting)

      by goombah99 (560566) on Thursday October 31, 2013 @04:57PM (#45294321)

      Back when I had an altair 8800 we used to play a teletype game called star trek. We kept a radio tuned off channel on in the room. When you fired a laser the code executed a fast loop that emitted EMI in a ramping frequency. the radio would make a phaser noise.

      IN Europe it was discovered that the most common brand of voting machine would emit EMI differently depending on whether the character in the displayed name had an umlat or not (special character set). SO you could tell who people voted for when one candidate had an umlat.

    • Article: "Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped."

      OK, so now you have a single action (eliminating acoustic duplex mechanism) and suddenly the data transmission ceases. That is pretty convincing that an 'entity' has wound up programming a system to manage/infect/reinfect computers near each other even when all I/O methods are turne

  • by bob_super (3391281) on Thursday October 31, 2013 @04:48PM (#45294227)

    I'm confused, you mean information can actually be conveyed via air vibrations?

  • Hoax (Score:4, Insightful)

    by Khyber (864651) <techkitsune@gmail.com> on Thursday October 31, 2013 @04:50PM (#45294237) Homepage Journal

    Sorry, that sort of acoustic coupling is bound to be loaded with errors. You might be lucky to get 16 BYTES per second, and even then, those speakers aren't powerful enough to transmit very far.

    Airgapped room? Those frequencies from laptop or regular internal computer speakers aren't going to make it past the walls.

    Give me a break, slashdot.

    • by Krishnoid (984597)
      Seriously -- I mean even his photo [arstechnica.com] is so obviously derivative [wikia.com].
    • Now tell me what acoustic modems transmitted at for POTS lines, even up to today.

      If you use higher & higher frequencies, your data rate goes up & UP!

    • by geekoid (135745)

      wow. simply... wow.
      16 BYTES(it could be much higher) could allow for a lot of data to exchange. Depending on the time.
      And it's exchanging information with another infected system.
      This is coming form an expert who runs pwn2own(Dragos Ruiu), so I would give it a little more thinking if I where you.

      http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en [securityartwork.es]

      • by Khyber (864651)

        I don't give blatant trolling any thought. Airgapped room? You're not bypassing walls at those frequencies, not with laptop speakers or internal computer speakers. Even if you had speakers powerful enough to get past that, you'd need a hellaciously sensitive microphone on the other side, and equally powerful speakers to transmit back if desired. Can we say feedback loop? Not only must the microphones deal with trying to pick up a faint noise through an airgap, they're also trying to ignore the noise of thei

    • by fred911 (83970)

      Amtor mode b is FEC running at 100 baud, transfers some 70 words a minute.

    • Re:Hoax (Score:5, Informative)

      by DdJ (10790) on Thursday October 31, 2013 @05:38PM (#45294761) Homepage Journal

      Sorry, that sort of acoustic coupling is bound to be loaded with errors. You might be lucky to get 16 BYTES per second, and even then, those speakers aren't powerful enough to transmit very far.

      You know that ultrasonics are precisely how a modern Furby communicates with its companion iPhone app? (There's even perl code implementing it so you can hack them.)

  • In Space (Score:4, Funny)

    by Anonymous Coward on Thursday October 31, 2013 @04:51PM (#45294255)

    Nobody can hear your infected computer's scream.

  • Giving the C64 Datasette as an example of reliable data transfer has to be the most ridiculous thing I have even read.

    LOAD
    PRESS PLAY ON TAPE
    ?LOAD ERROR
    READY.

    Was an all familiar message for C64 users. Hell I managed to type it from memory after 30 years.

  • Smells like BS (Score:3, Insightful)

    by Pope (17780) on Thursday October 31, 2013 @04:55PM (#45294293)

    I don't care how many tweets this guy's posted about, it doesn't pass the sniff test IMO.

    • by Tom (822)

      I know Dragos personally. He's not the guy to run an April Fools in October, and he's got too much reputation to lose to bullshit everyone for a few minutes of fame.

  • by Beavertank (1178717) on Thursday October 31, 2013 @04:56PM (#45294305)
    That is how one of the original iPods had their firmware dumped after all, it was played out through the little piezo click speaker at some absurdly low data rate.
  • by Tablizer (95088) on Thursday October 31, 2013 @04:59PM (#45294349) Homepage Journal

    This story is generating a lot of buzz.

  • E-x-t-e-r-m-i-n-a-t-e!

  • This assumes two airgapped computers, both with compromised BIOS capable of sending and receiving ultrasonic messages from hardware and the ability to infect USB drives.

    Therefore, it would be trivial to infect a new machine, and compare BIOS before and after.

    It would be further trivial to not only test with and without speakers, but with speaker with a bandpass filter applied.

  • Why would two computers infected with malware need to communicate this way? Couldn't they just use the net? Is this malware spread with thumb drives?
    • Read it and now it makes sense. Target computer is not connected to network. Target computer and bridge computer are infected. target and bridge send each other packets using sound. bridge sends packets over network to attacker.
      • by rickb928 (945187)

        Please, I'm as dumb as a blade of grass and I see why this explanation is hooey. Target is not connected to the network. What on the target got the audio network up and running? Magick? USB stick? That's sneakernet. Nothing? then the audio on the target isn't talking or listening.

        But I'm still trying to figure out where March went to...

        • Not hooey. The idea is that people transfer files with USB between the air gapped machine and network connected machines. You can get your malware on both by spreading the virus to USB drives. Using this technique the air gapped machine is connected to the network.
        • by suutar (1860506)
          since parent said that the target is already infected, one would guess that the virus got the audio network up and running.
    • by gmuslera (3436)
      What about hardware backdoor activation? There had been rumors of intel putting 3G radios in vPro cpus [softpedia.com], and there had been backdoors in FPGAs [erratasec.com]. There had been a nice presentation in DEFCON17 [youtube.com] around this topic.
  • by mbone (558574) on Thursday October 31, 2013 @05:11PM (#45294487)

    This will never happen if you are running your gear on the Lunar surface.

    Just saying...

  • Muting your microphone?
  • 1) it is impossible to contaminate a computer with sound. You would have to force the targeted non infected computer zto 1) open the micro channel 2) start saving the data in a format which 3) would be executable and 4) execute it and I probably forgot a few other improbable points. Most likely a computer was contaminated by other means, like USB sticks. Furthermore , ultra sound ? Frequencies around 20 KhZ ? I am doubting that in a normal room with air, and with other sound, those register properly. But I
  • Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

    This is as far as you need to read. Geez, Clearly this virus has infected the system and re-written power management subsystems to utilize the CMOS battery to provide enough juice, probably reprogramming an EEPROM on the I2C system to execute code and infect other systems.

    Wa

    • by asylumx (881307)

      Was this article written by a Hollywood screen writer? Who is going to star in this one... Willis? Bullock?

      Bollocks.

    • System was a laptop.

    • I was thinking the same thing...then I realized the author of the article probably just did a crappy job of making it clear that he was talking about laptops that had their power cords unplugged to rule out powerline networking and the like. I'm willing to give them the benefit of the doubt on that one, since claiming that an unpowered computer can receive signals from an infected machine is patently absurd.

    • by mythosaz (572040)

      Clearly this virus has infected the system and re-written power management subsystems to utilize the CMOS battery to provide enough juice, ...

      CLEARLY the article mentioned it was a laptop machine, with a laptop battery in it...

  • That sounds nuts, but it is a time-tested method of data transfer, after all.

    And it can be expected to be a handy way to bypass firewalls far into the future [schlockmercenary.com] as well. B-)

  • by Anonymous Coward on Thursday October 31, 2013 @06:45PM (#45295331)

    A staggering number of people commenting on this story seem to have failed to read and comprehend this article. There must be a few dozen comments stating that it's impossible to infect a machine with malware via audio. I can't find any mention of this happening in this article. The section that speaks of the communication via sound is referring to two previously infected machines. They are already infected, so now they communicate.

    I don't know if this is complete BS or not, but at least read and comprehend the article before pouncing on it and making yourself look like an idiot for not reading it.

  • by connor4312 (2608277) on Thursday October 31, 2013 @06:51PM (#45295371)
    It seems like the vast majority of people started flaming without reading the author's comment [arstechnica.com], so here it is:

    Dear Ars readers,

    As a journalist for more than 17 years, I have never written a spoof story for April Fool's Day or any other holiday. I certainly had no intention of doing so with this article. It's completely coincidental that this story ran today, on Halloween.

    The ninth paragraph of my article reads:

    Quote:
    "At times as I've reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw."


    Here and elsewhere in the post, I have tried to make clear that many of the details of this article sounded far-fetched to me. They still do. I have also tried to be transparent that no one has independently corroborated Ruiu's findings. That said, these same details have been publicly available for more than two weeks, and a large number of Ruiu's peers find them believable.

    I decided to resolve this conflict between my own skepticism and the reaction of Ruiu's fellow security researchers by reporting accurately what all of them said and making clear that so far no one has peer reviewed Ruiu's research process or findings.

    I have no doubt that researchers will pore over every laptop and USB drive Ruiu makes available and independently arrive at their own conclusions. I fully intend to report whatever they find. If they find no evidence to support Ruiu's account, Ars readers will be among the first to know.

    Regards,

    Dan Goodin

  • Read the article! (Score:5, Informative)

    by Egdiroh (1086111) on Thursday October 31, 2013 @09:44PM (#45296701)
    1) The assertion is that this malware infects as many bioses on the machine as it can. But a bios isn't big, so instead of containing code to directly infect the main OS, it contains code to setup a mesh network with it's peers to download the appropriate OS root kit.
    2) The air gap was on a laptop (with a battery) in a room with potentially infected machines.
    3) There never was a claim that a completely clean machine was infected over any method, just that a machine that had been the recipient of a lot of low level cleaning, and disabling managed to demonstrate a full re infection after spending enough timeout the proximity of other infected machines.

    None of things asserted here are particularly novel. Infections at all levels bios, aren't novel. Mesh networking, isn't novel. Acoustic networking isn't novel. The arrangement of them to maximize the effectiveness of them is the novel part. But also in retrospect is also pretty obvious. Rather then try to code for all the bios and OS combinations, and all the OS and device combinations, you code for all the bios and device combinations, and then code for all the OS choices in a one off.
  • by C R Johnson (141) on Friday November 01, 2013 @10:24AM (#45299995) Homepage

    Just about every sound card ( and everything else ) in the last ten years had been made in a factory in China. What is to stop the PLA from slipping just this kind of malware into a sound card chip? Maybe they can even activate and update using sounds from a television.

Machines certainly can solve problems, store information, correlate, and play games -- but not with pleasure. -- Leo Rosten

Working...