Skip to main content

Computers infected with badBIOS can "whisper" to each other in ultrasound

An advanced form of malware dubbed "badBIOS" has been using the speakers of infected computers to communicate between infected machines, repair itself and evade attempts to remove it, according to a report by security researcher Dragos Ruiu.

The malware apparently uses high-frequency sounds to allow corrupted computers to "whisper" to each other even when they are not connected over the Internet or a Bluetooth connection.

It achieves this, Ruiu claims, by infecting the Basic Input Output System (BIOS) of a computer, a fundamental piece of software stored on a small memory chip on the motherboard. Examples of such malware have been around for years. However, badBIOS appears to be operating-system independent, burrowing down into the lowest levels of a computer and infecting it from there. The use of ultrasonics to pass information is also an alarming development.

Ruiu, who is the organiser of the renowned CanSecWest and PacSec conferences, had his suspicions aroused when he discovered that badBIOS was somehow passing encrypted data packets between infected machines that he had purposefully disconnected from the network - even removing their Wi-Fi and Bluetooth cards. The communication allowed the malware to protect and repair itself when it was under attack.

This is significant because one of the first steps security experts will take when disinfecting a compromised machine is to create an "air-gap" – disconnecting the computer from the Internet and all other networks that could allow the virus to seep back in.

"We had an air-gapped computer that just had its BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said.

"At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

"The air-gapped machine is acting like it's connected to the Internet," Ruiu said. "It was weird."

Ruiu has taken sound recordings of the high-frequency noise passing between machines, and is currently analysing them.

The badBIOS rootkit has some other scary features. Just plugging an infected memory stick into a clean system will apparently infect that system. It also bricks the USB drives if you eject them unsafely, but brings them back to life when you plug them into an infected system. Infected computers seem to infect USB drives, and vice versa.

The extremely sophisticated nature of the malware has led to speculation about its origin. Some have questioned whether badBIOS is a state-sponsored virus that has found its way by accident onto the network of a renowned security researcher.

Other big names in the security world are cautious in their statements, as Ruiu's findings haven't yet been peer-reviewed. However, they certainly vouch for his credibility.

"Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest," said security researcher Arrigo Triulzi. "Nothing of what he describes is science fiction taken individually."

Indeed, early networking standards used high-frequency sounds to broadcast network packets, and ultrasonic-based Local Area Networks (LANs) have been the subject of a study by researchers at MIT. However, this is the first discovery of real-world malware actually using this technique.

Triulzi added, "we have not seen it in the wild ever."

When contacted by ITProPortal, Adrian Culley of Damballa Security said, "we've had 25 years of depending on anti-virus and firewalls for defence, and whilst these technologies will always be needed, its clear that as attack techniques become increasingly blended, we must develop blended defence techniques."

"We can no longer solely depend on 'scan and detect', 'fire and forget', 'patch and proceed' approaches," he told us. "The research illustrates the 'arms race' nature of cutting edge attacks."

However, others have dismissed Ruiu's claims out of hand. Security and BIOS expert Phillip Jaenke has described the claims as "hilarious", while conceding that "it is absolutely possible in theory."

Indeed, the outlandish nature of many of Ruiu's claims have led Ars Technica to describe the badBIOS investigation as akin to a "Bigfoot sighting".

It's still too early to tell whether Ruiu's original hypothesis stands up to scrutiny, but one thing's for sure: the malware threat is constantly evolving, and with inventive new ways of compromising machines, security may soon struggle to stay one step ahead of the game.

Image: Flickr (neonbubble)