Security researcher discovers badBIOS malware that jumps using microphone and speakers

Nov 01, 2013 by Bob Yirka weblog

(Phys.org) —Highly respected Canadian security expert Dragos Ruiu has been fighting, he claims, an unknown piece of malware that appears to run on Windows, Mac OS X, BSD and Linux, for approximately three years. After much research and effort, which he has been documenting in several online venues (mainly Twitter), he says he believes the malware spreads from memory sticks to computers and from computers back to memory sticks. He also says he has found evidence that machines which are already infected form small networks among themselves using high-frequency sound, emitted by one computer's speakers and picked up by another's microphone, and vice versa. Unfortunately, at this time Ruiu is the only person who appears to know about the malware, which he has dubbed badBIOS.

All of the things Ruiu has described have been seen before, just not all together. Stuxnet, for example, spread to its targets via memory sticks, and high-frequency sound has been used to carry data packets for years. What is troubling about badBIOS is that it is either infecting only Ruiu's machines, or it is infecting a lot of other machines that nobody knows about because of its stealth. If it is infecting other computers, what is it doing, and why?

Ruiu contends that badBIOS infects a computer's BIOS, so reformatting a hard drive will not remove it, nor will running any known commercial antivirus suite. He says that despite cleaning every piece of hardware he owns, the infections return. It all started around three years ago, he says, after he installed a fresh copy of Mac OS X on his MacBook Air: the machine's firmware updated itself without any action on his part, and afterwards it refused to boot from a CD-ROM. Over the following months, he reports, his other computers began behaving strangely as well, modifying their own firmware, occasionally deleting data and undoing changes to configuration information. What really worried him, though, was that a computer not connected to a network or the Internet became infected as well. That led him to discover that encrypted data packets were being exchanged between infected machines, even those not on a network. The only way to stop the traffic, he found, was to disconnect the microphones and speakers.

Ruiu's tale is a strange one indeed, and it raises several questions. The first is why he is the only one infected. Also, given the complexity of the malware, if it is real, it has almost certainly been created by an entity with a lot of money, most likely a government. If so, which one, and why? And if a group or a government went to so much trouble to create badBIOS, why use it against a single researcher, unless perhaps the purpose is to use him as a pawn to test how well it does whatever it has been designed to do?

User comments : 38

Eikka
2.3 / 5 (19) Nov 01, 2013
Sounds very implausible.

Computer speakers generally don't have the range to produce ultrasonic sounds, and it's highly unlikely the microphone can pick them up in the first place because the sampling rate or the sound chip limits the higher frequencies to about 15 kHz. You'd have to be nearly deaf to not notice two computers "tweeting" to each other.

From the strange vague symptoms of data corruption and networks not working, and disconnecting speakers to remedy the situation, it sounds like he's having an electrical fault of some kind - like a ground loop.

One option of course is schizophrenia.
MIBO
4.2 / 5 (5) Nov 01, 2013
You can't transfer a virus using audio unless you have SW pre-installed on the target machine listening to the microphone and de-modulating the data, verifying it and causing it to be executed in some manner. All functions that do not exist on any pre-configured machine.

So if the computer has an "Audio" virus that needs you to install a piece of SW before it can propagate, it's not a very clever virus at all. (Irish virus?)

I suggest if he really believes this he seek professional psychiatric help instead.
antialias_physorg
4.8 / 5 (4) Nov 01, 2013
You can't transfer a virus using audio unless you have SW pre-installed on the target machine

I think the headline is a bit misleading. It doesn't 'jump' using microphones and speakers. It merely uses these to talk to other machines which are already infected.
You can't infect a machine via sound through a speaker, as you point out, since you can't enter executable data that way (and the article rightly makes no mention that you can)

You can create sound that is above (and below) the range of people's hearing using speakers which are available in most machines. So the networking part is entirely possible.
Tektrix
4 / 5 (4) Nov 01, 2013
If this is an acoustically transmitted signal, it should be easy enough to capture on an oscilloscope. With a good trace in hand, one could reverse-engineer the protocol.
antialias_physorg
5 / 5 (1) Nov 01, 2013
If this is an acoustically transmitted signal, it should be easy enough to capture on an oscilloscope. With a good trace in hand, one could reverse-engineer the protocol.


Why make it artificially hard on yourself? If you know it's running you can just look at the running processes and find the corresponding executable on your computer - or read out the BIOS if it's in there.
Eikka
1.3 / 5 (12) Nov 01, 2013
You can create sound that is above (and below) the range of people's hearing using speakers which are available in most machines.


Not really. For starters, if your sound codec samples at 44.1 kHz, the highest frequency you can technically output is about 22 kHz, but such a sound will be attenuated and distorted too much by the analog parts of the system to be of any use. Computer audio is no hi-fi. You're not getting any infrasounds or ultrasounds out of an iMac built in speakers.

And picking it up with a typical computer microphone is difficult for the same reason: the microphones are actually pretty crappy and limited in their frequency response.

If this is an acoustically transmitted signal, it should be easy enough to capture on an oscilloscope. With a good trace in hand, one could reverse-engineer the protocol.


No need to. To make it through with any sort of reliability, it would have to be clearly audible and very loud.
antialias_physorg
5 / 5 (1) Nov 01, 2013
Depending on the protocol you use that's not really a problem. 22 kHz is way above the hearing of adults (who are for the most part deaf to anything above 16-18 kHz). And there's no reason for massive data transfer volumes.

There's also no reason why you can't use your own codec if you already are putting malware on the system to use even higher frequencies (personally I'd go for very low frequencies. The data rate would be crap, but the range would be much better).
Eikka
1.6 / 5 (13) Nov 01, 2013
22kHz is way above the hearing of adults


It's also way above what you can pick up with the computer's built-in microphone, assuming that your speakers can generate the sound in the first place.

There's also no reason why you can't use your own codec


The chipset's audio processor won't understand it. The integrated sound chips aren't programmable. You can feed them higher sample rates, but the DAC will sample it down anyways.

(personally I'd go for very low frequencies. The data rate would be crap, but the range would be much better).


Most computer speakers won't go much below 100 Hz and you'd really have to pump the volume up because the efficiency goes way down.
Eikka
1.7 / 5 (15) Nov 01, 2013
Here for example is someone's measurement on a Macbook Pro's speakers: http://www.gearsl...bp15.jpg

The response is down -40 dB at 20 kHz. The frequency range at -12 dB would be something like 300 Hz to 17 kHz.

There's also the problem that high frequency sounds are highly directional and easily absorbed, so picking them up without a direct line of sight between the speaker and the microphone is doubly difficult.
bluehigh
1.1 / 5 (13) Nov 01, 2013
Perhaps a transmitted burst of 10 kHz for, say, 10 milliseconds. Well within the speakers', microphone's and processing system's capability. Transfer several bytes. Inaudible. Or the time between bursts could be the data. If the associated receiving sound device driver accesses the BIOS (e.g. an interrupt for port address setup) then you have a possible comms system. Hardly likely to be seen on a scope unless you know in advance what to look for, or you enjoy watching grass grow. Not visible as a process because it's not one. No data stored or it would be detectable. So why bother?
Eikka
1.3 / 5 (13) Nov 01, 2013
Perhaps a transmitted burst of 10 kHz for, say, 10 milliseconds.


It would sound like a click.

All in all, very unreliable and very Heath-Robinson way to communicate. What if the person simply turned the volume down, or muted the microphone?
megmaltese
1.2 / 5 (14) Nov 01, 2013
Is Ruiu an egocentric prick?
antialias_physorg
3.9 / 5 (7) Nov 01, 2013
Well, for shits and giggles I just set up two laptops in adjoining rooms (no line of sight, though an open doorway, about 6 meters total distance ). Using Audacity on both:
- One played a loop of a 'dog whistle' wav that peaks at 19 kHz (quite inaudible), modulated with a distinct pattern of silent parts to simulate a signal.
- The second laptop was set to record

Frequency analysis of the received signal showed a distinct peak at the 19kHz mark and the 'signal patches' were also easily visible after cutting out any frequencies below 15kHz (forgot to turn off the TV).

So I'd say a small network using this type of tech should be feasible. Certainly not for long distance communication, but for keeping traffic from showing up on the infected network it should do.

I can't say what kind of data rate one would get, but for 10 minutes effort the results speak for themselves.
Cave_Man
1.1 / 5 (13) Nov 01, 2013
Well, for shits and giggles I just set up two laptops in adjoining rooms (no line of sight, though an open doorway, about 6 meters total distance ). Using Audacity on both:
- One played a loop of a 'dog whistle' wav that peaks at 19 kHz (quite inaudible), modulated with a distinct pattern of silent parts to simulate a signal.
- The second laptop was set to record

Frequency analysis of the received signal showed a distinct peak at the 19kHz mark and the 'signal patches' were also easily visible after cutting out any frequencies below 15kHz (forgot to turn off the TV).

So I'd say a small network using this type of tech should be feasible. Certainly not for long distance communication, but for keeping traffic from showing up on the infected network it should do.

I can't say what kind of data rate one would get, but for 10 minutes effort the results speak for themselves.

So much for inadequate technology. Sounds like the world is built by computers and they are firmly in control. ;D
Humpty
1 / 5 (13) Nov 01, 2013
Assuming the guy is an idiot who talks to bananas and hears the voice of mystical entities from outer space etc.

OR

He could be a fanciful yarn spinner, with a great sense of humor, who tells wonderful stories and keeps the world entertained .

But assuming he is neither though....

Look at all the tech to detect, transmit and record - everything...

You can bug a room by transmitting the induced EMF in a speaker magnet, moved by a person's voice... You can record conversations by the modulation of the reflected laser light from a window pane... Seeing people through walls with assorted means has been done.

The remote control of PC's, their cameras, mikes, is well known.

And while there are some real or apparent technical limitations with some hardware, in some machinery, etc., and there is also in some software with some hardware...

In my utter relative ignorance, I would not be inclined to discount the relative legitimacy of the claim or the process.
BendBob
1 / 5 (11) Nov 01, 2013
While working for a networking company - oh back in the mid/late 90's - the company was working on a triple redundant network signal which traveled along the electrical wires in the building. The printers and inter-office networking, etc. were communicating via those wires.

So, would it be possible to have a computer power off, yet remain plugged into the wall and become infected at the bios level?
Code_Warrior
5 / 5 (1) Nov 01, 2013
While working for a networking company - oh back in the mid/late 90's - the company was working on a triple redundant network signal which traveled along the electrical wires in the building. The printers and inter-office networking, etc. were communicating via those wires.

So, would it be possible to have a computer power off, yet remain plugged into the wall and become infected at the bios level?

Only if the PCs were equipped with that type of NIC, and only if the security settings on the system allowed for an attacker to wake up the PC from hibernation via the NIC and run a BIOS Firmware update executable with the proper privileges. Is it possible? Yes, but only with properly equipped PCs and incompetently set up security.
Code_Warrior
not rated yet Nov 02, 2013
I have no doubt that a short range networking signal could be used for communication between PCs, but a previously uninfected PC couldn't become infected without human intervention such as plugging in a memory stick with autorun.inf enabled, or, if autorun is disabled for USB hard drives but is enabled for CD ROM drives, a stick with a modified U3 implementation for which the U3Launcher program is infected and is autorun from the U3 CD ROM drive emulation (U3 sticks show up as 2 devices: A CD-ROM and a USB Memory stick).

I have no doubt that once a BIOS is infected, you wouldn't be able to get rid of the infection without physically removing the BIOS chips and re-programming them on an EEPROM programmer, since the BIOS is invariably required to interact with the update program on the PC and an infected BIOS would be likely to co-opt the updater to re-install itself.
smsilaphet
1 / 5 (10) Nov 02, 2013
It's NOT a lie. This is serious. The military or government, even the town, is using frequency modulators to modify sound waves. The doctors who test your ears for frequency are possibly using you to terrorize you. My parents had computers all their lives and I grew up with technology. This is serious, it's a troll. They're hiding from you and trolling/terrorizing you. I noticed this since age 4... I am 22 years old now.
smsilaphet
1 / 5 (11) Nov 02, 2013
I think it's the electricity company terrorizing, modulating your computer somehow with electricity or electromagnetic pulse waves. My hard drive talks to me, the fans are modulating. I think there's someone reading my mind..must be why my hair is so poofy...glad to know I'm not the only crazy one out here.
Osiris1
1 / 5 (10) Nov 02, 2013
Given the lack of quality of most computer microphones, I would doubt the transmissability of logical signals via any sound waves that had any common 'pooter grade'......b-a-a-a-a-d mikes in the loop.
Eikka
1 / 5 (9) Nov 02, 2013
Frequency analysis of the received signal showed a distinct peak at the 19kHz mark and the 'signal patches' were also easily visible after cutting out any frequencies below 15kHz (forgot to turn off the TV).


Interesting. What sort of laptops did you have?

And how much processing power was needed to glean the information out of the waveform? One would imagine that a computer doing high-fidelity Fourier transforms in real time would show up as interesting CPU usage.
Humpty
1 / 5 (11) Nov 02, 2013
I don't know... but something tells me this is totally feasible.

Transmitting in binary...

inducing an EMF into the circuits.... that syncs with the BUS traffic....

Hmmmmmmmmm

MIBO
5 / 5 (1) Nov 02, 2013
Eikka, I've written many FFT applications on a PC, in C++, Matlab and Labview. Code I run regularly, performing a 480-point FFT without zero padding (which is not optimum for performance) on complex data sampled at 38.5 kHz, barely even shows up on the CPU load monitor.
x86 architecture has instruction set extensions that are designed specifically to optimize FFT performance, since it is such an important algorithm.
antialias_physorg
5 / 5 (2) Nov 02, 2013
Interesting. What sort of laptops did you have?

One is an Acer Aspire and the other is a Toshiba Netbook (both quite ancient but serviceable).
Audacity (a freeware audio tool) has a frequency analysis function which is pretty much instant on both (and especially the netbook is seriously underpowered but did the calculations so fast I couldn't time it.). But for the communication itself frequency analysis/FFT isn't needed at all - that was just to show that the signal actually got there (as I couldn't tell from just listening to the received signal played back...19kHz is outside my hearing range)

I did crank the volume on the Acer (sender) to max and also the microphone amplification on the Toshiba. But since the signal is inaudible there's no reason to play it quiet.
Tom_Andersen
1 / 5 (10) Nov 02, 2013
His Macbook air won't boot from a CD-ROM? Did he try the floppy drive - it should work fine. http://i.imgur.com/Ei37Eb1.jpg
bluehigh
1 / 5 (10) Nov 03, 2013
Antialias seems to have shown by experiment (well done dude) that its possible regardless of limitations.

Now I wonder if my TV or Radio might be sending commands to my home computers.

* looks suspiciously at TV and switches it off *
Eikka
1 / 5 (5) Nov 03, 2013
But for the communication itself frequency analysis/FFT isn't needed at all


But how then will you process the transmission?
meerling
1 / 5 (3) Nov 03, 2013
Lot of B.S. here. Viruses and other Malware aren't magic pixies.
The common computer does NOT have the software to process received sound into executable code, not even by an overflow error. So it doesn't matter if another computer is broadcasting itself via sound. It would be possible for already infected computers to network via sound, but there's no purpose to that, they are already infected.
The code and methods of infecting each platform (O.S., etc.) differs. Last time I checked, there was no multiplatform infector in existence. MS Office worms aren't multiplatform, their platform is MS Office Basic, not the O.S. of the computer.
BIOS infectors are even more difficult, as each different BIOS is essentially a different platform. On top of that, there is very little room in a BIOS for an infector.
Also, each capability you add to an infector increases its size. The one he claims to have found would need its own freaking disk to install. (Slight exaggeration)
He's lost it.
antialias_physorg
5 / 5 (2) Nov 03, 2013
But how then will you process the transmission?

At the simplest level you can use amplitude modulation. That requires no Fourier transformation to encode/decode. And for a low data volume network that is perfectly sufficient.

If you wish to hide any significant load spikes you can always go from processing the data packets on the fly to storing them and processing them at a slower rate. As long as there are no time critical aspects to such a network (and I don't see why there should be) that's perfectly doable.

The common computer does NOT have the software to process received sound into executable code

The article makes no mention that it does. It says infection occurs via memory sticks. The infected computers THEN communicate via sound.

each different BIOS is essentially a different platform

Computers in an office environment (the juiciest targets) are likely of the same make with the same OS and BIOS.
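The two-laptop test antialias_physorg describes above, and the later exchange with Eikka and MIBO about whether an amplitude-modulated tone can be decoded without a Fourier transform and without a visible CPU spike, can be put into working code. The Python simulation below is an added example for this page; it is not code from the article, from Dragos Ruiu or from any commenter, and nothing in it is derived from badBIOS. A transmitter on-off-keys a 19 kHz carrier at 100 bit/s; a constructed room model attenuates it by 14 dB and adds a loud 1 kHz "TV" tone plus broadband noise; the receiver recovers the bytes with a Goertzel detector, which measures the energy in a single frequency bin in one pass over each block (O(N), no full FFT). The 44.1 kHz sample rate, the 19 kHz carrier, the 100 baud rate, the preamble pattern, the 18.5 kHz reference bin and the channel parameters are all assumptions chosen for the simulation. The last function is the check a defender would run over a microphone capture: energy at the suspected carrier compared with a quiet neighbouring bin.

```python
"""Near-ultrasonic on-off-keyed (OOK) audio link, simulated end to end.
Added example with constructed parameters; not badBIOS and not anyone's measured data."""
import math
import random

SAMPLE_RATE = 44_100                   # Hz: the consumer codec rate cited in the thread
CARRIER_HZ = 19_000                    # tone near the 19 kHz 'dog whistle' in the test
BAUD = 100                             # bits per second; deliberately slow
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD  # 441 samples = exactly 190 carrier cycles
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]    # constructed sync pattern
REFERENCE_HZ = 18_500                  # quiet neighbouring bin used by the detector


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(payload):
    """Transmitter: a 1 bit is a burst of carrier, a 0 bit is silence."""
    bits = PREAMBLE + bytes_to_bits(payload)
    samples = []
    for index, bit in enumerate(bits):
        for k in range(SAMPLES_PER_BIT):
            t = (index * SAMPLES_PER_BIT + k) / SAMPLE_RATE
            samples.append(bit * math.sin(2 * math.pi * CARRIER_HZ * t))
    return samples


def channel(samples, attenuation=0.2, noise=0.3, seed=1):
    """Constructed room model: about 14 dB of path loss, a loud 1 kHz audible
    tone (the TV left on in the experiment) and uniform broadband noise."""
    rng = random.Random(seed)
    out = []
    for n, x in enumerate(samples):
        t = n / SAMPLE_RATE
        tv = 0.5 * math.sin(2 * math.pi * 1_000 * t)
        out.append(attenuation * x + tv + rng.uniform(-noise, noise))
    return out


def goertzel_power(block, freq_hz):
    """Energy in one DFT bin via the Goertzel recurrence: a second-order
    filter run once over the block, so no full FFT is required."""
    n = len(block)
    k = int(0.5 + n * freq_hz / SAMPLE_RATE)      # nearest bin index
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def bit_blocks(samples):
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        yield samples[i:i + SAMPLES_PER_BIT]


def demodulate(samples):
    """Receiver: carrier energy per bit period, a threshold 6 dB below the
    strongest bit, then lock on the preamble and unpack the payload."""
    powers = [goertzel_power(block, CARRIER_HZ) for block in bit_blocks(samples)]
    if not powers:
        return b""
    threshold = max(powers) / 4.0
    bits = [1 if p > threshold else 0 for p in powers]
    for start in range(len(bits) - len(PREAMBLE) + 1):
        if bits[start:start + len(PREAMBLE)] == PREAMBLE:
            return bits_to_bytes(bits[start + len(PREAMBLE):])
    return b""


def narrowband_ratio(samples, freq_hz=CARRIER_HZ, reference_hz=REFERENCE_HZ):
    """Defender's check over a microphone capture: energy at the suspected
    carrier divided by energy at a nearby reference bin. A quiet room gives
    a ratio near 1; a keyed carrier pushes it far above."""
    sig = ref = 0.0
    for block in bit_blocks(samples):
        sig += goertzel_power(block, freq_hz)
        ref += goertzel_power(block, reference_hz)
    return sig / ref if ref > 0 else float("inf")


def demo(payload=b"badBIOS"):
    """Send the payload through the simulated room and return what the receiver decodes."""
    return demodulate(channel(modulate(payload)))


if __name__ == "__main__":
    print(demo())
    print(round(narrowband_ratio(channel(modulate(b"badBIOS"))), 1))
    print(round(narrowband_ratio(channel([0.0] * (40 * SAMPLES_PER_BIT))), 2))
```

Both bins fall on an integer number of cycles per 441-sample block (190 and 185), so the Goertzel sums see no leakage from the 1 kHz tone, and the work per bit is one short loop rather than a full spectrum, which is the point MIBO makes about CPU load. A real receiver would also need sample-level timing recovery, which the simulation sidesteps by starting every block on a bit boundary. Whether a particular laptop's speaker and microphone pass 19 kHz at all is the separate hardware question Eikka raises with the frequency-response plot, and nothing here settles it.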
cmn
1 / 5 (4) Nov 04, 2013
The title is a bit misleading, as it appears the malware communicates with sound, not "jumps."

Given the nature of this, and that it doesn't seem like a wide-spread attack, I wonder if he wasn't specifically targeted by a government for some purpose? Maybe a government wanted some software or exploits he was working on? Maybe there's some other interesting aspect of his life or work? Maybe he just pissed off the wrong people? Ruiu is the developer of the Pwn2Own competition, which is specifically geared towards hacking. It's not unfathomable a government might want to investigate him.

The FBI/CIA/NSA, for example, are known to write malware for specific targets. BadBIOS sounds like more of a 'foothold' to be used in conjunction with other kits, not so much the entire malware itself. Maybe once they got in they designed different flavors of "badBIOS" specific to his infrastructure in order to maintain control, knowing that he could/would rebuild his computers regularly.
Eikka
1 / 5 (5) Nov 04, 2013
At the simplest level you can use an amplitude modulation. That requires no fourier transformation to enconde/decode.


But you still have to isolate the signal of interest from all the other noise, which requires bandpass filtering, which requires transforming the signal from time domain to frequency domain.

The infected computers THEN communicate via sound.


The article specifically implies that the computer got infected via the microphone:

What really worried him though was that a computer not connected to a network, or the Internet became infected as well.(...)The only way to stop them, he found, was disconnecting the microphones and speakers.
cmn
1 / 5 (3) Nov 04, 2013
From the wiki below, it appears Ruiu is directly linked with Zero Day Initiative (ZDI), which is "widely known within the security industry for their program which purchases zeroday vulnerabilities, reports them to the affected vendor and then turns them into signatures for their network intrusion detection system, thereby increasing its effectiveness."

If I were a (foreign) government with unlimited resources for this sort of thing and wanted some new exploits or wanted to make sure my infrastructure was secure, I might stick my nose in Ruiu's networks too.

http://en.wikiped.../Pwn2Own
cmn
1 / 5 (3) Nov 04, 2013
The article specifically implies that the computer got infected via the microphone


The article is written to sensationalize the software, or the author is just stupid. ;) Read about it elsewhere on the net, where things are explained better.
bhiestand
not rated yet Nov 05, 2013
The cocky and uninformed replies to this article are a great example of why I don't read physorg that often these days.

"I'm no expert, but I read about viruses on Steve Gibson's site and this article makes no sense... so one of the world's most respected experts in the field must be wrong! DERP!"

Ruiu might be wrong, but don't trust anyone who confidently tells you this stuff is technically impossible. We've been talking about these vectors for at least a decade, and it's all very doable given the resources. Complex, but doable.
Kieseyhow
not rated yet Dec 14, 2013
A competent Assembly programmer can infect the PCI, LAN, optical drive, or the mainboard BIOS. The space requirements for audio processing are minimal; research the code used on Voyager 1. The audio network is like lowering a guy over the wall who opens doors and windows so you can have better access for the soldiers through other means (LAN, Wifi, etc). This is just a system to open ports and buffer commands, not a method for primary communications. You lock a port, it opens it again. You enable updates, it disables them, etc. Command protocols are extremely efficient in Robotics. A 1980's 200 baud process would be MORE than enough. Robotics engineers could accomplish this EASILY.
megmaltese
not rated yet Dec 15, 2013
Wow so many 1 starred comments.
There seem to be a huge amount of little kids here, or retarded adults.
You shouldn't even be allowed to read about science, your place is on the fields, gathering vegetables.
megmaltese
not rated yet Dec 15, 2013
All those 1 starred comments... really, grow up dudes.