It sounds like the stuff of security researchers’ nightmares, but a mysterious, indestructible strain of malware can infect PCs, Macs and Linux machines – and even “jump” between machines with power cables, Ethernet, Wi-Fi and Bluetooth pulled out. At least, one researcher believes so.
The claims, made by researcher Dragos Ruiu, have invited both alarm – and ridicule, with the rootkit compared to both MRSA and the Loch Ness Monster.
For Ruiu, though, the threat is all too real – in an interview with Ars Technica, the researcher claims that, infected machines could communicate with other infected machines even when their power cords, Ethernet cables, Wi-Fi cards and Bluetooth aerials were removed.
The ability to leap over “air gaps” – a term for when an infected machine is isolated from the network – is only one of BadBIOS’s superpowers, Ruiu claims. He has battled the malware with his team for three years – and found it near-impossible to destroy, he claims.
“”We had an air-gapped computer that just had its BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” the researcher said in an interview with Ars Tehnica.
“At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”
Ruiu concluded that the machines “talked” via their speakers. Describing the malware as “the stuff of urban legend”, The Verge described Ruiu’s conclusion that the malware communicated at high frequency through computer speakers to “jump” air gaps as “the first stages of a larger attack.”
The idea that malware could communicate in this way is not far-fetched in itself – earlier this year, We Live Security reported on research from the University of Alabama at Birmingham, where sound was used as a “trigger”. Researchers found signals could be sent from a distance of 55 feet using “low-end PC speakers with minimal ampliﬁcation and low-volume”, the researchers said.
“We showed that these sensory channels can be used to send short messages that may eventually be used to trigger a mass-signal attack,” said Nitesh Saxena, Ph.D., of UAB. “While traditional networking communication used to send such triggers can be detected relatively easily, there does not seem to be a good way to detect such covert channels currently.”
The researchers presented a paper titled “Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices,” at the 8th Association for Computing Machinery Symposium on Information, Computer and Communications Security (ASIACCS) in Hangzhou, China.
Describing BadBIOS as “the Loch Ness Monster of malware”, The Register said that some in the security community had raised a “quizzical eyebrow” but that Ruiu would reveal more after the PacSec event in Tokyo in two weeks time. “The security conference in Japan may bring much-needed hard information to light on the Abominable malware. Ruiu has suggested he is holding back on the details until patches for software bugs exploited by BadBIOS are made available,” the site said.
Ruiu, though, in Ars Technica’s long and detailed piece, seems pessimistic. “This is the tip of the warhead,” he says.
Author Rob Waugh, We Live Security