
Hear that? It's the sound of BadBIOS wannabe chatting over air gaps

LANs-free prototype mimics notorious rootkit


Computer scientists have brewed up prototype malware that's capable of communicating across air gaps using inaudible sounds.

The mesh network capable of covertly communicating without wireless or wired connections was developed by Michael Hanspach and Michael Goetz. It borrows its founding principles from established systems for robust underwater communication.

In the system, communications could be maintained over multiple hops for purposes including managing malware-infected machines, as the abstract of a paper for a recent edition of the Journal of Communications explains. The researchers go on to outline possible countermeasures against such fiendish malware, including shielding systems from exposure to high frequency sounds.

Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilises audio modulation/demodulation to exchange data between the computing systems over the air medium.

The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilising the near ultrasonic frequency range.

We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via near-field audio communications.

Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analysing audio input and output in order to detect any irregularities.

The two German researchers explain how their proof-of-concept malicious code can use a computer’s built-in sound card, speakers and microphone as sending and receiving devices to move information from one infected node to another in similarly compromised machines, providing bot systems are within 20 metres of each other.

They continue:

Two computers that are not connected to each other via established types of network interfaces (e.g. IEEE 802.3 Ethernet [2] or IEEE 802.11 WLAN [3]) or that are prohibited from communicating with each other over these established types of network interfaces are, nevertheless, able to communicate with each other by using their audio input and output devices (microphones and speakers).

A painfully slow speed of just 20 bps was achieved using the method, but it might nonetheless be workable for a keylogger, providing there's no external interference.

The possibility of malware that can communicate between air-gapped machines, or worse still, spread onto them, is a nightmare scenario for those in charge of otherwise well-designed ultra-secure networks (think some military systems, power plants etc.). Why? Because a "covert acoustical mesh network" wouldn't respond to any of the well-established security measures typically taken by organisations, and disabling the audio components is not always feasible.
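The abstract's host-based countermeasure, watching audio input and output for energy where none should be, as an added example that is not code from the paper or the article: a pure-Python monitor that uses the Goertzel algorithm to measure how much of a captured frame's power sits in the 17 to 22 kHz band and flags frames dominated by it. The 48 kHz sample rate, 0.1 s frame, probe grid and 0.5 threshold are my assumptions, and both test frames are constructed inline.

```python
import math
import random

SAMPLE_RATE = 48000                 # assumed sound-card sampling rate
FRAME = 4800                        # 0.1 s analysis window (10 Hz bin spacing)
ULTRA_LO, ULTRA_HI = 17000, 22000   # near-ultrasonic band the paper uses


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Power at a single frequency bin via the Goertzel recurrence (no numpy)."""
    n = len(samples)
    k = round(n * freq / rate)                 # nearest DFT bin to freq
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_power(samples, lo, hi, step=250, rate=SAMPLE_RATE):
    """Sum of Goertzel powers on a grid of probe frequencies in [lo, hi).
    A production detector would run a full FFT; the grid keeps this runnable."""
    return sum(goertzel_power(samples, f, rate) for f in range(lo, hi, step))


def ultrasonic_share(samples, rate=SAMPLE_RATE):
    """Fraction of probed power lying above the audible range."""
    ultra = band_power(samples, ULTRA_LO, ULTRA_HI, rate=rate)
    audible = band_power(samples, 100, ULTRA_LO, rate=rate)
    return ultra / (ultra + audible + 1e-12)


def is_suspicious(samples, threshold=0.5, rate=SAMPLE_RATE):
    """Flag a frame whose energy is mostly near-ultrasonic (assumed threshold)."""
    return ultrasonic_share(samples, rate) > threshold


def synth(freqs, amp=0.3, noise=0.01, n=FRAME, rate=SAMPLE_RATE, seed=0):
    """Constructed test frame: a sum of sine tones plus a little white noise."""
    rng = random.Random(seed)
    return [sum(amp * math.sin(2 * math.pi * f * i / rate) for f in freqs)
            + rng.uniform(-noise, noise) for i in range(n)]


# Constructed input: an ordinary audible frame, and a frame carrying a quiet
# 18.5 kHz carrier of the kind a near-ultrasonic modem would emit.
AUDIBLE_FRAME = synth([350, 1100])
ULTRASONIC_FRAME = synth([18500], amp=0.05)

if __name__ == "__main__":
    for name, frame in (("audible", AUDIBLE_FRAME), ("ultrasonic", ULTRASONIC_FRAME)):
        print(f"{name}: share={ultrasonic_share(frame):.4f} suspicious={is_suspicious(frame)}")
```

Feeding real microphone or playback buffers through `is_suspicious` frame by frame gives the "irregularity" alert the abstract describes; a low-pass filter in front of the sound card would push the share towards zero for every frame.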

The type of malware outlined by the researchers bears an uncanny resemblance to features of the BadBIOS malware said to have afflicted machines run by computer security researcher Dragos Ruiu.

Dubbed BadBIOS, the mysterious rootkit can supposedly jump over air gaps, screw with a number of different operating systems, and even survive motherboard firmware rewrites. Ruiu (AKA @dragosr) – who organises the popular annual Pwn2Own hacking contest at the CanSecWest conference – said he had come across the malware after it infected his computers, but nobody else has seen it. The Register asked Ruiu about his progress in looking into BadBIOS on Tuesday but has yet to hear back.

Adam Kujawa, a security researcher at antivirus firm MalwareBytes, reckons the research shows that it's possible for malware-infected machines to chat to each other across an air gap. But he's far from convinced any infection is possible via the method. He suggests it is far more practical to attempt to use an infected USB stick for a targeted attack against an air-gapped network, the presumed method the ultra-sophisticated Flame cyber-munition used to spread. Flame was reportedly cooked up under the same US-Israeli Operation Olympic Games programme that spawned Stuxnet.

"My theory is that this technology could be used to provide targeted malware a means of external communication for contact with a command and control server," Kujawa writes in a blog post. "The infected system would receive commands from the server and assuming that the initial infection on the covert system was via USB drive, perhaps the malware could store stolen data on the USB.

"That data would be sent out later once the USB is able to be plugged into an outward-facing system. This is similar to how Flame worked when extracting sensitive data from closed-off networks," he added. ®
