Odd infection story

Discussion in 'Apple, Inc and Tech Industry' started by Sydde, Nov 7, 2013.

  1. Sydde macrumors 68020


    Aug 17, 2009
    From over at arstechnica, the "BadBios" virus allegedly gets into the firmware (BIOS or UEFI) and fights all attacks on it. Allegedly, from its deep seated position, it is able to prevent booting from the optical drive in order to restore the system.

    The story claims that the virus was found in MacBook Airs and communicated with other infected machines in order to maintain its resistance to countermeasures: when no other avenue of communication was available (wireless was disabled), the computers seemed to be communicating with ultrasonic signals through speakers and mics.

    This all seems to me to be rather questionable, the story seems riddled with logical and pendantical flaws. Should this be taken seriously?
  2. Intell macrumors P6


    Jan 24, 2010
  3. djtech42, Nov 9, 2013
    Last edited: Nov 9, 2013

    djtech42 macrumors 65816


    Jun 23, 2012
    West Chester, OH
    Virus prevents booting from optical drive on a computer that doesn't have an optical drive? Sounds legit.

    You just restore from the restore partition anyways. Ultrasonic signals? Really?

    Here are some comments on it:

    I don't know, sound card drivers are pretty complex, I really can't imagine a bios malware that can support many audio cards, and sound transmission is very low bandwidth and highly error prone...
    I still think it's a hoax...

    "It's also possible to use high-frequency sounds broadcast over speakers to send network packets. ". Highly doubtful as a standard audio speaker, especially a 50 cent PC speaker, has an frequency role off around 10-15Khz. At and above these frequencies the DB level drops like a rock, so these things are not sending (human) inaudible high frequencies that a 50 cent PC mic could pick up. To send at a DB level high enough for a cheap PC mic to pick up, it would be in the audible frequency range and one would hear it. More likely some source has been infected (CD, USB, etc.). What MIT might do with ultrasonic and highly specialized transducers is not the same thing as what a 50 cent consumer PC speaker and 1/4 watt PC amplifier can do. Period. A $10 mic, a PC sound card and shareware audio analyzer software is all that is need to prove this one way or another.

    From what I read so far I have to assume it is a hoax. In particular, I don't like how he simply states that he has seen data transmission without explaining how he has seen that. Does the OS report a network device in spite of him removing all network devices? If so, what kind of network device is shown? If not, how would he see that data is exchanged? Simply saying that "I removed all network devices and it sill transmits data" is lacking too much technical details. We also need an independent review (somebody who is able to reproduce the problems).
    Here are the key points as I see them:
    * Ultrasound communication:
    Seem to be theoretically possible but probably extremely low bandwidth, could be done in audible sound hidden as noise. Nobody claims the infection happens through sound, only that infected machines can communicate. It is unclear how he saw data being exchanged. Wouldn't he need to see some network device? And if so, what kind of network device was shown? Or how else does he know data was exchanged? What is the observed bandwidth?
    * BIOS reflashed
    The BIOS will check hardware extensions (e.g. PCI cards) for additional drivers to load. So it's possible the malware hides in other places and still gets loaded on system start-up.
    * Drivers for diverse hardware
    The malware could download custom modules for a specific infected machine. So while the module installed in the BIOS (or some BIOS extension) might not have enough space to hold a multitude of different soundcard drivers, it is possible that the malware downloads a specific module for the given infected system.
    * 404 from infected machines on web sites discussion reflashing of flash disk controllers
    If this is indeed the case, it should be possible to compare the exact request sent by the infected machine and compare it to a similar but clean machine to see the differences to find out how the server could identify infected machines (would be extremely useful). Or is it the infected OS that intercepts access to these sites? And if so, how does it identify hosts to censor?
  4. roadbloc macrumors G3


    Aug 24, 2009
  5. needfx macrumors 68040


    Aug 10, 2010
    macrumors apparently
    how about via usb thumb drives?
  6. Sydde thread starter macrumors 68020


    Aug 17, 2009
    Well, 13" Airs have a SDXC slot, I imagine you could format a SD card and boot from that just as easily as from a thumb drive. But the story makes no mention of alternative booting except from a "CD", which sounds to me like unforgivably lazy use of language.

Share This Page