[ARS] Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps - Page 16 - Overclock.net

post #151 of 154 Old 11-04-2013, 08:43 AM, posted by Vagrant Storm
Quote:
Originally Posted by Hyolyn View Post

Bogus

Everything that is being reported is possible...well, it is questionable about the sound equipment working outside of normal human hearing. I was going to set up a demo of transmitting data by sound, but it is a very well documented procedure and before the days of proper networking it was actually used in many cases instead of a serial connection...and truth be told I just didn't have time.

However, I did test various frequencies to see if my speakers and mic could pick them up, since that is really the only thing I question at this point. I discovered there are many frequencies where, even if I get activity shown or heard on my speakers...the mic would not pick it up. This isn't high quality audio equipment, well, better than average or what you'd find built into most laptops I suppose. I just downloaded some high pitched wav files and used the dog whistle videos and such. I could not get my mic to show any activity at anything over 15,000 Hz. Note that I could still barely hear the sounds at 15,000 Hz, but the mic could not. My speakers did not seem to handle anything higher than 24,000 Hz correctly. I could hear it, and I doubt I have super hearing. I am guessing that in trying to play a sound they were not able to, they made a sound at a much lower frequency.

The only other bogus thing about this is that a computer security professional has been working on it for three years without discovering it. I find that hard to believe. It should be fairly easy to spot a process that is using the sound services...as it would have to use it. Unless it was somehow masking itself...but that is typically easy to spot because an oddball service will be running to do the masking. If it was originating in firmware or the BIOS it should be a simple process to dump what is there and compare it to what it should be...when dealing with kilobytes you can look at them block by block in a short time. I also think this whole thing was a waste of time. It is just another BIOS virus...and methods to prevent other BIOS viruses will probably work on this one as well.
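The mic and speaker frequency check described in the post above, as an added example that is not part of the thread: a pure-Python Goertzel detector that reports how much energy a captured audio buffer carries at a chosen near-ultrasonic frequency. It runs here over constructed tones at an assumed 48 kHz sample rate rather than over a real recording; the function and constant names are mine.

```python
import math

SAMPLE_RATE = 48_000  # assumed sound-card sample rate for the constructed signals


def make_tone(freq_hz, seconds=0.05, amplitude=0.5, rate=SAMPLE_RATE):
    """Constructed test input: a pure sine, as float samples in [-1, 1]."""
    n = int(rate * seconds)
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / rate) for i in range(n)]


def goertzel_power(samples, target_hz, rate=SAMPLE_RATE):
    """Energy of `samples` at one frequency, via the Goertzel recurrence.

    Returns roughly amplitude**2 for a pure tone sitting on the target bin,
    and close to zero for tones on other bins, so it acts as a single-bin
    spectrum analyser without numpy or an FFT.
    """
    n = len(samples)
    k = int(0.5 + n * target_hz / rate)   # nearest DFT bin to target_hz
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2
    return power / (n / 2.0) ** 2        # normalise to ~amplitude**2


def carrier_present(samples, target_hz, rate=SAMPLE_RATE, threshold=0.01):
    """True if the buffer carries a tone at target_hz above `threshold` power."""
    return goertzel_power(samples, target_hz, rate) > threshold


def scan_bands(samples, rate=SAMPLE_RATE, freqs=(15_000, 18_000, 20_000, 22_000)):
    """Power at each candidate near-ultrasonic carrier, for a quick survey."""
    return {f: goertzel_power(samples, f, rate) for f in freqs}


if __name__ == "__main__":
    tone = make_tone(18_000)
    print(scan_bands(tone))                      # only the 18 kHz entry is ~0.25
    # Caveat for any such test: a 30 kHz tone sampled at 48 kHz (above the
    # 24 kHz Nyquist limit) aliases onto 18 kHz, so without an anti-alias
    # filter a capture can show energy at a frequency the source never played.
    print(carrier_present(make_tone(30_000), 18_000))   # True, by aliasing
```

To check a real capture, feed `goertzel_power` a frame of PCM samples scaled to [-1, 1] and the capture's actual sample rate; the block size sets the frequency resolution (rate / len(samples)).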

post #152 of 154 Old 11-04-2013, 02:08 PM, posted by BinaryDemon
Quote:
It’s obvious you are not an InfoSec guy. If you were, you would know that we’ve had hypervisor based rootkits for some time that can evade traditional forensic analysis. Meaning, you will get a bios dump from whatever virtual environment the malware presents to you.

So why not pull the BIOS chip and throw it in an EPROM reader? Granted, on a laptop this would be a huge pain, since you would probably have to desolder it, but it would be fairly easy on any infected desktop.

post #153 of 154 Old 11-04-2013, 02:31 PM, posted by Vagrant Storm
Quote:
Originally Posted by BinaryDemon View Post

So why not pull the BIOS chip and throw it in an EPROM reader? Granted, on a laptop this would be a huge pain, since you would probably have to desolder it, but it would be fairly easy on any infected desktop.

You can also connect via the pin-out to read it directly without removing it.

Most motherboards solder these things on these days. Never really found out why. I assume it must be cheaper to just tack them on there than to build a socket for them to plug into.

As I said above...the most damning thing about this story is that a security pro of some renown can't find it.

post #154 of 154 Old 11-04-2013, 03:50 PM, posted by reqq
He's posting a lot on Twitter:

https://twitter.com/dragosr/status/397018715151024129