Originally Posted by Xaero252
The code behind this could be revolutionary. It'll probably be twenty years before we see it being used commonly (Take a look at Farb-Rausch's tech demos - specifically Fr-08 which generates several TERABYTES of data from a single 64kb demo executable and produces a full dynamic world with animation, sound effects and lighting. That was (is) revolutionary. When that type of data generation and manipulation is available on the fly... it'll be a different world.)
Yeah, pretty impressive for a 64KB file. The Demo Scene likes to pack as much into 64KB and 256KB. I watched a 256KB demo before and it was a robot walking, don't remember who the group was that released it.
This is pretty much the nail in the coffin for this badBIOS attaching itself to the BIOS. Phillip Jaenke, who has been developing and modifying BIOSes for the past two decades, explains how BIOSes are written and how they work. Someone else commented on how audio works with a set frequency in speakers.
Originally Posted by wrl
to add another nail in the “high-frequency audio” coffin, with input signals around 20khz you’ll start to run into whatever anti-aliasing lowpass is present in the audio codec, which will also vary somewhat from vendor to vendor. at 44100hz, your nyquist is 22050hz so on a cheap card (i.e. the embedded ones on motherboards) 20000hz is likely to already be in the transition band. you don’t have a lot of range to play with up there, because the edge of human hearing is generally where a manufacturer will put their filter.
I saw how high frequency was explained by someone else on Ars Technica in the comments saying that a consumer would never get a speaker with high enough quality to output those high frequencies. So BIOS infection and high frequency communication is out of the question now. Honestly, it looks more like a USB micro-controller reprogramming/infection at this point.
This is from Dragos' Google+ account:
More on my ongoing chase of #badBIOS malware. It's been difficult to confirm this as I'm down to a precious few reference systems that are clean. I lost another one yesterday confirming that simply plugging in a USB device from an infected system into a clean one is sufficient to infect. This was on a BSD system, so this is definitely not a Windows issue - and it's a low level issue, I didn't even mount the volume and it was infected. Could this be an overflow in the way bios ids the drive?
Infected systems seem to reprogram the flash controllers on USB sticks (and cd drives, more on that later) to attack the system (bios?). There are only like ten different kinds of flash controllers used in all the different brands of memory sticks and all of them are reprogrammable, so writing a generic attack is totally feasible. Coincidentally the only sites I've found with flash controller reset software, are .ru sites, and seem to 404 on infected systems.
The tell is still that #badBIOS systems refuse to boot CDs (this is across all oses, including my Macs) there are other more esoteric problems with partition tables and devices on infected systems. Also USB cd drives are affected, I've bricked a few plugging and unplugging them too fast (presumably as they were being reflashed) on infected systems. Unsafely ejecting USB memory sticks has also bricked them a few times on #badBIOS systems for clean systems, though mysteriously they are "fixed" and reset by just simply replugging them into an infected system. Extracting data from infected systems is VERY tricky. Yesterday I watched as the malware modified some files on a cd I was burning to extract data from an infected system, don't know what it was yet, I have to set up a system to analyze that stuff.
On Windows my current suspicion is that they use font files to get up to some nastiness, I found 246 extra ttf and 150 fon files on a cleanly installed Windows 8 system, and three stand out, meiryo, meiryob, and malgunnb, that are 8mb, instead of the 7 and 4mb sizes one would expect. Unfortunately ttf files are executable and Windows "previews" them... These same files are locked by trusted installer and inaccessible to users and administrators on infected systems, and here comes the weird part, they mysteriously disappeared from the cd I tried to burn on a completely new system (a laptop that hadn't been used in a few years) that my friend brought over which had just been freshly installed with win 8.1 from msdn, with the install media checksum verified on another system.
I'm still analyzing, but I'm certain we'll ALL have a large problem here. I have more data and info I can share with folks that are interested.
Things don't add up though.
If the infection is through the micro-controller from the USB drive on the OS, then how is booting a CD disabled? Well, unless the BIOS is being modified to not allow booting from optical discs, but like Jaenke explained, you would clearly see any modifications if you extracted the BIOS and analyzed it.
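
The check the last paragraph relies on (extract the BIOS and compare it with a known-good image) can be sketched as follows. This is an added example, not part of the original post or of Jaenke's write-up; the function names, the sample bytes and the "volatile" settings-region offsets are all hypothetical and constructed for illustration.

```python
import hashlib

def diff_ranges(reference: bytes, dump: bytes, merge_gap: int = 16):
    """Half-open (start, end) byte ranges where dump differs from reference.
    Differing bytes at most merge_gap apart are reported as one range."""
    ranges, start, last = [], None, None
    common = min(len(reference), len(dump))
    for i in range(common):
        if reference[i] == dump[i]:
            continue
        if start is None:
            start = i
        elif i - last > merge_gap:
            ranges.append((start, last + 1))
            start = i
        last = i
    if start is not None:
        ranges.append((start, last + 1))
    if len(reference) != len(dump):  # truncated or padded dump
        ranges.append((common, max(len(reference), len(dump))))
    return ranges

def compare_images(reference: bytes, dump: bytes, expected_volatile=()):
    """Hash first; on mismatch, split differing ranges into those fully inside
    regions expected to change (settings storage) and everything else."""
    if hashlib.sha256(reference).digest() == hashlib.sha256(dump).digest():
        return {"identical": True, "volatile": [], "unexpected": []}
    result = {"identical": False, "volatile": [], "unexpected": []}
    for s, e in diff_ranges(reference, dump):
        inside = any(vs <= s and e <= ve for vs, ve in expected_volatile)
        result["volatile" if inside else "unexpected"].append((s, e))
    return result

# Constructed sample data: a 4 KiB stand-in for a reference image and a dump
# with one change inside a hypothetical settings region and one outside it.
REFERENCE = bytes(range(256)) * 16
_modified = bytearray(REFERENCE)
_modified[0x100:0x104] = b"\xde\xad\xbe\xef"
_modified[0x800:0x820] = b"\x90" * 32
DUMP = bytes(_modified)
VOLATILE = [(0x100, 0x200)]  # hypothetical offsets, not from any real layout

if __name__ == "__main__":
    report = compare_images(REFERENCE, DUMP, VOLATILE)
    for kind in ("volatile", "unexpected"):
        for s, e in report[kind]:
            print(f"{kind:10s} 0x{s:06x}-0x{e:06x} ({e - s} bytes)")
```

Any range reported as unexpected is where analysis of the dump would start; the reference image has to come from a source that was never attached to the suspect machine.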