Malware which makes use of (even more) unexpected covert channels (than usual).

Jan 18, 2014

Late last year, known and respected information security researcher Dragos Ruiu began tweeting about something he called #badBIOS - a malware agent of some kind that he says jacks the BIOS of a machine and sets itself up as a hypervisor-cum-backdoor beneath the operating system. He's gathered got some evidence that instances of the beastie communicate via near-ultrasound by directly manipulating the soundcard without interacting with the OS' drivers. Whether or not he's actually right, some of the NSA's older existing tools aside - it was surprising how fast corroborating details started popping up around the Net.

In December of 2013 a small group of scientists at the Fraunhofer Institute for Communication, Information Processing, and Ergonomics in Germany published a research paper called On Covert Acoustical Mesh Networks in Air, in which they developed and implemented an experimental piece of malware which directly accesses the sound chipsets of infected systems so that they can relay traffic for one another by sending and receiving near-ultrasound. Infected machines within range of one another set up a low bandwidth mesh network to permit the exfiltration of data when most of the machines are physically isolated from the rest of the Net.

Then Kate Murphy's project on Github called Quietnet started making the rounds in certain circles. In a nutshell, it's a pair of utilities written in Python that implement... dramatic pause... node-to-node text-based chat. Using near-ultrasound generated and decoded by the sound cards of the machines her code is running on. Its dependencies are minimal and the utilities are simple to set up. One of my cow-orkers and I were playing around with it at the office earlier this week and sure as death and taxes we were nattering back and forth with one another using our laptops from a distance of about ten feet. It's not a perfect communications technique; depending on how loud the background noise is, how busy the exhaust fans are, and probably how sensitive (read: not crappy) the microphones and speakers in our laptops are, we were exchanging text with varying degrees of accuracy. I think it might be possible to modify Quietnet to transfer data instead of text, something along the lines of SLiRP but ultimately I don't think it would be worth the effort. The concept is more than proven, there are better overt techniques for connecting computers, but if you're serious about covert data exfiltration chances are you're willing to be patient (on a scale of days or weeks) to get the goods you're after.