 
So it turns out that annoying high frequency whine in my sound system isn't crappy electrical noise that has been plaguing my wiring for years. It is actually high frequency ultrasonic transmissions that malware has been using to communicate to airgapped computers... one "ghost" located at least. And now we know how the "hypervisor" functions, it's probably stored in the Realtek firmware, and that's one of the ways it survives reinstalls and BIOS reflashing. Off to find tools to dump the Realtek audio chips, and to try to find clean firmware to compare it to. Haven't ruled out video firmware yet, either.
 
Holy crap, this sounds like the plot of a SciFi novel, yet this is actually a thing.
 
You have got to be kidding me. I didn't know Oct 15th Fool's Day was a thing.
 
Horysheetbro. 
Are you for real?
I wants to see a good dissection on this particular malware, it sounds... professional. (as in, not your typical fake AV scam)

If it's hidden in the firmware, then a typical 'nuke and pave' OS reinstall wouldn't even clear it. 
There's no way it could propagate this way, but it could update already infected hardware using this.
 
Any ideas on where you may have picked this interesting piece of malware up?
 
Have you tried to connect the oscilloscope to the speakers to see if anything suspicious is actually transmitted?
 
Good idea +Jarek Kielas, though how easy would it be to identify what the signal is? If it's interference from a nearby cellphone, for example, it would, I expect, look like a comms signal. Would you be able to tell the difference between such a signal and a malicious one?
 
The best would be to use something like a Faraday cage or go to some lonely place without the phone. The signal should resemble something like old acoustic modems. http://en.wikipedia.org/wiki/Modem#Acoustic_couplers
 
Acoustic coupling in an unknown environment is going to have a seriously low bit rate.

Say you want the sound to be barely noticeable to humans.   That means you probably need to use frequencies between 15kHz and 20kHz.

You're going to have lots of background noise, and probably quantization noise in the receiver due to low signal levels, so say an SNR of -20dB.

The Shannon-Hartley theorem says C = B log_2(1+SNR), so you get C = 9 bytes per second.

It's going to be really tough, but not impossible to make malware that can automatically locate useful data on a many terabyte network drive and extract the most useful bits to be sent over a 9 bytes/sec connection to the outside world.
 
Also, many laptops make random barely audible squeaks and noises normally.

These are caused by electrical noise in the power supply to the audio circuitry, which is usually caused by activity in other devices within the laptop.

Users usually notice it when the GPU is performing work, since the GPU usually synchronises its work to the frame rate, so it is common to hear very quiet high pitch clicks at 60Hz when moving the mouse. The clicks get louder when dragging a window around because the GPU is doing more work in each frame. Anything animating on the screen will cause similar clicks. You can get an even bigger impact from CPU use, although there aren't as many bits of CPU activity that are quite so predictable in time.


I think what you're thinking of as NSA-level spying is in fact simply this.


Now of course, a super smart NSA spy virus would use this effect to its advantage...
 
Well, I was watching their Trojan/rat on the laptop with monitoring tools, and slowly ripping out cards (wan, wifi, Bluetooth).... What I was really concerned about was even more sci-fi.... Software defined radio functionality from the CPU... I was a little relieved when the remote access was defeated finally by disconnecting the microphone and speakers.
 
That bitrate sounds about right Olliver, their signalling was slow and laggy.
 
Also it's easy to go way above 20 kHz on the speakers and mics, just because you can't hear it doesn't mean computers can't.
 
I've recorded some 96k wav files of the output... Still pending analysis if we can extract a signal from those.
 
I wonder if other network attached devices could be used in this high frequency audio schema as well. Cell phones, switches, routers, etc.
 
 
Had a hackintosh and audio was noisy. Now I have a real Mac and it's noisy as well! How about deleting audio driver files (extensions), or injecting some fake audio drivers there (if it doesn't start up without)?
 
You could use a spectrum analyser to "see" the signal: if it's frequency and/or amplitude modulated you should be able to detect it.

I must say, there is a lot of skepticism around me about this #badBIOS story.
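
The spectrum check suggested above, sketched for 96 kHz recordings like the ones mentioned in the thread. This is an added example, not part of the original post or comments; the probe band, the -50 dBFS threshold and the constructed test signal (a 1 kHz audible tone plus noise, optionally with a keyed 18.5 kHz tone) are assumptions.

```python
import math
import random
from collections import Counter

RATE = 96_000                        # sample rate of the recordings in the thread
FRAME = 960                          # 10 ms frames: bins fall on multiples of 100 Hz
PROBES = range(15_000, 24_001, 500)  # near-ultrasonic band to watch (assumed)
THRESHOLD_DBFS = -50.0               # assumed alert level; tune on a quiet baseline

def goertzel_power(frame, freq):
    """Squared amplitude of one frequency component (Goertzel algorithm)."""
    k = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + k * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - k * s1 * s2) / (len(frame) ** 2 / 4.0)

def scan(samples):
    """Return (flagged_frames, total_frames, dominant_freq_hz or None)."""
    limit = 10 ** (THRESHOLD_DBFS / 10)
    total = len(samples) // FRAME
    peaks = []
    for i in range(total):
        frame = samples[i * FRAME:(i + 1) * FRAME]
        power, freq = max((goertzel_power(frame, f), f) for f in PROBES)
        if power > limit:            # strong narrowband energy above 15 kHz
            peaks.append(freq)
    dominant = Counter(peaks).most_common(1)[0][0] if peaks else None
    return len(peaks), total, dominant

def make_sample(with_tone, seconds=0.5, seed=1):
    """Constructed input: samples in [-1, 1], not a real capture."""
    rng = random.Random(seed)
    out = []
    for n in range(int(RATE * seconds)):
        t = n / RATE
        x = 0.5 * math.sin(2 * math.pi * 1_000 * t) + rng.gauss(0, 0.005)
        if with_tone and (n // FRAME // 5) % 2 == 0:   # tone keyed in 50 ms bursts
            x += 0.05 * math.sin(2 * math.pi * 18_500 * t)
        out.append(x)
    return out

if __name__ == "__main__":
    for label, tone in (("baseline", False), ("keyed tone", True)):
        print(label, scan(make_sample(tone)))
```

A steady count of flagged frames with one dominant frequency points to a deliberate carrier; the clicks from GPU or power-supply noise described earlier in the thread are broadband and should be judged against a baseline taken from the same machine.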
 
+Dragos Ruiu Put the output wave file through something like Audacity. Might find something interesting that way just by looking at the waveform.
 
Holy cow. I'll be following this one closely.