badBIOS rootkit uses ultrasonic communication using mics + speakers

Security researcher Dragos Ruiu discovered a rootkit that seems to come straight out of a science fiction movie. If Ruiu wasn't a well known name in the security scene his story would probably have met even greater scepticism, because badBIOS, the malware he's been tracking for three years is a rootkit unlike any I've ever heard about.

This mysterious piece of malware is reportedly capable of infecting a wide range of operating systems, including Windows, Mac OS X, multiple variants of Linux and even Open BSD. badBIOS is transmitted through USB drives, Ruiu speculates the virus exploits some kind of buffer overflow bug in the way the BIOS is reading a USB drive to automatically infect any PC it comes in contact with. Besides being capable of infecting the lowest levels of computer hardware, it can also attack a wide variety of platforms, escape common forms of detection, and survive most attempts to delete it thanks to advanced self-healing capabilities.

The most peculiar part about the story is that the rootkit is still capable of transmitting small amounts of network data with other infected machines even when power cords and Ethernet cables are unplugged and WiFi and Bluetooth cards are unplugged. After countless hours of investigation, Ruiu discovered that the virus uses ultrasonic-based networking to communicate with other infected machines. Only when he removed the internal speaker and microphone connected to an airgapped machine, the packet transfers suddenly stopped.

For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.

"The suspicion right now is there's some kind of buffer overflow in the way the BIOS is reading the drive itself, and they're reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table," he explained.

He still doesn't know if a USB stick was the initial infection trigger for his MacBook Air three years ago, or if the USB devices were infected only after they came into contact with his compromised machines, which he said now number between one and two dozen.

Who is behind this highly advanced rootkit and why Ruiu is the only one that has discovered it so far remains a mystery. Further details can be read at ARS Technica.