Could this be the end of traditional AV and Cloud AV?

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
The research acts as a proof-of-concept for claims made by security researcher Dragos Ruiu, who is believed to have discovered just such a virus in the wild. Ruiu claimed that the malware he had discovered, dubbed badBIOS, allowed infected machines to "whisper" to one another, and repair the malware while it was being removed.

Abstract—Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the near ultrasonic frequency range. We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via nearfield audio communications. Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities.

Hello guys,

We are all aware of traditional signature-based AV and the newer zero-day and cloud technologies.
However, the Fraunhofer Institute for Communication, Information Processing, and Ergonomics
has developed techniques to prove the above claims. If this is true (which has been proven), then what implications would this have for the internet community as a whole, and what impact would it have on customers, companies and government organisations?
Because according to the researchers there has been indirect evidence that some malware may have been in the wild for some time now that virtually cancels out ANY AV solution, because it operates according to a completely different routine.
On a personal level, I am aware of the new techniques due to my years of experience, but truth be told, when I read this article, I could not help thinking that some of this must have been government sponsored, because even though hackers do have the capability to roll out new techniques, this level of sophistication is limited to a few only.
Given the general idea that AV vendors are practically always one or two steps behind, it would be a no-brainer to assume that if any of this article is remotely true, then major security companies around the world, and security suppliers and vendors, are bypassed for the time being, leaving customers around the world within a fake security bubble.

So what do you think? Please share your constructive ideas.
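As an added example (not code from the Fraunhofer paper or from anyone in this thread), here are the two countermeasures the abstract names, a lowpass filter and a host-based detector that flags unusual energy above the audible band, in plain Python over constructed audio frames. The 48 kHz sample rate, the 17 kHz band edge and the 0.2 % energy threshold are assumptions, not figures from the paper.

```python
"""Near-ultrasonic audio check: lowpass filter plus a host-based detector rule.
Added example, not code from the Fraunhofer paper or this thread. Frames are
constructed here (440 Hz tone, faint noise, optional 18.5 kHz carrier)."""
import math
import random

SAMPLE_RATE = 48_000                 # Hz, assumed capture rate
FRAME_LEN = 2048                     # samples per analysed frame
BAND_LO, BAND_HI = 17_000, 24_000    # band treated as near-ultrasonic (assumption)
RATIO_THRESHOLD = 0.002              # alert if this share of frame energy is in the band (assumption)

def goertzel_power(frame, k):
    """|X[k]|^2 for DFT bin k via the Goertzel recurrence (O(N) per bin, no full FFT)."""
    n = len(frame)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for v in frame:
        s1, s2 = v + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_energy_ratio(frame, fs=SAMPLE_RATE, lo=BAND_LO, hi=BAND_HI):
    """Share of the frame's energy inside [lo, hi] Hz. A Hann window limits leakage from
    loud audible content; Parseval gives the total energy so only band bins are computed."""
    n = len(frame)
    win = [v * 0.5 * (1.0 - math.cos(2.0 * math.pi * i / n)) for i, v in enumerate(frame)]
    total = n * sum(v * v for v in win)
    if total == 0.0:
        return 0.0
    k_lo, k_hi = max(0, math.ceil(lo * n / fs)), min(n // 2, math.floor(hi * n / fs))
    band = 0.0
    for k in range(k_lo, k_hi + 1):
        # bins 0 and N/2 have no mirror image; every other bin also stands for its negative twin
        band += (1.0 if k in (0, n // 2) else 2.0) * goertzel_power(win, k)
    return band / total

def is_suspicious(frame, threshold=RATIO_THRESHOLD):
    """Detector rule: alert when the near-ultrasonic share of a frame exceeds the threshold."""
    return band_energy_ratio(frame) > threshold

def lowpass_fir(frame, cutoff_hz=16_000, fs=SAMPLE_RATE, taps=101):
    """Hamming-windowed sinc lowpass FIR over one frame (zero history before sample 0)."""
    m, fc = taps - 1, cutoff_hz / fs
    h = []
    for i in range(taps):
        x = i - m / 2
        sinc = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        h.append(sinc * (0.54 - 0.46 * math.cos(2 * math.pi * i / m)))
    gain = sum(h)
    h = [c / gain for c in h]        # unity gain in the passband
    return [sum(c * frame[i - j] for j, c in enumerate(h) if i - j >= 0) for i in range(len(frame))]

def make_frame(carrier_amp, seed=7, n=FRAME_LEN, fs=SAMPLE_RATE):
    """Constructed audio: 440 Hz tone + faint noise + an 18.5 kHz carrier of the given amplitude."""
    rng = random.Random(seed)
    return [0.5 * math.sin(2 * math.pi * 440 * i / fs)
            + carrier_amp * math.sin(2 * math.pi * 18_500 * i / fs)
            + 0.01 * rng.uniform(-1.0, 1.0) for i in range(n)]

if __name__ == "__main__":
    for label, amp in (("benign", 0.0), ("carrier", 0.05)):
        frame = make_frame(amp)
        print(label, round(band_energy_ratio(frame), 5), is_suspicious(frame),
              "after lowpass:", is_suspicious(lowpass_fir(frame)))
```

On real input the same rule would run over frames pulled from the capture and playback streams; a carrier one tenth the amplitude of the audible content still stands out because the audible band normally carries almost no energy above 17 kHz.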
 

Exterminator

Community Manager
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
I have read about this, very scary to think about. How long before someone can apply this I don't know, seems to me it is a bit above the skill level of most. I am sure there are those that work tirelessly on new ways of infecting as those that work tirelessly on new ways of preventing. Hopefully somebody somewhere is working on a way to prevent or at least detect such malware. It wouldn't surprise me if someday this is what we see, but I would like to think that this will take some time to be implemented, in a malicious way that is. Malware is pretty much the same as a disease or medical virus, there are many that are out there that haven't been discovered yet.

In fact I have a headache, some of those words have left me contemplating my own skill level. Below is more my level, and somehow reading one after the other helps :confused:

"Stairway to Heaven" is a song by the English rock band Led Zeppelin, released in late 1971. It was composed by guitarist Jimmy Page and vocalist Robert Plant for the band's untitled fourth studio album (often referred to as Led Zeppelin IV). It is often referred to as one of the greatest rock songs of all time.
The song, running eight minutes and two seconds, is composed of several sections which increase in tempo and volume as the song progresses. The song begins as a slow acoustic-based folk song accompanied by recorders before electric instrumentation is introduced. The final section is an uptempo hard rock section highlighted by an intricate guitar solo by Page and Plant's wailing vocals, ending with Plant's a cappella delivery of the final line: "And she's buying a Stairway to Heaven".
In a January 1982 television program on the Trinity Broadcasting Network hosted by Paul Crouch, it was alleged that hidden messages were contained in many popular rock songs through a technique called backward masking. One example of such hidden messages that was prominently cited was in "Stairway to Heaven." The alleged message, which occurs during the middle section of the song ("If there's a bustle in your hedgerow, don't be alarmed now...") when played backward, was purported to contain the Satanic references "Here's to my sweet Satan" and "I sing because I live with Satan."
 

Deleted member 178

Turn off your speakers! Malware down.

Umbra Total Security? Because I'm worth it!

More seriously, it is an original and nasty vector. I think that a simple implementation in a BB or HIPS that monitors audio hardware and devices will be enough to prevent it.
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Yeah, I see what you are saying, the problem is that, for example, the x86 infrastructure based boards will not support it; in fact I doubt if any board would support such deep analysis within the very firmware of the hardware components.
So this would mean that the industry will have to add to each hardware part a module similar to BIOS protection, and allow upper level software to operate at root and lower levels.
That on its own is going to be a challenge.
 

Deleted member 178

Indeed the main barrier will be financial resources: will the hardware industry invest huge amounts in research and development to protect against a kind of malware that will threaten few people for a short time?

(Given that malware evolves constantly and is really damaging only to corporations)

I can hear their answer...
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
So true, the question is though: is it really their call to make?
Given the fact that such malware would leave them naked for all to see.
I mean your average data chip does not have a PEGI 18+ rating lol
 

Gnosis

Level 5
Apr 26, 2011
2,779
I believe that cloud AVs will have a good run, but traditional AVs are going to disappear.
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Right now the x86 infrastructure, to my knowledge, does not support any AV technique that could stop this kind of malware.
And that is the main issue, as the researchers pointed out: right now it's technically impossible to achieve reliable security against this type of malware technique.
Obviously, let me repeat that to my knowledge there is no such thing, and the research seems to validate that.
However, neither I nor anyone else not directly related to the development and research of this type of malware would be able to prove this right or wrong.
So far it's just research and a conclusion based upon the findings right now.
 

Gnosis

Level 5
Apr 26, 2011
2,779
In light of this new malware, how would it do against a BB, HIPS, Sandboxie, and Comodo Firewall?
Sig-based AVs have not impressed me much as far as long-term prognosis goes.
 

NZRADAR

Level 3
Verified
Well-known
Aug 8, 2013
145
Hi n.nvt, interesting research, while a real brain workout for me. I think the implications of how far this vector of attack can go are disturbing on many levels, both for industry and home users. While I don't quite know how to articulate my thoughts on this, may I attempt to add questions and off-the-wall thoughts on this new malware. So I'll just put my early thoughts to it in no particular order.
Question: am I right in assuming some form of electromagnetic induction is an absolute necessity for this to work? If so, how could you shield a target in those frequency ranges?

Thought: since ultrasound is, I think, narrow band and highly directional, if a speaker or microphone were designed to deflect or scatter those frequency ranges, could that be a feasible idea? And also, if a microphone could only be activated based on voice recognition of the user instead of just an on/off state, would this provide an enhancement in security?

Thought: since it is a transmitted form of attack, could future hardware employ a built-in transceiver that scans for incoming and directional sources of external EMF noise and, if so detected, would act like a radar and possibly calculate distance/signal strength or proximity based on surrounding echo patterns; and then possibly beam back like signal jamming, or further yet expose the attacking machine?

Thought: if reception of a signal correctly relies on a device being tuned to that wavelength, is there possibly a way that a potential target machine can change its own reception attributes, much like changing an aerial length to fit the MHz band, and in so doing mitigate reliable absorption of the transmitted frequency? Thinking outside the box, like how malware botnet C&Cs employ fast fluxing at a DNS level to evade detection: could an electronic device under a detected attack change its own internal reception/echo response signature capability at a software coding level or hardware level? Thinking in terms of how stealth aircraft have an extremely small echo for their size.

Thought: is it too simple a term to employ the words acoustic shielding? Thinking in terms of military grade equipment that has some form of EMP protection etc.

These are my own thoughts and I'm not very knowledgeable about this, but I just like to add to the discussion.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
It will be the large companies such as Kaspersky, Symantec, Sophos and Bitdefender who will invest heavily in researching a solution to this. And then ultimately, if they're successful, they'll gain even more market share.

Thanks for the share n.nvt.
 

Gnosis

Level 5
Apr 26, 2011
2,779
I think I am going to put a bit of compressed air through a dog whistle and let it run for the rest of my days, thus hopefully scrambling the malware signals. LOL
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Those are some legit ideas. I will not be able to reply in full right now, as I am on a small tablet visiting my parents-in-law for New Year's Eve and the party that follows. Obviously when I get back home I will reply in full.
However, I have a question for you to think about: how can you shield your hardware from this if the very electricity from the PC is radiating some frequency itself?
That would be enough to use as a data carrier; as the report says, your PC does not even need to be on...just plugged in.
Cheers
 

Deleted member 178

Just to say, the problem is not the electromagnetic signals or electricity frequencies that matters, but the interface decoding those potentially malicious frequencies; if the decoding hardware has no kind of filters, then you will be in danger.

Just as routers in the old days had no integrated firewalls (making Zone Alarm Free mandatory), unlike now.
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Well yes, that's exactly the point, and any engineer can tell you that shielding each data chip from this by adding filters would require a complete overhaul of the internal infrastructure of the chip itself. There is a Dutch/UK company called EADS or Thales and they have been making chips with those filters for the Dutch navy (hyper modern radar tower on Dutch LCF frigates); obviously the reason behind those filters was not malware but hardening against sound-based jamming. My point is that there is not a single computer factory that has the skill and technology to produce them; on top of that its effectiveness is not yet proven, sure it works in trials and such, but other than that it's still a big if.
Same goes for a bunker: you are going to find out if you are safe when you have survived the blast lol.
Anyway, the thing is that if groups can manufacture such malware or malicious signals, then one could say that security is cosmetic at best, because this would put them light years ahead of any security developer.
Or am I wrong here?
Anyway m8, I totally agree.....nice reply!
 

Gnosis

Level 5
Apr 26, 2011
2,779
How near each other do PCs need to be to be at risk for this type of malware distribution?
 

Deleted member 178

@Gnosis : around 20m

@n.nvt : I'm intimately sure that this kind of malware is military-created, so they are surely already shielded.

I think that adding a chip on the motherboard that will analyze the data streams' behaviour by virtualizing them before letting them into the OS is not impossible or too expensive to do.
 

NZRADAR

Level 3
Verified
Well-known
Aug 8, 2013
145
Still thinking, but I have more questions: is it possible for the potential carrier frequency to be made so unreliable or inconsistent that it cannot be exploited easily? Also a question, but I think it's not a factor at the moment: what part of the equipment under attack is producing the carrier, since it's only plugged in? Is the PC in sleep mode? Sorry about my simple questions, but hopefully not simplistic.

Thought: since the attack is happening at BIOS level, do I assume the attacker must have knowledge of the target BIOS? Could it be possible for equipment to have multiple BIOS signatures, instead of just a dual BIOS backup in case one becomes corrupted, so that the equipment, when turned on, fully randomizes out of a pool of compatible BIOS/firmware, or even looks to load or verify the BIOS image from an encrypted USB stick?

Do or will computers always have to be made in such a way that they only look to and only function with one BIOS image before they proceed initializing? What if they were made to rely on multiple BIOS image parts, and one or more of those were offline, and the offline device, when paired up, made a completion of the image and continually verified itself and all memory relating to its integrity? Sort of like a solid state mini device that was essential to the equipment's start-up procedure.

What do you think? Any valid ideas here, or off beam completely? :)

If off beam, what do you think is the area of thought and focus just to explore this further?
Kind regards and Happy New Year
NZRADAR
 

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
I will not deny that I have a very strong feeling about the fact that this could be military created; however, the research report strongly indicates that the tested streams were not of military origin, so I cannot say yes or no because I obviously do not know. In regards to the 20m range, any cell phone or satellite could activate a signal, even a modem can, so that makes the range of the signal virtually unlimited.
Please do realize that there are lots of questions, and perhaps even more what ifs. Fact is, though, that after this report lots of nasty questions are going to be asked, because presently, from a military POV, none of the systems is even remotely capable of dealing with this, so it's safe to say that the brass and company brass are going to feel uneasy. Which is totally understandable.
Short said, I do not have all the info, I can only use common sense and work from there, but as I mentioned before the implications of this are huge...even if there were a security that could deal with this.
Needless to say, I think it's obvious that there will be some questions in the industry and it remains to be seen if there is a fitting reply.
 
