If you read Dragos' Twitter and Facebook posts, although USB was likely
an initial infection vector (incidentally, perhaps modifying the flash
controller/firmware on the mem stick along with a potential volume ID
buffer overflow), he subsequently found that airgapped machines seemed
to be able to communicate over the internet, with the bridge apparently
being HF audio.

 

It's not clear if HF audio ALONE is sufficient to be an infection vector
or is simply a method to continue to communicate with C&C infrastructure
and/or combat eradication/forensics attempts. Given that audio driver
and/or FW infection seemed to be necessary on the receiving machine, it
may imply both sender and receiver of the HF audio payloads would
already need to have been compromised.

 

-sc

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Kevin Lundy
Sent: Friday, November 1, 2013 9:06 AM
To: [email protected]
Subject: Re: [NTSysADM] Fw: Scary stuff for Halloween...not a hoax either

 

Maybe it is poor writing, but the article says the malware is
transmitted via USB drives.  Quite easy to jump an air gap with a thumb
drive.

 

On Fri, Nov 1, 2013 at 7:27 AM, Rankin, James R <[email protected]>
wrote:

Don't know whether any of you have read this...

Sent from my (new!) BlackBerry, which may make me an antiques dealer,
but it's reliable as hell for email delivery :-)

________________________________

From: Rankin James <[email protected]> 

Date: Fri, 1 Nov 2013 11:25:53 +0000

To: '[email protected]'<[email protected]>

Subject: Scary stuff for Halloween...not a hoax either

 

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

 

James Rankin
Citrix Infrastructure Specialist
Hiscox

 

 

 
