FWIW, here is another point of view on it: http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/ Not that I know enough about it to comment.
...Tim

From: [email protected] [mailto:[email protected]] On Behalf Of Steven M. Caesare
Sent: Friday, November 01, 2013 11:48 AM
To: [email protected]
Subject: RE: [NTSysADM] Fw: Scary stuff for Halloween...not a hoax either

It will be interesting to see how it plays out... including what the payload may end up being.

The fact that he's a reasonably well regarded sec dude with a bit of a reputation on the line makes me think there's at least an even chance he knows what he's talking about, and isn't just trolling...

-sc

From: [email protected] [mailto:[email protected]] On Behalf Of Jim Majorowicz
Sent: Friday, November 1, 2013 1:17 PM
To: [email protected]
Subject: Re: [NTSysADM] Fw: Scary stuff for Halloween...not a hoax either

I read that yesterday. I'm skeptically optimistic that he might actually be wrong. It is a truly scary read for Halloween, not that the date had anything to do with the article. The facts are those attack vectors are real, at least in theory. The fact that this may prove those theories is horrifying.

On Fri, Nov 1, 2013 at 6:29 AM, Steven M. Caesare <[email protected]> wrote:

If you read Dragos' twitter and facebook posts, although USB was likely an initial infection vector (incidentally, perhaps modifying the flash controller/firmware on the mem stick along with a potential volume ID buffer overflow), he subsequently found that airgapped machines seemed to be able to communicate over the internet, with the bridge apparently being HF audio. It's not clear if HF audio ALONE is sufficient to be an infection vector or is simply a method to continue to communicate with C&C infrastructure and/or combat eradication/forensics attempts. Given that audio driver and/or FW infection seemed to be necessary on the receiving machine, it may imply both sender and receiver of the HF audio payloads would already need to have been compromised.

-sc

From: [email protected] [mailto:[email protected]] On Behalf Of Kevin Lundy
Sent: Friday, November 1, 2013 9:06 AM
To: [email protected]
Subject: Re: [NTSysADM] Fw: Scary stuff for Halloween...not a hoax either

Maybe it is poor writing, but the article says the malware is transmitted via USB drives. Quite easy to jump an air gap with a thumb drive.

On Fri, Nov 1, 2013 at 7:27 AM, Rankin, James R <[email protected]> wrote:

Don't know whether any of you have read this...

Sent from my (new!) BlackBerry, which may make me an antiques dealer, but it's reliable as hell for email delivery :-)

________________________________
From: Rankin James <[email protected]>
Date: Fri, 1 Nov 2013 11:25:53 +0000
To: '[email protected]'
Subject: Scary stuff for Halloween...not a hoax either

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

James Rankin
Citrix Infrastructure Specialist
Hiscox

