Wednesday, February 4, 2015

Malware Alert: Is 'BadBIOS' Rootkit Jumping Air Gaps?

Is advanced malware quietly infecting the BIOS on targeted systems that aren't connected to the Internet, then relaying stolen data to Internet-connected computers using ultrasonic sound?

That's the conclusion reached by Dragos Ruiu, a respected security consultant who organizes the annual CanSecWest conference in Vancouver. He's lately been documenting his research into an advanced -- and persistent -- threat that appears to spread via USB drives, and to infect the BIOS firmware that enables applications and operating systems to interact with computer hardware.
Ruiu said he first spotted evidence of the related malware three years ago, when he found that a MacBook Air on which he'd installed a fresh copy of OS X was updating a part of its firmware tied to the startup routine, after which it refused to let him boot the device from an external CD drive. Later, Ruiu found that data stored on a computer running the free OpenBSD operating system mysteriously disappeared. Then, a few weeks ago, he noticed that a computer that didn't have the next-generation Internet networking protocol IPv6 enabled was nevertheless transmitting packets using IPv6.
In addition, he also found machines transmitting small amounts of encrypted network data even when their Wi-Fi and Bluetooth cards had been removed, their networking cables unplugged, and they were running on battery power with the power cords unplugged, thus eliminating the possibility of power-line networking connections. Furthermore, the odd behavior affected not just Macs but also Windows and Linux systems, and it only ceased when the microphone, the external speaker, and the speaker attached to the motherboard were removed.

"So it turns out that annoying high frequency whine in my sound system isn't crappy electrical noise that has been plaguing my wiring for years," Ruiu said in an Oct. 16 blog post. "It is actually high frequency ultrasonic transmissions that malware has been using to communicate to airgapped computers."
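To show the kind of check a defender could run against the ultrasonic-channel claim above, here is an added example (not code from the article or from Ruiu's research) that scans captured audio frames for energy in the near-ultrasonic band relative to the audible band, which is the observable a covert acoustic link would leave on a microphone capture. The 48 kHz sample rate, 10 ms frame length, 18 kHz cut-off and 10% ratio threshold are assumptions, and the audio is constructed inside the block rather than captured.

```python
import cmath
import math

# Assumed capture parameters (not from the article): 48 kHz mono, 10 ms frames.
SAMPLE_RATE = 48000
FRAME_LEN = 480           # 10 ms at 48 kHz -> 100 Hz per DFT bin
ULTRASONIC_HZ = 18000     # assumed cut-off for "inaudible" content
RATIO_THRESHOLD = 0.1     # flag when ultrasonic energy > 10% of audible energy


def spectrum(frame, rate=SAMPLE_RATE):
    """Direct DFT: list of (frequency_hz, power) for bins up to Nyquist."""
    n = len(frame)
    out = []
    for k in range(n // 2 + 1):
        coeff = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                    for i, x in enumerate(frame))
        out.append((k * rate / n, abs(coeff) ** 2))
    return out


def ultrasonic_ratio(frame, rate=SAMPLE_RATE, cutoff_hz=ULTRASONIC_HZ):
    """Energy at or above the cut-off divided by energy below it (0 for silence)."""
    spec = spectrum(frame, rate)
    hi = sum(p for f, p in spec if f >= cutoff_hz)
    lo = sum(p for f, p in spec if f < cutoff_hz)
    if hi == 0.0:
        return 0.0
    return hi / (lo + 1e-12)   # a purely ultrasonic frame yields a huge ratio


def flag_frames(samples, frame_len=FRAME_LEN, threshold=RATIO_THRESHOLD,
                rate=SAMPLE_RATE):
    """One bool per full frame: True where the ultrasonic band is suspicious."""
    return [ultrasonic_ratio(samples[i:i + frame_len], rate) > threshold
            for i in range(0, len(samples) - frame_len + 1, frame_len)]


def synth(seconds, tones, rate=SAMPLE_RATE):
    """Constructed test audio: sum of (freq_hz, amplitude) sine tones."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in tones)
            for i in range(int(seconds * rate))]


if __name__ == "__main__":
    audible_only = synth(0.02, [(1000, 0.5)])                   # 1 kHz tone
    with_carrier = synth(0.02, [(1000, 0.5), (20000, 0.3)])     # plus 20 kHz tone
    print("audible only:", flag_frames(audible_only))           # [False, False]
    print("with carrier:", flag_frames(with_carrier))           # [True, True]
```

Real captures will need the threshold tuned against a baseline of the machine's own room noise and audio hardware roll-off, and a frame that trips the check only says "there is ultrasonic energy here", not which process produced it.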
Ruiu surmised that malicious BIOS firmware -- which he dubbed "badBIOS" -- was being used to store a "hypervisor" that was able to survive reboots, or even the BIOS being reflashed. "Infected systems seem to reprogram the flash controllers on USB sticks (and CD drives, more on that later) to attack the system," he wrote recently.

"The suspicion right now is there's some kind of buffer overflow in the way the BIOS is reading the drive itself, and they're reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table," Ruiu told Ars Technica last week.
But does Ruiu's analysis of the BIOS malware -- which has been described by some commentators as being more advanced than Stuxnet or Flame -- hold water?

"I'm not sure what to make of this. When I first read it, I thought it was a hoax," said Bruce Schneier, chief security technology officer of BT, in a blog post Monday. "But enough others are taking it seriously that I think it's a real story. I don't know whether the facts are real, and I haven't seen anything about what this malware actually does."

"The weirdest part is how it uses ultrasonic sound to jump air gaps," he said.
Other security researchers, meanwhile, have noted that everything Ruiu has described is technically feasible. "Everything Dragos describes is plausible. It's not the mainstream of 'hacking,' but neither is it 'nation state' level hacking," said Robert David Graham, CEO of penetration testing firm Errata Security, in a blog post. "That it's all so plausible [lends] credence to the idea that Dragos isn't imagining it."
Indeed, technically speaking, writing malware that could interact with USB flash drive controllers wouldn't be a big challenge. "There are only like 10 different kinds of flash controllers used in all the different brands of memory sticks and all of them are reprogrammable, so writing a generic attack is totally feasible," Ruiu recently posted online. "Coincidentally the only sites I've found with flash controller reset software are .ru sites, and seem to 404 on infected systems," referring to sites registered using the top-level domain name for Russia (.ru).
But with those bits of evidence in hand, it's still not clear exactly what Ruiu might have stumbled on, or who might have built it. Accordingly, Ruiu and other security researchers, as well as detractors, continue to sift through related clues and explanations.

In the meantime, don't expect definitive answers anytime soon, Graham said. "Dragos has only been analyzing this for a few weeks. Presumably, he won't give us the full details for us to check out until the next CanSecWest conference [in March 2014]," he said. "Until then, I guess we are all just blowing smoke about whether this is 'real' or not."
