Ruiu said he arrived at the theory about badBIOS's high-frequency networking
capability after observing encrypted data packets being sent to and from an
infected machine that had no obvious network connection with -- but was in
close proximity to -- another badBIOS-infected computer. The packets were
transmitted even when one of the machines had its Wi-Fi and Bluetooth cards
removed. Ruiu also disconnected the machine's power cord to rule out the
possibility it was receiving signals over the electrical connection. Even
then, forensic tools showed the packets continued to flow over the airgapped
machine. Then, when Ruiu removed internal speaker and microphone connected to
the airgapped machine, the packets suddenly stopped.
With the speakers and mic intact, Ruiu said, the isolated computer seemed to
be using the high-frequency connection to maintain the integrity of the
badBIOS infection as he worked to dismantle software components the malware
relied on.
"The airgapped machine is acting like it's connected to the Internet," he
said. "Most of the problems we were having is we were slightly disabling bits
of the components of the system. It would not let us disable some things.
Things kept getting fixed automatically as soon as we tried to break them. It
was weird."
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
