From reading the facts in the article, it seems totally unrealistic. Post some dumps of executables, network packets or SOMETHING besides a story.
Honestly, this type of paranoia sounds more like someone on the brink of a breakdown. Can you imagine spending years working on this and still having no 'data' about it? If it's infecting stuff from this USB drive, just post the contents of the drive for analysis.
He has posted files he said were infected. All of these files were clean files from a Windows 8/8.1 install, signed by MS, unmodified.
Of course, no recording of HF audio communication channels, no USB drive "ROM" dump, no hard drive controller ROM dump, no BIOS dump, no PCI card BIOS dump, no USB analyzer data, no really infected file. The excuse he uses is "the files become clean when I put them on a CD!".
Indeed, while not technically impossible (and given Stuxnet is out there, not even highly improbable), this description sounds like the guy has paranoid and/or schizophrenic delusions.
Recurring themes among those are "they've replaced my possessions/tools/utensils/clothes with ones that look identical but allow them to control/monitor me, and they change them back when I try to show anyone". And to them, it all makes perfect sense.
Again, not saying such malware does not exist - I suspect something similar does (though maybe not as widely cross platform). However, I think that this is an account of a serious PEBKAC problem, rather than malware.
The confirmation of the USB vector also makes the title of the article redundant. Any malware spread by USB will "jump airgaps".
The possibility that compromised machines communicate via audio is interesting in its own right, but the wording of the title, combined with the opening few paragraphs, allows for the suspicion that the malware is spread to uncompromised hosts via audio, which is of course not happening.
The article as a whole is unsatisfying. It makes the research into this malware seem completely inadequate.
I think the point is that USB vectors allow the malware to jump the airgap, but not reliably: maybe it puts some data on a USB stick and jumps it back, but for the most part, once it is behind the airgap, it will only do what it's programmed to do.
Being able to communicate via ultrasound means that if you have an infection on two computers on either side of an airgap, in close proximity, the theoretically isolated computer can be sent instructions from a C&C server and can send data back at will.
I'm not commenting on the legitimacy of the story, but either technique in isolation is of limited use; combined, however, they can be a lot more effective.
Pretty sure it won't just be the mass storage device contents that are causing the problems. More like the USB driver supplied by the stick when plugged in does the infecting. And you don't see that when you download the stick's contents.
USB devices don't provide their own drivers. Your methods for infection are either filesystem exploits, or changing the firmware of the drive to send invalid/exploitative USB traffic.
Not so fast - many "exotic" devices (3G/LTE modems, some HID controllers, older U3 USB sticks, even some medical devices!) ship "virtual" USB CD-ROM drives with software and drivers.
... None of these auto-install on Mac OS X or Linux, and not even on Windows since Windows 7 SP1, if I am not mistaken. So, no, this cannot be the reason for the symptoms listed by dragos.
I don't think Windows has ever automatically installed drivers. It would automatically run a program as the current user, but again that's only for CD drives, virtual or not, and nothing stops you from supplying your own drivers for the hardware.
But you can always additionally simulate a keyboard. I've heard unconfirmed statements about some devices actually going that route to install their driver and/or associated crapware.
Wow. And still worse, the device can, due to timing attacks or just plain characteristics in the device requests, also determine the likely platform of the host (BIOS, Linux, Windows, Mac OS X, ...) and thus react to the content.
And if you don't exactly hit the conditions the malware is supposed to expose itself, you have no way to read out the EEPROM inside the flash controller. The data chips maybe, but the controller chip of a USB stick is an entirely different thing.
But the USB device gives a descriptor list stating the endpoints etc. to the host. Using buffer overflows in the USB stack was how the PlayStation got breached, after all.
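The descriptor list mentioned in the comment above is also what a host can inspect before it binds any driver, which is the defensive side of the same fact. The following is an added example (not code from any commenter in this thread) of a host-side check: it walks a configuration descriptor blob as returned by GET_DESCRIPTOR, lists the interfaces and endpoints each interface declares, and flags a "flash drive" that additionally presents a HID (keyboard) or vendor-specific interface, the composite trick discussed earlier in the thread. The two descriptor blobs are constructed sample data, and the allow-list policy (`is_plain_storage_stick`) is a hypothetical one for illustration, not any operating system's actual policy.

```python
import struct
from dataclasses import dataclass, field

# Descriptor type codes and interface class codes from the USB 2.0 specification
USB_DT_CONFIG = 0x02
USB_DT_INTERFACE = 0x04
USB_DT_ENDPOINT = 0x05
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
CLASS_VENDOR = 0xFF


@dataclass
class Interface:
    number: int
    if_class: int
    subclass: int
    protocol: int
    # (endpoint number, "IN"/"OUT", transfer type: 0=control 1=iso 2=bulk 3=interrupt)
    endpoints: list = field(default_factory=list)


def parse_config_descriptor(blob: bytes) -> list[Interface]:
    """Walk a configuration descriptor and everything that follows it using each
    entry's bLength. Unknown descriptor types (HID class descriptors, interface
    associations, ...) are skipped; a malformed or truncated blob raises."""
    if len(blob) < 9 or blob[0] != 9 or blob[1] != USB_DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]  # wTotalLength, little-endian
    if total > len(blob):
        raise ValueError(f"wTotalLength {total} exceeds the {len(blob)} bytes supplied")
    interfaces: list[Interface] = []
    off = 0
    while off + 2 <= total:
        b_len, b_type = blob[off], blob[off + 1]
        if b_len < 2 or off + b_len > total:
            raise ValueError(f"bad bLength {b_len} at offset {off}")
        if b_type == USB_DT_INTERFACE and b_len >= 9:
            # bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            interfaces.append(Interface(blob[off + 2], blob[off + 5], blob[off + 6], blob[off + 7]))
        elif b_type == USB_DT_ENDPOINT and b_len >= 7 and interfaces:
            addr, attrs = blob[off + 2], blob[off + 3]
            direction = "IN" if addr & 0x80 else "OUT"
            interfaces[-1].endpoints.append((addr & 0x0F, direction, attrs & 0x03))
        off += b_len
    return interfaces


def storage_only_findings(interfaces: list[Interface]) -> list[str]:
    """Reasons why this device is NOT just a plain mass-storage stick."""
    classes = {i.if_class for i in interfaces}
    findings = []
    if CLASS_MASS_STORAGE not in classes:
        findings.append("no mass-storage interface at all")
    if CLASS_HID in classes:
        findings.append("also presents a HID interface (a 'flash drive' that can type)")
    if CLASS_VENDOR in classes:
        findings.append("also presents a vendor-specific interface (wants its own driver)")
    extra = sorted(classes - {CLASS_MASS_STORAGE, CLASS_HID, CLASS_VENDOR})
    if extra:
        findings.append("also presents other classes: " + ", ".join(f"0x{c:02X}" for c in extra))
    return findings


def is_plain_storage_stick(blob: bytes) -> bool:
    """Hypothetical allow-list policy: bind only if nothing but mass storage is declared."""
    return not storage_only_findings(parse_config_descriptor(blob))


# Constructed sample: an ordinary stick, one bulk-only SCSI mass-storage interface.
PLAIN_STICK = bytes([
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,  # config, wTotalLength=32, 1 iface
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,  # iface 0: MSC / SCSI / bulk-only
    0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00,              # EP1 IN, bulk, 512 bytes
    0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00,              # EP2 OUT, bulk, 512 bytes
])

# Constructed sample: same stick plus a second interface claiming to be a boot keyboard.
COMPOSITE_STICK = bytes([
    0x09, 0x02, 0x39, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32,  # config, wTotalLength=57, 2 ifaces
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00,
    0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00,
    0x09, 0x04, 0x01, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00,  # iface 1: HID / boot / keyboard
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00,  # HID class descriptor (skipped)
    0x07, 0x05, 0x83, 0x03, 0x08, 0x00, 0x0A,              # EP3 IN, interrupt, 8 bytes
])

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_STICK), ("composite", COMPOSITE_STICK)):
        ifaces = parse_config_descriptor(blob)
        print(name, "->", "allowed" if is_plain_storage_stick(blob) else "blocked")
        for i in ifaces:
            print(f"  iface {i.number}: class 0x{i.if_class:02X} endpoints {i.endpoints}")
        for f in storage_only_findings(ifaces):
            print("  !", f)
```

The point of driving the decision from the descriptors rather than from the files on the volume is the one made several comments up: the filesystem contents are the one thing a reprogrammed controller does not need to touch. A policy like this cannot see a firmware-level exploit of the host's USB stack, but it does deny the much cheaper "storage device that also types" route without any driver being loaded for the extra interface.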
And we all know that USB sticks (or, rather their flash chips) can be reprogrammed at will. USBest, I'm looking at you. (See also flashboot.ru, the stuff you can do with these tools is amazing.)
If this malware is actually real, then exploiting a large variety of different USB stacks (whether it's done via the BIOS or OS stack) seems implausible. Maybe the flashed USB stick either:
1) Hides a bootloader on the device that runs at reboot (assuming the BIOS allows it).
2) Pretends to be some kind of device (that most OSes have stock drivers for) that allows it to access main memory. Maybe it pretends to be a USB to FireWire bridge (or something similar that gives it DMA).
Oh, it's just three or four USB stacks you have to mess up: 1) Windows (hey, they've found bugs exploitable in every Windows from 95/98 up to 7!), 2) Linux, 3/4) Phoenix/Award BIOS.
Assuming a government is the adversary (and we ALL know that the NSA sits on a very comprehensive list of exploits!), then this part is actually the easiest.
It's not just four stacks (or more, because the article also mentions Apple Macs and BSD) that you have to "mess up". You also have to mess them up in such a way that you can exploit them without a disk even being mounted. That four/five/six stacks are all exploitable to this extent because of buffer overruns (or similar) seems implausible.
If that's the suspicion, then use an exotic platform to dump whatever the drive is doing. I know a guy who got USB mass storage devices working from a Zilog Z80 based calculator. I doubt an arbitrary USB malware is going to be clever enough to effectively subvert an arbitrary homemade USB stack on a (these days) obscure arch.