Sniffing Out Malware’s EM Emissions With A Raspberry Pi?

Well, And A $10,000 Oscilloscope

The idea of sniffing out infected kit by monitoring their EM emissions seems to be a bit beyond what we can achieve at this point, however it seems that this ability is something we may see in the near future thanks to some rather inventive researchers.  They hooked up a 1GHz Picoscope 6407 USB oscilloscope, a Langer PA-303 amplifier and a Langer RF-R H-Field probe to the BCM2837 processor found in a Raspberry Pi 2B and then purposefully infected the RasPi to monitor the EM emissions.

Their tests included such old favourites as bashlite, mirai, gonnacry, keysniffer, and maK_it; the activity of which they monitored and recorded.  They also recorded the EM emissions generated by apps such as mpg123, wget, tar, more, grep, and dmesg which would also produce fair sized emissions, to compare the difference in signalling.

Once they collected all the data, they cleaned up the spectrograms and fed them to a neural network built to classify the captured EM signatures.  After running through numerous iterations, they were indeed able to train the network to recognize not only the difference in emissions between a valid process and a malicious one, they could discern which malware was infecting the machine.  

The code is available on GitHub, linked to by Hackaday, however it was written for that $10,000 Picoscope 6407 so the hardware requirements may prove a challenge if you want to try this out yourself.   As this technique matures the hardware required will hopefully be extended to less expensive kit.  Hopefully the next step for the bad guys is not to develop a piece of malware that generates an EM field capable of reprogramming a neural net to ignore it.