Got Malware? New Threat Can't Be Removed Without Breaking Hard Drive

If Kaspersky Lab is right about the Equation Group, this sophisticated threat actor has developed the most highly advanced malware to date.

Last year was hugely significant for cyber security, thanks to Sony's security breach that may or may not have been tied to North Korea. Believe it or not, that was an isolated event that most people don't need to worry about - but the security firm Kaspersky Lab may have found a far more concerning threat. In a report released Monday, Kaspersky presented evidence that a highly sophisticated threat actor it calls "the Equation Group" has been compromising computer networks as far back as 1996. If true, the Equation Group has been targeting countries like Iran and Russia with remarkably advanced malware platforms, including one that rewrites a hard drive's firmware and so cannot be removed by wiping or reformatting the disk; the only sure fix is to get rid of the drive.

"The Equation group uses multiple malware platforms, some of which surpass the well-known 'Regin' threat in complexity and sophistication," the report reads. "The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen."

Kaspersky Lab named the actor Equation for "their love of encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations". A key thread tying the group's otherwise separate malware platforms together is a shared, distinctive implementation of the RC5 encryption algorithm, although more recent modules use RC6, RC4 and AES as well. Unlike malware that simply spreads across the globe, Equation's malware has a far narrower scope with very specific targets. The malware even includes a "self-destruct mechanism" that wipes out the infection on command, which also prevents Kaspersky from knowing the full scope of Equation's past operations.
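
A worked illustration of why a shared cipher implementation is such a strong link between otherwise unrelated samples. This is an added example, not code from the Kaspersky report or from the malware itself: a small RC5-32/12/16 implementation (checked against Rivest's published test vector) next to a byte scan for RC5's key-schedule constants P32 and Q32, which is how YARA-style fingerprints for compiled crypto code work. The negated form of Q32 is included as an assumed variation (code that subtracts the constant instead of adding it), not as a claim about the Equation samples, and the "binary" being scanned is a constructed byte string.

```python
"""RC5-32/12/16 reference implementation plus a constant scan.

Added example for this article; not code from the Kaspersky report or the
Equation samples. P32/Q32 are the standard RC5 key-schedule constants.
"""
import struct

P32 = 0xB7E15163   # odd((e - 2) * 2^32)
Q32 = 0x9E3779B9   # odd((phi - 1) * 2^32), the golden-ratio constant
MASK = 0xFFFFFFFF


def _rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def _rotr(x, n):
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK


def rc5_expand_key(key, rounds=12):
    """Standard RC5 key schedule: returns the 2*(rounds+1) subkey words."""
    t = 2 * (rounds + 1)
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):            # key bytes -> LE words
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    S = [(P32 + i * Q32) & MASK for i in range(t)]   # the fingerprintable part
    a = b = i = j = 0
    for _ in range(3 * max(t, c)):
        a = S[i] = _rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = _rotl((L[j] + a + b) & MASK, a + b)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def rc5_encrypt_block(S, block, rounds=12):
    """Encrypt one 8-byte block (two little-endian 32-bit words)."""
    a, b = struct.unpack("<II", block)
    a = (a + S[0]) & MASK
    b = (b + S[1]) & MASK
    for r in range(1, rounds + 1):
        a = (_rotl(a ^ b, b) + S[2 * r]) & MASK
        b = (_rotl(b ^ a, a) + S[2 * r + 1]) & MASK
    return struct.pack("<II", a, b)


def rc5_decrypt_block(S, block, rounds=12):
    """Inverse of rc5_encrypt_block."""
    a, b = struct.unpack("<II", block)
    for r in range(rounds, 0, -1):
        b = _rotr((b - S[2 * r + 1]) & MASK, a) ^ a
        a = _rotr((a - S[2 * r]) & MASK, b) ^ b
    return struct.pack("<II", (a - S[0]) & MASK, (b - S[1]) & MASK)


# --- fingerprinting: the constants any compiled RC5 key schedule embeds ---
PATTERNS = {
    "P32_le": struct.pack("<I", P32),
    "P32_be": struct.pack(">I", P32),
    "Q32_le": struct.pack("<I", Q32),
    "Q32_be": struct.pack(">I", Q32),
    # Assumed variation: code that subtracts -Q32 (0x61C88647) instead of
    # adding Q32. The same value appears in TEA/XTEA, so it is weak alone.
    "negQ32_le": struct.pack("<I", (-Q32) & MASK),
}


def scan_for_rc5_constants(blob):
    """Return {pattern_name: [offsets]} for every constant found in blob."""
    hits = {}
    for name, pat in PATTERNS.items():
        off = blob.find(pat)
        while off != -1:
            hits.setdefault(name, []).append(off)
            off = blob.find(pat, off + 1)
    return hits


def looks_like_rc5(blob):
    """Require both P32 and some form of Q32: P32 is the RC5-specific signal,
    a Q32 hit on its own could just as well be TEA or a golden-ratio hash."""
    hits = scan_for_rc5_constants(blob)
    has_p = any(k.startswith("P32") for k in hits)
    has_q = any("Q32" in k for k in hits)
    return has_p and has_q


# Constructed sample "binary": filler, P32, filler, -Q32 (not a real file).
SAMPLE_BLOB = (b"\x90" * 16 + struct.pack("<I", P32)
               + b"\xcc" * 7 + struct.pack("<I", (-Q32) & MASK) + b"\x00" * 9)

if __name__ == "__main__":
    S = rc5_expand_key(bytes(16))
    print(rc5_encrypt_block(S, bytes(8)).hex())   # Rivest's vector: 21a5dbee154b8f6d
    print(scan_for_rc5_constants(SAMPLE_BLOB), looks_like_rc5(SAMPLE_BLOB))
```

The scan is a lead, not a verdict: Q32 is the golden-ratio constant that also turns up in TEA, XTEA and hash functions, so only the pair of constants (or, better, the surrounding key-schedule code matching between two samples) says "same RC5 implementation". That is also why a hand-modified implementation is such a good attribution marker: the standard constants still have to be there, but the way they are used is the author's signature.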

But let's say you're a key institution in one of these countries and want to get rid of Equation's malware. Good luck with that: the malware's most striking feature is a module that reprograms the hard drive's own firmware, so the infection lives below the operating system and survives even a full format of the drive. "Theoretically, we were aware of this possibility," Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, explained, "but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability."
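
What the host can actually see of a drive's firmware, as an added example that is not from the Kaspersky report or any vendor tool: the firmware revision, model and serial strings come from the ATA IDENTIFY DEVICE block, which the drive's own firmware assembles and returns. The parser below decodes that 512-byte block (the word offsets and the high-byte-first string packing follow the ATA spec) and compares it with a recorded inventory entry. On Linux the raw words can be dumped with `hdparm --Istdout /dev/sdX`; the hex-dump parser assumes a whitespace-separated list of 256 four-digit hex words, and the sample block and baseline are constructed. The caveat is the point: an implant that owns the firmware also owns these answers, so a matching revision string rules nothing out, while an unexpected change is still worth chasing.

```python
"""Decode the self-reported identity of an ATA drive and compare it with a
recorded baseline. Added example; not from the Kaspersky report or any
vendor tool. Offsets follow the ATA/ATAPI IDENTIFY DEVICE layout."""
import re
import struct

# (first word, word count): ATA strings are two ASCII chars per 16-bit
# word, first character in the HIGH byte (the reason hdparm byte-swaps).
IDENTIFY_FIELDS = {
    "serial":   (10, 10),   # words 10-19, 20 chars
    "firmware": (23, 4),    # words 23-26, 8 chars
    "model":    (27, 20),   # words 27-46, 40 chars
}


def _ata_string(words, start, count):
    raw = bytearray()
    for w in words[start:start + count]:
        raw.append((w >> 8) & 0xFF)
        raw.append(w & 0xFF)
    return raw.decode("ascii", errors="replace").strip()


def parse_identify(buf):
    """buf: the 512-byte IDENTIFY DEVICE response as little-endian words."""
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE data is exactly 512 bytes")
    words = struct.unpack("<256H", buf)
    return {name: _ata_string(words, s, n)
            for name, (s, n) in IDENTIFY_FIELDS.items()}


def words_from_hex_dump(text):
    """Assumed dump format: whitespace-separated 4-hex-digit words, as
    hdparm --Istdout prints them (non-word tokens such as the device name
    are ignored). Returns the 512-byte block parse_identify() expects."""
    words = [int(t, 16) for t in text.split()
             if re.fullmatch(r"[0-9a-fA-F]{4}", t)]
    if len(words) != 256:
        raise ValueError("expected 256 words, got %d" % len(words))
    return struct.pack("<256H", *words)


def build_identify(model, serial, firmware):
    """Construct a synthetic IDENTIFY block for testing (not a real drive)."""
    words = [0] * 256
    for name, text in (("model", model), ("serial", serial), ("firmware", firmware)):
        start, count = IDENTIFY_FIELDS[name]
        padded = text.encode("ascii").ljust(count * 2)  # space-padded like real drives
        for k in range(count):
            words[start + k] = (padded[2 * k] << 8) | padded[2 * k + 1]
    return struct.pack("<256H", *words)


def check_against_baseline(info, baseline):
    """Flag model/firmware values that differ from the inventory record for
    this serial. NOTE: every value compared here was produced by the very
    firmware under suspicion, so an empty result is not a clean bill."""
    findings = []
    for field in ("model", "firmware"):
        if info.get(field) != baseline.get(field):
            findings.append("%s: reported %r, baseline %r"
                            % (field, info.get(field), baseline.get(field)))
    return findings


# Constructed sample: a drive whose reported revision no longer matches what
# was recorded at deployment (all values are made up for this example).
SAMPLE_BLOCK = build_identify("EXAMPLE-HDD-2TB", "SN00000001", "FW1.07")
SAMPLE_BASELINE = {"SN00000001": {"model": "EXAMPLE-HDD-2TB", "firmware": "FW1.05"}}

if __name__ == "__main__":
    info = parse_identify(SAMPLE_BLOCK)
    print(info)
    print(check_against_baseline(info, SAMPLE_BASELINE[info["serial"]]))
```

A revision string that changed without a vendor update is the kind of anomaly worth escalating; a revision string that matches proves only that the firmware answered the way it was asked to. Verifying the code that actually runs on the drive needs vendor tooling or reading the flash directly, which is exactly why Kaspersky's finding is so uncomfortable.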

Perhaps the strangest part is that Equation goes well beyond web-based exploits: it can intercept and replace physical media before it ever reaches the target's computer. In one case, participants in a scientific conference in Houston were mailed a CD-ROM of the conference proceedings. The disc that reached at least one attendee had been tampered with in transit, apparently without the knowledge of the conference organizers, and delivered malware to the participant's computer.

The group has targeted key institutions in multiple countries, the most frequent being Iran, Russia, Pakistan, Afghanistan, India, China, Syria, and Mali. Meanwhile, countries like the United States, Great Britain, and France have been targeted with lower infection rates. Breached institutions tend to include government and diplomatic bodies, telecommunications, military, aerospace, energy, transportation, cryptographic research, and even Islamic scholars and activists.

Equation's malware bears some resemblance to the Regin malware discovered in 2012, but Kaspersky doesn't believe the two to be connected: some computers contained both Regin and Equation malware, leading the researchers to believe they were developed by two different groups. The full report contains more details, but it certainly makes a strong case that, for once, the Equation Group might be the supervillain wizards Hollywood keeps assuming hackers are.

Source: Kaspersky Lab, via PC World

So what I've gotten from this is that this malware seems to be only deployed on high-profile/government targets and not the average person's computer.

Sorta off topic, but how close are we to entering the potential cyberpunk future? Seriously, I'm starting to think that it is happening within the next decade or so.

Michael Tabbut:
So what I've gotten from this is that this malware seems to be only deployed on high-profile/government targets and not the average person's computer.

Sorta off topic, but how close are we to entering the potential cyberpunk future? Seriously, I'm starting to think that it is happening within the next decade or so.

Short of common cyberware, we are already there.

NSA, CIA, or the Illuminati.

Sigh, time to update my decking skill again.

Michael Tabbut:
So what I've gotten from this is that this malware seems to be only deployed on high-profile/government targets and not the average person's computer.

Pretty much this. Whoever deployed this is not interested in your porn, and probably just self-destructs your copy in a gentlemanly fashion.

cjbos81:
NSA, CIA, or the Illuminati.

NSA is SIGINT, CIA is HUMINT. Therefore it is the NSA (or some other nation's equivalent), some really advanced third party (unlikely), or the Illuminati. :P

Naqel:

Michael Tabbut:
So what I've gotten from this is that this malware seems to be only deployed on high-profile/government targets and not the average person's computer.

Pretty much this. Whoever deployed this is not interested in your porn, and probably just self-destructs your copy in a gentlemanly fashion.

and their high-value targets are not in North America/Europe, so we have less to worry about from them, plus the aforementioned kill switch in their software which disables and destroys all traces of the malware.

Michael Tabbut:
So what I've gotten from this is that this malware seems to be only deployed on high-profile/government targets and not the average person's computer.

Unless they already got what they needed from you....

More seriously: Yes, casual users likely don't need to worry about this one. BUT the implication of one group quietly churning out several highly advanced malware programs over the course of two decades is pretty chilling. Especially given how the computers were infected, and that "Islamic scholars" were considered targets.

Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?
On a more serious note: Linux everybody? I know it's stupid, but the psychological effect on my safety since I installed Cinnamon on my old laptop has been massive.

Fanghawk:

Michael Tabbut:
So what I've gotten from this is that this malware seems to be only deployed on high-profile/government targets and not the average person's computer.

Unless they already got what they needed from you....

More seriously: Yes, casual users likely don't need to worry about this one. BUT the implication of one group quietly churning out several highly advanced malware programs over the course of two decades is pretty chilling. Especially given how the computers were infected, and that "Islamic scholars" were considered targets.

The group is probably affiliated with certain government agencies.

Michael Tabbut:
So what I've gotten from this is that this malware seems to be only deployed on high-profile/government targets and not the average person's computer.

Sorta off topic, but how close are we to entering the potential cyberpunk future? Seriously, I'm starting to think that it is happening within the next decade or so.

No, they're inserting it in all HDDs as they come off the production line just in case, and then 'supposedly' only activating it when in use by businesses or those who have worked directly for their governments.

Pretty much the only way around it is to build your own firmware, or go back to using FAT32 and hope nobody downgrades their malware to match you.

47_Ronin:
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?

That doesn't remove the malware as this one actually puts itself into the software built into the HDD that controls what it does and when.

47_Ronin:
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?
On a more serious note: Linux everybody? I know it's stupid, but the psychological effect on my safety since I installed Cinnamon on my old laptop has been massive.

This thing will infect Linux with the same - or even more - ease than Windows.

Thanks, I didn't want to sleep tonight anyway.

This sounds like a Liam Neeson movie I would watch. But there's always a patch/new threat from both sides.

Hmmmm... Time to consider the contingency plan I've had stored in the back of my head for a while in case this malware nonsense makes life too friggen difficult. Something that can't be nuked with a drive wipe? I don't like that.

Liam Steel:
Thanks, I didn't want to sleep tonight anyway.

Pretty much this in a nutshell. I know the odds of it happening to one of us are so damn tiny, but Jesus, this is why I hate hackers.

The target list sounds a lot like the usual targets for spying by a Western country, with Middle Eastern and Eastern Bloc countries and suspected Islamists being the top priority.

There aren't many bodies that are capable of producing such malware, and most of them are on the infected list.
Also from the report: "As an interesting note, some of the 'patients zero' of Stuxnet seem to have been infected by the EQUATION group. It is quite possible that the EQUATION group malware was used to deliver the STUXNET payload"

truckspond:

47_Ronin:
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?

That doesn't remove the malware as this one actually puts itself into the software built into the HDD that controls what it does and when.

I wasn't being serious...

insanelich:

47_Ronin:
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?
On a more serious note: Linux everybody? I know it's stupid, but the psychological effect on my safety since I installed Cinnamon on my old laptop has been massive.

This thing will infect Linux with the same - or even more - ease than Windows.

Aaaaaaand there goes that boost of confidence I needed to get through the week.

Michael Tabbut:
So what I've gotten from this is that this malware seems to be only deployed on high-profile/government targets and not the average person's computer.

Sorta off topic, but how close are we to entering the potential cyberpunk future? Seriously, I'm starting to think that it is happening within the next decade or so.

Not likely; to be honest, your typical Cyberpunk scenario from decades ago is positively utopian compared to where we are going. Most Cyberpunk fiction was based on the idea that businesses would become so powerful that they would wind up replacing or otherwise directly subverting all the global governments. A lot of it was based on the "Japanacorp" takeovers of the 1980s, which is why so many of the classic works have a heavy involvement of the Japanese and cultural trappings. That said, typically this gets into concepts like how corporations would convince governments to allow citizens to sell their votes, meaning the corporations would wind up buying your vote in exchange for corporate welfare or as a requirement of employment with the corporation. This means the corporations, not political parties, would be what determined who held power, with whatever corporation has the most money and benefits to hand out to serfs being able to cast the most votes and thus control nations. Typically these ideas involve Japan starting the fire by subverting the US government, but US and European companies fighting back and then doing the same thing to Asian countries, and the forced democratization of China and Russia ultimately forcing them into the same basic game. In some Cyberpunk concepts you have a "Corporate Council" that acts as a sort of UN to prevent territorial disputes from getting out of control. The "punk" aspects of this kind of thing usually come about from people caught in the cracks of the system rebelling 1980s style, in some cases there being very big cracks when the powers that be conspire to limit citizenships so they can fix the power structure by not having new votes coming into the system, or risking that increasingly larger generations of people might not sell their votes and could potentially organize and present a threat. Of course this is just one basic type of idea; there are many.

I think on a lot of levels this kind of speculative fiction made enough people aware of the basic idea (turning corps into stock villains in record time) that most of the pitfalls have been averted. The problem is that this has left us with a regular structure of nations balanced over a powder keg, and a world where very little can be done by anyone. See, in a Cyberpunk concept things are actually pretty decent for most of humanity, oddly enough, as your average "prole" lives in a corporate enclave and has corporations advancing science while finding new and innovative ways to keep their serfs happy and passive. It mostly sucks if you're one of the people rebelling against that system or who fell through the cracks without citizenship or whatever. Your typical protagonist or PC in an RPG is someone who usually jumps into the cracks intentionally to sell their services as a highly paid mercenary and then gets into crap in the various shadow wars people usually don't see. In the current environment governments seem mostly concerned about suppressing technology as much as they can, and generally don't give a crap about anyone; in Cyberpunk the Corporations had to buy your votes to wield power, in reality it doesn't work that directly and you don't generally ever see any benefit from anything you do.

We lack, and will probably never have the way things work now, any kind of consumer neural interface technology for computers. Something like augmentative cyberware is something the governments would never even consider allowing on the market. Heck, most places won't even let you have a primitive jet pack or personal gyrocopter. As amusing as hackers might be, at the end of the day the internet is primitive enough that the most they can do is harass people and slow them down when it comes to the big issues. To resolve anything you actually need to put boots on the ground and actually do something, and given the reluctance to do that, it means that no matter what hackers do, nations that are intent on, say, developing WMD are probably going to succeed.

All sarcasm aside, at the end of the day I think we will neither wind up doomed like "1984" or "Cyberpunk Fiction" but rather wind up in a miserable dystopia far worse than any of them, without even the creativity those visions showed.

47_Ronin:
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?
On a more serious note: Linux everybody? I know it's stupid, but the psychological effect on my safety since I installed Cinnamon on my old laptop has been massive.

Enjoy your false sense of security. Linux security is basically security through obscurity, which really isn't security at all, just a reflection of the fact that the majority of people writing dubious code can't be bothered to target you.

Anyway, I'm surprised it's possible to get at the firmware of a hard drive. Not unless you have access to the manufacturing facilities.

I've researched data recovery a little (pretty hard to do, because the people that know anything about it are very secretive), and as far as I can tell, you typically can't just access the firmware of a hard drive directly.
With at least some models, to mess with it at all you have to connect through a data bus separate from the primary data bus, which doesn't usually have anything connected to it while the drive is in regular use.

That said, this special interface can do very low level alterations to the drive logic, but... Still...

The USB hack scares me more though. That was demonstrated as a working model by 'white hat' hackers, but even so, its existence is truly terrifying.

Similar to this issue, they demonstrated that it's possible to infect the USB plug and play firmware. Once a USB device of any kind is infected, it automatically infects the firmware of any computer it's plugged into through the plug and play code that is essential to the core functioning of USB.

An infected computer then rewrites the firmware of every USB device connected to it, and so on...
And you can't do anything about this, because although you could 'fix' the firmware on infected computers, the nature of the exploit means you cannot prevent re-infection. There is no way of rewriting the firmware in a way that would prevent this issue, because it would cripple a basic function of USB...
Leaving all USB devices permanently vulnerable to this exploit...

No examples in the wild, but...

Anyway, security flaws can be pretty scary if you think about them...

How/Why is this a new thing?
If I know anything about IT related stuff, everything is easy but there is just a fuckton of easy stuff you need to know if you want to understand anything. Why has nobody bothered making malware hook into the firmware before? Surely if its possible at all it can't be that hard.

On another note. When is the movie coming out? I expect abandoned buildings, car chases, explosions, attractive 20-25 year old vigilante hackers being endlessly pursued by a pair of attractive male and female cops that have a chemistry not seen since breaking bad all ending in a final showdown of the last remaining hacker about to blow up every bit of networked hardware in existence against a cop with a broken leg crawling to her gun in order to avenge her critically wounded partner.
And it will be called "Gun Code"

There's a lot of blogspam and middling articles about this, but if you'd like one of the better-researched ones that doesn't require an in-depth knowledge of info-sec technology, then check out Ars Technica's: http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

It's pretty much exactly what you think: this is almost certainly the work of the NSA's TAO division, likely acting in concert with Israeli agents on some operations (i.e. Flame, Stuxnet, etc.). The Snowden revelations provide confirmation of some codenames for particular tools observed by Kaspersky, such as IRATEMONK, which describes the firmware-resident backdoor nearly exactly: https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html

Trippy Turtle:
How/Why is this a new thing?
If I know anything about IT related stuff, everything is easy but there is just a fuckton of easy stuff you need to know if you want to understand anything. Why has nobody bothered making malware hook into the firmware before? Surely if its possible at all it can't be that hard.

On another note. When is the movie coming out? I expect abandoned buildings, car chases, explosions, attractive 20-25 year old vigilante hackers being endlessly pursued by a pair of attractive male and female cops that have a chemistry not seen since breaking bad all ending in a final showdown of the last remaining hacker about to blow up every bit of networked hardware in existence against a cop with a broken leg crawling to her gun in order to avenge her critically wounded partner.
And it will be called "Gun Code"

This is anything but easy.

This is the kind of stuff that requires access to secret source code, which basically requires you to either have actual physical spies infiltrating the manufacturing facilities or secret courts ordering you receive that code and issuing a gag order to the companies who have to hand it over.

Long story short, doing something like this requires a significant chunk of money.

truckspond:

47_Ronin:
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?

That doesn't remove the malware as this one actually puts itself into the software built into the HDD that controls what it does and when.

That is the only way such a thing could work.
But wasn't such software supposed to be hard coded?
At least I assumed that basic hardware controlling software was hard coded into said hardware.

Because the only other alternative is that it is a hardware issue.
And then we have REAL problem.

47_Ronin:
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?
On a more serious note: Linux everybody? I know it's stupid, but the psychological effect on my safety since I installed Cinnamon on my old laptop has been massive.

You can't be serious. The Linux kernel has more security holes than Swiss cheese.

http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-7/cvssscoremax-7.99/Linux-Linux-Kernel.html

The only reason this isn't a bigger consumer problem is because nobody uses Linux to begin with.

blackrave:

truckspond:

47_Ronin:
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?

That doesn't remove the malware as this one actually puts itself into the software built into the HDD that controls what it does and when.

That is the only way such a thing could work.
But wasn't such software supposed to be hard coded?
At least I assumed that basic hardware controlling software was hard coded into said hardware.

Because the only other alternative is that it is a hardware issue.
And then we have REAL problem.

What do you mean with hardcoded?

TomWiley:

blackrave:

truckspond:

That doesn't remove the malware as this one actually puts itself into the software built into the HDD that controls what it does and when.

That is the only way such a thing could work.
But wasn't such software supposed to be hard coded?
At least I assumed that basic hardware controlling software was hard coded into said hardware.

Because the only other alternative is that it is a hardware issue.
And then we have REAL problem.

What do you mean with hardcoded?

Probably meaning that the firmware for the disk drive should be "read only". But you run into problems with that if the hardware ends up with a problem that can only be solved by a firmware update- which happened to a certain line of Seagate drives in 2009.

Huh, I wondered what happened to Starforce after they went out of the gaming industry.

Well, it looks like Steve Gibson will have a new project when he finishes SpinRite 7 (6 is still the best, most effective, and wallet-friendly data recovery tool on the planet). It could be that he might just make the removal of the malware a function of SpinRite in the future, since it works at the most basic levels of the HDD/SSD. But things like this remind me of the need to get back on GRC and start listening to the Security Now! podcast on a regular basis.

I'm rather confident that this isn't from a government, or the Illuminati (a conspiracy theorist favorite). Independent hacker sources are so much more advanced than governments tend to be, and a lot of hackers like these work in the software industry. The fact that we just discovered these makes me wonder how many more like them there are. How many more malware sources like these have we not discovered?

CrystalShadow:
Enjoy your false sense of security. Linux security is basically security through obscurity, which really isn't security at all, just a reflection of the fact that the majority of people writing dubious code can't be bothered to target you.

You're only partly correct. The other side is that Linux is constantly worked on by people all over the place, mostly volunteers, who constantly update the security features, and plug back doors.

CrystalShadow:
Anyway, I'm surprised it's possible to get at the firmware of a hard drive. Not unless you have access to the manufacturing facilities.

The thing is that firmware can be flashed with updates and such. You can go and flash your BIOS firmware today if there is an update available for it.

CrystalShadow:
I've researched data recovery a little (pretty hard to do, because the people that know anything about it are very secretive), and as far as I can tell, you typically can't just access the firmware of a hard drive directly.
With at least some models, to mess with it at all you have to connect through a data bus separate from the primary data bus, which doesn't usually have anything connected to it while the drive is in regular use.

That said, this special interface can do very low level alterations to the drive logic, but... Still...

Most of the people who say they know anything about data recovery are generally full of it. Since even a good deal of professional recovery places use SpinRite. That being said you can access firmware generally fairly easily if you know what you're doing.

The low level can actually be surprisingly dangerous, even tiny amounts of code can make surprisingly massive changes.

CrystalShadow:
The USB hack scares me more though. That was demonstrated as a working model by 'white hat' hackers, but even so, its existence is truly terrifying.

Similar to this issue, they demonstrated that it's possible to infect the USB plug and play firmware. Once a USB device of any kind is infected, it automatically infects the firmware of any computer it's plugged into through the plug and play code that is essential to the core functioning of USB.

An infected computer then rewrites the firmware of every USB device connected to it, and so on...
And you can't do anything about this, because although you could 'fix' the firmware on infected computers, the nature of the exploit means you cannot prevent re-infection. There is no way of rewriting the firmware in a way that would prevent this issue, because it would cripple a basic function of USB...
Leaving all USB devices permanently vulnerable to this exploit...

No examples in the wild, but...

Anyway, security flaws can be pretty scary if you think about them...

They can be, but knowing basic ways to keep yourself secure can really help. One of which is blocking JavaScript; not trying to incur mod wrath here, just stating a security fact.

Considering how good these guys are and the main targets...

I'm going to go out on a limb here and guess "CIA" or "Whoever the Israeli government gives Cyber attack jobs to" is the mastermind.

I know this was supposed to scare me, but I'm pretty sure they won't give a shit about me, so I don't have to worry. If this was a troll group, I might have been scared, but they seem to only target things reported in the news as an international threat.

Now if 4chan somehow figured that shit out, I would be piss scared.
