Author Topic: Destroying your hard drive is the only way to stop this super-advanced malware (Read 27930 times)

Renegade · « **on:** February 17, 2015, 07:36 PM »

This looks like some pretty nasty, nasty stuff.

http://www.pcworld.c...hit-iran-russia.html

A cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia, utilizing a startlingly advanced form of malware that is impossible to remove once it's infected your PC.

Kaspersky Lab released a report Monday that said the tools were created by the “Equation” group, which it stopped short of linking to the U.S. National Security Agency.

The tools, exploits and malware used by the group—named after its penchant for encryption—have strong similarities with NSA techniques described in top-secret documents leaked in 2013.

Countries hit the most by Equation include Iran, Russia, Pakistan, Afghanistan, India and China. Targets in those countries included the military, telecommunications, embassies, government, research institutions and Islamic scholars, Kaspersky said.

Kaspersky’s most striking finding is Equation’s ability to infect the firmware of a hard drive, or the low-level code that acts as an interface between hardware and software.

The malware reprograms the hard drive’s firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn’t affect it, and the hidden storage sector remains.

“Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, in a phone interview Monday.

There was a security researcher a year or so ago that released details on this (but on mobile platforms) or something similar, but I forget who or where I saw it. Does anyone else remember?

It's pretty simple at a high level -- secret sectors are created, then hidden as bad sectors or something.

I'm not sure if this is basically the same thing or if it's different. It seems different, but my memory is a tad fuzzy. I think the other one was for Flash Nand memory only.

vortext · « **Reply #1 on:** February 17, 2015, 09:25 PM »

This is very different. This is a weapons grade piece of malware. A real game changer for everyone. It is sophisticated enough that it smells of very high level government involvement. Many think it is the Unites States NSA working through a shady group that has eluded security researchers for many years. Researchers call them The Equation Group.

The article you want to read to learn more about this is on ArsTechnica:

http://arstechnica.c...-were-found-at-last/

It is very saddening news.

mouser · « **Reply #2 on:** February 17, 2015, 09:37 PM »

Fascinating reading.

Renegade · « **Reply #3 on:** February 17, 2015, 09:47 PM »

This is very different. This is a weapons grade piece of malware. A real game changer for everyone. It is sophisticated enough that it smells of very high level government involvement. Many think it is the Unites States NSA working through a shady group that has eluded security researchers for many years. Researchers call them The Equation Group.

The article you want to read to learn more about this is on ArsTechnica:

http://arstechnica.c...-were-found-at-last/

It is very saddening news.
-vortext (February 17, 2015, 09:25 PM)

After reading that... Just. Wow. That's beyond impressive.

Vurbal · « **Reply #4 on:** February 17, 2015, 10:06 PM »

A government sponsored team of super hackers - what could possibly go wrong?

Renegade · « **Reply #5 on:** February 18, 2015, 06:47 AM »

A government sponsored team of super hackers - what could possibly go wrong?
-Vurbal (February 17, 2015, 10:06 PM)

Hahaha!

Yeah, pretty much exactly that.

Can anyone say "mission creep"?

Vurbal · « **Reply #6 on:** February 18, 2015, 07:07 AM »

On the "good" side, we may get to see our first real world Bond villains.

wraith808 · « **Reply #7 on:** February 18, 2015, 07:21 AM »

On the "good" side, we may get to see our first real world Bond villains.
-Vurbal (February 18, 2015, 07:07 AM)

But having Bond villains without Bond seems a tad bit counterproductive.

Vurbal · « **Reply #8 on:** February 18, 2015, 07:36 AM »

On the "good" side, we may get to see our first real world Bond villains.
-Vurbal (February 18, 2015, 07:07 AM)

But having Bond villains without Bond seems a tad bit counterproductive.
-wraith808 (February 18, 2015, 07:21 AM)

You're just not thinking enough like a spook. And no, I can't believe I wrote that either.

Maybe the creation of a new superspy agency was their long game from the beginning.

Step 1: Create a team of top secret super hackers
Step 2: Wait for them to go rogue and start SMERSH
Step 3: Use it as an excuse to build a new army of super agents

That's convoluted and asinine enough to be believable. It does, however, have one major flaw. Nobody in the intelligence business thinks that far ahead. Technically, you could say we have no intelligence agencies - just counter intelligence, and only in the most literal sense.

SeraphimLabs · « **Reply #9 on:** February 18, 2015, 07:57 AM »

Cast it into the fire!
Destroy it!

Microsoft!

Yeah I can see this going horribly wrong within a few years. Its like antibiotic resistance, suddenly the standard treatments for common problems no longer apply.

People are probably going to die because of this

Even if not directly, if extreme care is not taken in programming the payload selection it could disturbingly easily case serious damage to critical infrastructure and lead to widespread public utility failures and panic.

Renegade · « **Reply #10 on:** February 18, 2015, 08:06 AM »

That's convoluted and asinine enough to be believable. It does, however, have one major flaw. Nobody in the intelligence business thinks that far ahead. Technically, you could say we have no intelligence agencies - just counter intelligence, and only in the most literal sense.
-Vurbal (February 18, 2015, 07:36 AM)

BWAHAHAHAHAAH~!

Yep. Pretty much!

wraith808 · « **Reply #11 on:** February 18, 2015, 08:43 AM »

That's convoluted and asinine enough to be believable. It does, however, have one major flaw. Nobody in the intelligence business thinks that far ahead. Technically, you could say we have no intelligence agencies - just counter intelligence, and only in the most literal sense.
-Vurbal (February 18, 2015, 07:36 AM)

BWAHAHAHAHAAH~!

Yep. Pretty much!

-Renegade (February 18, 2015, 08:06 AM)

What renegade said. And I bow to the master. I mean... master of intelligence. I mean... counter to the counter-intelligence.

Vurbal · « **Reply #12 on:** February 18, 2015, 08:54 AM »

^ I resemble that remark.

vortext · « **Reply #13 on:** February 18, 2015, 09:31 AM »

Yes. Mr. Bond and all. But will Americans still be making jokes about this five years from now ? Two years before when I arrived here for school I thought I would like to stay. I am less sure I want to now. What is done by some in your country good name is terrible. And most here wish to not know about this if they can. I have concerns about saying things like this since I am a guest here. I did not feel that way before. Your game has changed for all of you. And my self too.

wraith808 · « **Reply #14 on:** February 18, 2015, 10:45 AM »

Yes. Mr. Bond and all. But will Americans still be making jokes about this five years from now ? Two years before when I arrived here for school I thought I would like to stay. I am less sure I want to now. What is done by some in your country good name is terrible. And most here wish to not know about this if they can. I have concerns about saying things like this since I am a guest here. I did not feel that way before. Your game has changed for all of you. And my self too.
-vortext (February 18, 2015, 09:31 AM)

Hello Mr. Vortext. Let me introduce you to Mr Basement. It's an unsavory place, but we discuss such concerns there over your favorite alcoholic beverage (to numb the pain).

I've found it's best only to visit... and not to stay (per the Read In in that section). But it is useful for discussion, though some choose not to go there as this isn't the purpose they visit DC for (or other ... reasons).

You're always welcome, however- here and there.

(and as an aside, sometimes, humor is the only medicine for such truths)

Stoic Joker · « **Reply #15 on:** February 18, 2015, 11:21 AM »

(and as an aside, sometimes, humor is the only medicine for such truths)
-wraith808 (February 18, 2015, 10:45 AM)

Yeah...humor, whistling in the dark, and substance 'abuse' are pretty much the top 3 coping mechanisms available.

Giampy · « **Reply #16 on:** February 18, 2015, 02:26 PM »

"It seems Uhuru was able to detect the new malwares from the Equation Group":

http://www.wildersse...373527/#post-2460507

Deozaan · « **Reply #17 on:** February 18, 2015, 02:44 PM »

While it's simple for end users to re-flash their hard drives using executable files provided by manufacturers, it's just about impossible for an outsider to reverse engineer a hard drive, read the existing firmware, and create malicious versions.
-http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

This may be due to my own ignorance on these matters, but I don't understand their claims about it being nearly impossible to be able to read the hard drive firmware and figure it out. People have hacked other "black boxes" by poking and prodding, reverse engineered them, and then written custom code to run on them. What makes hard drive firmwares so different from anything else?

Vurbal · « **Reply #18 on:** February 18, 2015, 02:46 PM »

While it's simple for end users to re-flash their hard drives using executable files provided by manufacturers, it's just about impossible for an outsider to reverse engineer a hard drive, read the existing firmware, and create malicious versions.
-http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

This may be due to my own ignorance on these matters, but I don't understand their claims about it being nearly impossible to be able to read the hard drive firmware and figure it out. People have hacked other "black boxes" by poking and prodding, reverse engineered them, and then written custom code to run on them. What makes hard drive firmwares so different from anything else?
-Deozaan (February 18, 2015, 02:44 PM)

Because the OS normally doesn't provide low level access to drive hardware to even an administrative user.

mouser · « **Reply #19 on:** February 18, 2015, 03:10 PM »

Because the OS normally doesn't provide low level access to drive hardware to even an administrative user.

It's not just that -- if the malware tampers with the HARD DRIVE FIRMWARE, it can essentially make the hard drive return fake data, etc. Even with the lowest level access to the hard drive, the hard drive firmware can hide any changes. The only way to fix would be to reflash the hard drive firmware -- and it may very well be that the firmware changes make reflashing impossible via software.

superboyac · « **Reply #20 on:** February 18, 2015, 03:11 PM »

Is this the sort of thing UEFI can protect against?

Stoic Joker · « **Reply #21 on:** February 18, 2015, 03:25 PM »

Is this the sort of thing UEFI can protect against?
-superboyac (February 18, 2015, 03:11 PM)

No.

SeraphimLabs · « **Reply #22 on:** February 18, 2015, 03:33 PM »

There is no defense against this.

Its like a rootkit- that once it gets into your hard drive the only way out is to replace the drive controller with a known-good version and then very carefully salvage data without letting the virus be reactivated.

Hackers may have gone too far with this.

Fortunately its not something a casual hacker could do. You would have to use a special operating system or embedded system debugging tools to access the drive at the lowest possible levels to create the malware, and then have the task of delivering it to the target to infect the new hard drive without the OS noticing.

x16wda · « **Reply #23 on:** February 18, 2015, 08:10 PM »

the task of delivering it to the target to infect the new hard drive without the OS noticing
-SeraphimLabs (February 18, 2015, 03:33 PM)

like... packaging it as a critical update from the drive manufacturer... which we regularly install on customer equipment...

Curt · « **Reply #24 on:** February 19, 2015, 10:45 AM »

"It seems Uhuru was able to detect the new malwares from the Equation Group"
-Giampy (February 18, 2015, 02:26 PM)

At first this Uhuru sounds fine:

Uhuru anti-malware designed for companies or public entities is now available either through direct contact with Nov'IT or via the French UGAP catalog.
A free version designed for individuals will be offered in 2015

but then they add this paragraph:

For the release of Uhuru anti-malware, Nov'IT makes a special offer designed for compagnies or public entities.
The offer includes a life-time license (minor software updates, major software upgrades, current or future releases).
This is a special and unique offer.
Minimum order size: 50,000 licenses.

^ eh... the beginning is good, isn't it: "lifetime keys". Wow!
but then they go on, don't they: "purchase and install at least 50,000 copies of our unknown software"?

Didn't a lot of "creative" Russians move to France? I am not sure if I dare to trust this Uhuru!

Well, I know nothing. Uhuru may be fine and just what the Doctor ordered.