topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Tuesday October 8, 2024, 9:47 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Destroying your hard drive is the only way to stop this super-advanced malware  (Read 27310 times)

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
This looks like some pretty nasty, nasty stuff.



http://www.pcworld.c...hit-iran-russia.html

A cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia, utilizing a startlingly advanced form of malware that is impossible to remove once it's infected your PC.

Kaspersky Lab released a report Monday that said the tools were created by the “Equation” group, which it stopped short of linking to the U.S. National Security Agency.

The tools, exploits and malware used by the group—named after its penchant for encryption—have strong similarities with NSA techniques described in top-secret documents leaked in 2013.

Countries hit the most by Equation include Iran, Russia, Pakistan, Afghanistan, India and China. Targets in those countries included the military, telecommunications, embassies, government, research institutions and Islamic scholars, Kaspersky said.


Kaspersky’s most striking finding is Equation’s ability to infect the firmware of a hard drive, or the low-level code that acts as an interface between hardware and software.

The malware reprograms the hard drive’s firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn’t affect it, and the hidden storage sector remains.

“Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, in a phone interview Monday.

There was a security researcher a year or so ago that released details on this (but on mobile platforms) or something similar, but I forget who or where I saw it. Does anyone else remember?

It's pretty simple at a high level -- secret sectors are created, then hidden as bad sectors or something.

I'm not sure if this is basically the same thing or if it's different. It seems different, but my memory is a tad fuzzy. I think the other one was for Flash Nand memory only.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

vortext

  • Participant
  • Joined in 2015
  • *
  • default avatar
  • Posts: 3
    • View Profile
    • Donate to Member
This is very different. This is a weapons grade piece of malware. A real game changer for everyone. It is sophisticated enough that it smells of very high level government involvement. Many think it is the Unites States NSA working through a shady group that has eluded security researchers for many years. Researchers call them The Equation Group.

The article you want to read to learn more about this is on ArsTechnica:

http://arstechnica.c...-were-found-at-last/

It is very saddening news.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Fascinating reading.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
This is very different. This is a weapons grade piece of malware. A real game changer for everyone. It is sophisticated enough that it smells of very high level government involvement. Many think it is the Unites States NSA working through a shady group that has eluded security researchers for many years. Researchers call them The Equation Group.

The article you want to read to learn more about this is on ArsTechnica:

http://arstechnica.c...-were-found-at-last/

It is very saddening news.

After reading that... Just. Wow. That's beyond impressive.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
A government sponsored team of super hackers - what could possibly go wrong?
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.
« Last Edit: February 18, 2015, 06:18 AM by Vurbal »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
A government sponsored team of super hackers - what could possibly go wrong?

Hahaha! ;D

Yeah, pretty much exactly that.

Can anyone say "mission creep"? :)

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
On the "good" side, we may get to see our first real world Bond villains.  :o
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,188
    • View Profile
    • Donate to Member
On the "good" side, we may get to see our first real world Bond villains.  :o

But having Bond villains without Bond seems a tad bit counterproductive.  :tellme:

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
On the "good" side, we may get to see our first real world Bond villains.  :o

But having Bond villains without Bond seems a tad bit counterproductive.  :tellme:

You're just not thinking enough like a spook. And no, I can't believe I wrote that either.

Maybe the creation of a new superspy agency was their long game from the beginning.

Step 1: Create a team of top secret super hackers
Step 2: Wait for them to go rogue and start SMERSH
Step 3: Use it as an excuse to build a new army of super agents

That's convoluted and asinine enough to be believable. It does, however, have one major flaw. Nobody in the intelligence business thinks that far ahead. Technically, you could say we have no intelligence agencies - just counter intelligence, and only in the most literal sense.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

SeraphimLabs

  • Participant
  • Joined in 2012
  • *
  • Posts: 497
  • Be Ready
    • View Profile
    • SeraphimLabs
    • Donate to Member
Cast it into the fire!
Destroy it!

Microsoft!



Yeah I can see this going horribly wrong within a few years. Its like antibiotic resistance, suddenly the standard treatments for common problems no longer apply.

People are probably going to die because of this

Even if not directly, if extreme care is not taken in programming the payload selection it could disturbingly easily case serious damage to critical infrastructure and lead to widespread public utility failures and panic.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
That's convoluted and asinine enough to be believable. It does, however, have one major flaw. Nobody in the intelligence business thinks that far ahead. Technically, you could say we have no intelligence agencies - just counter intelligence, and only in the most literal sense.

BWAHAHAHAHAAH~!

Yep. Pretty much! :D

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,188
    • View Profile
    • Donate to Member
That's convoluted and asinine enough to be believable. It does, however, have one major flaw. Nobody in the intelligence business thinks that far ahead. Technically, you could say we have no intelligence agencies - just counter intelligence, and only in the most literal sense.

BWAHAHAHAHAAH~!

Yep. Pretty much! :D



What renegade said.  And I bow to the master.  I mean... master of intelligence.  I mean... counter to the counter-intelligence.

 ;D :Thmbsup:

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
^ I resemble that remark.  :D
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

vortext

  • Participant
  • Joined in 2015
  • *
  • default avatar
  • Posts: 3
    • View Profile
    • Donate to Member
Yes. Mr. Bond and all. But will Americans still be making jokes about this five years from now ? Two years before when I arrived here for school I thought I would like to stay. I am less sure I want to now. What is done by some in your country good name is terrible. And most here wish to not know about this if they can. I have concerns about saying things like this since I am a guest here. I did not feel that way before. Your game has changed for all of you. And my self too.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,188
    • View Profile
    • Donate to Member
Yes. Mr. Bond and all. But will Americans still be making jokes about this five years from now ? Two years before when I arrived here for school I thought I would like to stay. I am less sure I want to now. What is done by some in your country good name is terrible. And most here wish to not know about this if they can. I have concerns about saying things like this since I am a guest here. I did not feel that way before. Your game has changed for all of you. And my self too.

Hello Mr. Vortext.  Let me introduce you to Mr Basement.  It's an unsavory place, but we discuss such concerns there over your favorite alcoholic beverage (to numb the pain).

I've found it's best only to visit... and not to stay (per the Read In in that section).  But it is useful for discussion, though some choose not to go there as this isn't the purpose they visit DC for (or other ... reasons).

You're always welcome, however- here and there.  ;D

(and as an aside, sometimes, humor is the only medicine for such truths)

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
(and as an aside, sometimes, humor is the only medicine for such truths)

Yeah...humor, whistling in the dark, and substance 'abuse' are pretty much the top 3 coping mechanisms available. :D

Giampy

  • Participant
  • Joined in 2009
  • *
  • Posts: 444
    • View Profile
    • Read more about this member.
    • Donate to Member
"It seems Uhuru was able to detect the new malwares from the Equation Group":

http://www.wildersse...373527/#post-2460507
"A refrigerator without beer is like a body without soul"

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,759
    • View Profile
    • Read more about this member.
    • Donate to Member
While it's simple for end users to re-flash their hard drives using executable files provided by manufacturers, it's just about impossible for an outsider to reverse engineer a hard drive, read the existing firmware, and create malicious versions.

This may be due to my own ignorance on these matters, but I don't understand their claims about it being nearly impossible to be able to read the hard drive firmware and figure it out. People have hacked other "black boxes" by poking and prodding, reverse engineered them, and then written custom code to run on them. What makes hard drive firmwares so different from anything else?

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
While it's simple for end users to re-flash their hard drives using executable files provided by manufacturers, it's just about impossible for an outsider to reverse engineer a hard drive, read the existing firmware, and create malicious versions.

This may be due to my own ignorance on these matters, but I don't understand their claims about it being nearly impossible to be able to read the hard drive firmware and figure it out. People have hacked other "black boxes" by poking and prodding, reverse engineered them, and then written custom code to run on them. What makes hard drive firmwares so different from anything else?

Because the OS normally doesn't provide low level access to drive hardware to even an administrative user.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Because the OS normally doesn't provide low level access to drive hardware to even an administrative user.

It's not just that -- if the malware tampers with the HARD DRIVE FIRMWARE, it can essentially make the hard drive return fake data, etc.  Even with the lowest level access to the hard drive, the hard drive firmware can hide any changes.  The only way to fix would be to reflash the hard drive firmware -- and it may very well be that the firmware changes make reflashing impossible via software.

superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
Is this the sort of thing UEFI can protect against?

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Is this the sort of thing UEFI can protect against?

No.

SeraphimLabs

  • Participant
  • Joined in 2012
  • *
  • Posts: 497
  • Be Ready
    • View Profile
    • SeraphimLabs
    • Donate to Member
There is no defense against this.

Its like a rootkit- that once it gets into your hard drive the only way out is to replace the drive controller with a known-good version and then very carefully salvage data without letting the virus be reactivated.

Hackers may have gone too far with this.

Fortunately its not something a casual hacker could do. You would have to use a special operating system or embedded system debugging tools to access the drive at the lowest possible levels to create the malware, and then have the task of delivering it to the target to infect the new hard drive without the OS noticing.

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 888
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
the task of delivering it to the target to infect the new hard drive without the OS noticing

like... packaging it as a critical update from the drive manufacturer... which we regularly install on customer equipment...
vi vi vi - editor of the beast

Curt

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 7,566
    • View Profile
    • Donate to Member
"It seems Uhuru was able to detect the new malwares from the Equation Group"

At first this Uhuru sounds fine:

Uhuru anti-malware designed for companies or public entities is now available either through direct contact with Nov'IT or via the French UGAP catalog.
A free version designed for individuals will be offered in 2015

but then they add this paragraph:

For the release of Uhuru anti-malware, Nov'IT makes a special offer designed for compagnies or public entities.
The offer includes a life-time license (minor software updates, major software upgrades, current or future releases).
This is a special and unique offer.
Minimum order size: 50,000 licenses.

^ eh... the beginning is good, isn't it: "lifetime keys". Wow!
but then they go on, don't they: "purchase and install at least 50,000 copies of our unknown software"?

Didn't a lot of "creative" Russians move to France? I am not sure if I dare to trust this Uhuru!

Well, I know nothing. Uhuru may be fine and just what the Doctor ordered.