Know Your Enemy
Destroying your hard drive is the only way to stop this super-advanced malware
Countries hit the most by Equation include Iran, Russia, Pakistan, Afghanistan, India and China. Targets in those countries included the military, telecommunications, embassies, government, research institutions and Islamic scholars, Kaspersky said.
Infirm firmware
Kaspersky’s most striking finding is Equation’s ability to infect the firmware of a hard drive, or the low-level code that acts as an interface between hardware and software.
The malware reprograms the hard drive’s firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn’t affect it, and the hidden storage sector remains.
“Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, in a phone interview Monday.
Drives made by Seagate Technology, Western Digital Technologies, Hitachi, Samsung Electronics and Toshiba can be modified by two of Equation’s hard disk drive malware platforms, “Equationdrug” and “Grayfish.”
The report said Equation has knowledge of the drives that goes way beyond public documentation released by vendors.
Equation knows sets of unique ATA commands used by hard drive vendors to format their products. Most ATA commands are public, as they comprise a standard that ensures a hard drive is compatible with just about any kind of computer.
But there are undocumented ATA commands used by vendors for functions such as internal storage and error correction, Raiu said. “In essence, they are a closed operating system,” he said.
Obtaining such specific ATA codes would likely require access to that documentation, which could cost a lot of money, Raiu said.
The ability to reprogram the firmware of just one kind of drive would be “incredibly complex,” Raiu. Being able to do that for many kinds of drives from many brands is “close to impossible,” he said.
“To be honest, I don’t think there’s any other group in the world that has this capability,” Raiu said.
It appears Equation has been far, far ahead of the security industry. It’s almost impossible to detect this kind of tampering, Raiu said. Reflashing the drive, or replacing its firmware, is also not foolproof, since some types of modules in some types of firmware are persistent and can’t be reformatted, he said.
Given the high value of this exploitation technique, Equation very selectively deployed it.
“During our research, we’ve only identified a few victims who were targeted by this,” Kaspersky’s report said. “This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances.”
Fanny worm
Another of Kaspersky’s intriguing findings is Fanny, a computer worm created in 2008 that was used against targets in the Middle East and Asia.
To infect computers, Fanny used two zero-day exploits—the term for a software attack that uses an unknown software vulnerability—that were also coded into Stuxnet, Kaspersky said. Stuxnet, also a Windows worm, was used to sabotage Iran’s uranium enrichment operations. It is thought to be a joint project between the U.S. and Israel.
It’s unlikely the use of the same zero-days was a coincidence. Kaspersky wrote that the similar use of the vulnerabilities means that the Equation group and the Stuxnet developers are “either the same or working closely together.”
“They are definitely connected,” Raiu said.
Both Stuxnet and Fanny were designed to penetrate “air-gapped” networks, or those isolated from the Internet, Kaspersky said.
Man in the middle
The Equation group also used “interdiction” techniques similar to those used by the NSA in order to deliver malicious software to targets.
Kaspersky described how some participants of a scientific conference held in Houston later received a CD-ROM of materials. The CD contained two zero-day exploits and a rarely-seen malware doorstop nicknamed “Doublefantasy.”
It is unknown how the CDs were tampered with or replaced. “We do not believe the conference organizers did this on purpose,” Kaspersky said. But such a combination of exploits and malware “don’t end up on a CD by accident,” it said.
The NSA’s Office of Tailored Access Operations (TAO) specializes in intercepting deliveries of new computer equipment, one of the most successful methods of tapping into computers, wrote Der Spiegel in December 2013, citing a top secret document.
The German publication was one of several that had access to tens of thousands of spy agency documents leaked by former NSA contractor Edward Snowden.
Kaspersky uncovered the trail of the Equation group after investigating a computer belonging to a research institute in the Middle East that appeared to be the Typhoid Mary for advanced malware.
Raiu said the machine had French, Russian and Spanish APT (advanced persistent threat) samples on it among others, showing it had been targeted by many groups. It also had a strange malicious driver, Raiu said, which upon investigation lead to the extensive command-and-control infrastructure used by Equation.
Kaspersky analysts found more than 300 domains connected with Equation, with the oldest one registered in 1996. Some of the domain name registrations were due to expire, so Kaspersky registered around 20 of them, Raiu said.
Most of the domain names aren’t used by Equation anymore, he said. But three are still active. The activity, however, doesn’t lend much of a clue as to what Equation is up to these days, as the group changed its tactics in late 2013.
“Those three [domains] are very interesting,” Raiu said. “We just don’t know what malware is being used.”
5 words: Back Up Your Shit Daily.
Good programmers (system engineers – not coders) are hard to find and harder to keep!
MA
I’ve saved every hard drive I’ve ever had. I recently disassembled all of them and made a wind chime out of the platters. What used to be recognized as the faint “ting” sound of death from a hard drive gone bad is now a pleasant jingle on a breezy day.
RES!
Republicans Disagree on How to Fund the Dept. of Homeland Security
Laurence M. Vance
But they all agree that it should be funded, including the TSA.
“Republican leaders in the House and Senate are at odds over how to avoid shutting down the Department of Homeland Security as part of an immigration fight with the Obama administration.” The Department’s funding runs out on Feb. 27.
Republicans under George W. Bush created this monstrosity of a department. Is there even one Republican in Congress who says the DHS should be abolished? After all, we do have a Department of Defense.
9:00 am on February 20, 2015 Email Laurence M. Vance
“We Messed Up Badly” Lenovo Admits Putting Tracking Software On Your PC
Submitted by Simon Black via Sovereign Man blog,
File this under ‘you can’t make this stuff up.’
Lenovo Group, the largest computer manufacturer in the world, has made a rather stunning admission that they have been pre-installing tracking software on their PCs.
The tracking software is made by a company called Superfish, which apparently paid some “very minor compensation” to Lenovo for putting the software on people’s computers.
The Superfish program is a total disaster.
It has image recognition algorithms which essentially monitor what a user is looking at… then suggests relevant ads based on what it thinks you might like.
This is not only REALLY high up on the creepy scale, it also completely destroys Internet security.
Whether you’re buying something online or accessing Internet banking, the Superfish program essentially cuts the secure link between you and sensitive websites that you’re trying to access.
According to the first user who found the vulnerability a few weeks ago, “[Superfish] will hijack ALL your secure web connections (SSL/TLS) by using self-signed root certificate authority, making it look legitimate to the browser.”
This means that the tracking software basically fools a web browser into believing that a connection is secure when it’s not… all for the purpose of pushing more ads in your face.
This scheme is so powerful that even if users uninstall the Superfish software, the security breach still remains.
This is so flagrant I have to imagine that even the NSA is shocked.
After its initial approach of being completely unapologetic and dismissal, Lenovo is now groveling for forgiveness.
The company’s Chief Technology Officer now says, “We messed up badly here,” and “We made a mistake.”
Duh. But untold amounts of consumers out there have been totally violated.
There are a few interesting points to make here–
1) Privacy isn’t dead. But it’s extremely difficult to maintain. There are so many forces out there trying to pry whatever little privacy remains from us, one has to fight tooth and nail to preserve it.
2) There’s no transparency in the system; we never really know what’s going on behind the scenes with big institutions.
Governments and politicians will lie to our faces. They’ll tell us to be excited and that everything is fine; then behind the scenes they’ll plan for capital controls and huge tax increases.
No one has any idea what kind of toxic crap banks have on their balance sheets. They’ll post record profits and tell us how successful they are. But internally they know that it’s only a matter of time before they collapse (as we saw in 2008).
Even major tech brands are betraying the public in the dark of night with crazy spyware or selling us all out to government agencies.
There are very few, if any, big institutions out there that we can trust anymore.
And maybe that’s how it should be.
It’s a shark-filled world with bad people who do bad things. Perhaps it’s all the better that a trusted brand becomes the poster child for betrayal.
Because if Lenovo is doing this, are we supposed to be so naïve to presume that Google, Apple, AT&T, etc. are not?
Question everything.
Well, you know there are terrorist everywhere. Basically everyone who disagrees with our police state.
With no term limits,how is anything going to change.
As if anyone gives a shit.
For cripe’s sake, the new smart tvs and many video game console’s have listening/recording devices that run 24/7.
It is ACKNOWLEDGED that the NSA is keeping EVERY THING collected via digital, including the conversations and people sitting in people’s homes being tracked by tvs, games and alarm systems.
You cannot fix stupid and stupid outnumbers the sane by a wide margin.
File this under only getting worse.
In 20 years you will commit a crime you didn’t even know was a crime and the state will dredge up your postings, conversations, purchases and travels from today.
Then they will use it all against you as more and more and more of our behavior is criminalized.
Feel safer yet?
@TE: Absolutely nail on the head correct! And that’s a good counter-argument to those numbskulls who say “I don’t care, I’m not doing anything wrong”. Yes you are, in oh so many ways if viewed with just the right “spin”.
Also, Admin isn’t the Lenovo group the company that bought out IBM’s PC division several years ago? I thought they were a Chinese company.