NSA malware found hiding in hard drives for almost 20 years


75 replies to this topic

#1 quietman7

    Bleepin' Janitor

  • Global Moderator

Posted 17 February 2015 - 05:46 PM

 

Bad news, geeks. Someone out there figured out how to hide persistent, invisible espionage malware inside the firmware of your hard drives. Now it's been discovered that they've been using it to spy on targets for nearly 20 years.

 

This particular piece of malware is delivered via modified hard drive firmware, and Kaspersky says that it’s compatible with nearly all major hard drive brands: Seagate, Western Digital, Samsung, you name it. Once it’s there, it’s nearly impossible to get rid of or even detect. Since it’s not taking up space on the hard drive’s platters, it can easily re-infect a system even after a drive has been fully formatted.

 

NSA malware found hiding in hard drives for almost 20 years
Equation Group: The Crown Creator of Cyber-Espionage




#2 YeahBleeping

  • Members

Posted 17 February 2015 - 06:37 PM

When I read Tom Clancy's Threat Vector, I knew then that we would be seeing a very real-world indication of this. I am gonna miss Tom Clancy's books.

 

I do believe that we as consumers should feel violated and there should be a wide range of tools to detect and remove this kind of intrusion.

 

Come on all you white hatz .. give us the tools we need !



#3 quietman7

    Bleepin' Janitor

  • Topic Starter
  • Global Moderator

Posted 17 February 2015 - 06:40 PM

I don't think you need to worry just yet.

...Malware this advanced isn’t meant for computers like yours and mine (at least that’s what we’re hoping, right?). Kaspersky’s list of targets won’t surprise you: government and military institutions, telecom and energy companies, nuclear research facilities, oil companies, encryption software developers, media outlets, Islamic groups...



#4 RolandJS

  • Members

Posted 17 February 2015 - 07:38 PM

Would detekt.exe [from https://resistsurveillance.org/] be able to spot it? Where to go from there, I don't know.




#5 Crazy Cat

  • Members

Posted 17 February 2015 - 08:32 PM

I don't think you need to worry just yet.


...Malware this advanced isn't meant for computers like yours and mine (at least that's what we're hoping, right?). Kaspersky's list of targets won't surprise you: government and military institutions, telecom and energy companies, nuclear research facilities, oil companies, encryption software developers, media outlets, Islamic groups...

The level of NSA, and other government spy agencies', infiltration CANNOT BE QUANTIFIED. Is it just coincidence that Adobe Flash, over the years, has had numerous vulnerabilities?
 



#6 Aura

    Bleepin' Special Ops

  • Malware Response Team

Posted 17 February 2015 - 09:29 PM

Roland, Detekt is one useless piece of software. I tested it myself and it couldn't detect many RAT stubs I had in my VM, most of which were said to be detected by it. I can link you the video if you wish. Also, what quietman quoted is what's important. You have to keep in mind that malware this advanced isn't "in the wild"; it has been created for specific purposes: to infect high-value, high-level targets in order to gain something way more important than some bank account information or your Runescape account. Yes, these threats are now real, but it's not tomorrow that you'll see them being distributed via malicious ads on popular websites.



#7 RobertHD

  • Members

Posted 18 February 2015 - 01:50 AM

I'm going to give you the scariest story you've ever seen about hard drives. Here it is:

(Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.
 
That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.
 
Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)

 
Quoted from
http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216
 
Mod edit: Always quote non-original content and give its source, for copyright and credit to the author ~~boopme

Edited to comply with fair use rules. ~ OB

Edited by Orange Blossom, 28 February 2015 - 01:49 AM.
Moved from Win 7 to General Security - Hamluis.



#8 Sintharius

    Bleepin' Sniper

  • Members

Posted 18 February 2015 - 02:23 AM

Kaspersky Labs' article

#9 RobertHD

  • Members

Posted 18 February 2015 - 04:39 AM

I'd wonder, though, whether any such program can exist so that you can get into the firmware and reverse engineer it.




#10 technonymous

  • Members

Posted 18 February 2015 - 05:16 AM

Kind of reminds you of the days of the CIH virus, if anyone has ever seen that destructive virus in action. There is lots of hardware that has firmware chips that can be flashed or store malicious code: BIOS, video cards, NICs, network hardware, a variety of PCI-type controller cards, HDs, CD-ROMs; even a monitor can be affected.



#11 Didier Stevens

  • BC Advisor

Posted 18 February 2015 - 02:29 PM

At the OHM2013 conference in The Netherlands (summer 2013), I saw a talk on hacking the firmware of WD hard disks.
The guy had no access to the source code.
http://spritesmods.com/?art=hddhack



#12 rp88

  • Members

Posted 18 February 2015 - 02:45 PM

Two threads on this matter by the looks of it...


Is it yet known whether these attacks only work on Windows machines or can they attack anything? What about Mac or Linux machines?

If a computer with this type of infection was booted from an alternate operating system, would the malware still be able to perform actions against the user and monitor their activities?

What if an infected computer had its hard drive removed and was then used by booting from a live operating system on a USB drive?

Now that the world knows about this it will only be a matter of time before others manage to get hold of and reverse engineer a copy; then the entire criminal community might start deploying attacks using some of the principles here.

As far as the spreading methods are concerned, it seems two methods were used: drive-by style exploits and compromised removable storage hardware. Would normal steps against drive-bys (NoScript (or equivalents), disabling plugins, up-to-date browsers) and against compromised USB or CD discs (disabling autoplay/autorun, scanning the devices with antivirus and antimalware before opening any files on them, avoiding running any exe files on them) be enough to prevent these?

"Come on all you white hatz .. give us the tools we need !" With any luck there will be many good people out there doing just that, but no-one can act instantly; it will be quite a while before solutions to this type of threat become available. With something like this, discovering its existence is only half the battle.

Edited by rp88, 18 February 2015 - 02:45 PM.


#13 Crazy Cat

  • Members

Posted 18 February 2015 - 02:47 PM

Roland, Detekt is one useless piece of software. I tested it myself and it couldn't detect many RAT stubs I had in my VM, most of which were said to be detected by it. I can link you the video if you wish. Also, what quietman quoted is what's important. You have to keep in mind that malware this advanced isn't "in the wild"; it has been created for specific purposes: to infect high-value, high-level targets in order to gain something way more important than some bank account information or your Runescape account. Yes, these threats are now real, but it's not tomorrow that you'll see them being distributed via malicious ads on popular websites.


See http://www.bleepingcomputer.com/forums/t/567181/petsistent-malware-hackers/#entry3632161
 



#14 Aura

    Bleepin' Special Ops

  • Malware Response Team

Posted 18 February 2015 - 02:51 PM

Crazy, you have to be realistic here. Do you really think that normal users like you and me will be infected with a piece of malware created to steal government secrets? I really, really doubt it. Like I said, this malware is either PoC or found on high-value targets' systems and hardware, so not common users. Yes, the threat exists, but standard users don't really have to worry about it, at least for now.



#15 Crazy Cat

  • Members

Posted 18 February 2015 - 02:53 PM

The spyware MD5 hashes (2011) have been posted here, https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/ or https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

Create an MD5 list of all your files on the C drive, and search the list for the spyware MD5 hashes.
 

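One way to do the hash sweep Crazy Cat describes, as an added example that is not from the post, from Kaspersky, or from any BleepingComputer tool: it streams every file under a root through MD5 and SHA-256 (the report's lists use both), matches them against an indicator list in the one-digest-per-line format vendors publish, and skips files it cannot open (locked, permission denied) instead of aborting halfway through C:. The two digests in the embedded list are constructed placeholders (the MD5 and SHA-256 of the bytes "hello"), not real Equation Group indicators; take the real ones from the securelist links above. One caveat the thread itself raises: this only finds the on-disk components that the report hashes. The firmware implant is not stored on the platters, so no file hash sweep will ever show it.

```python
"""Sweep a directory tree for files whose MD5 or SHA-256 appears in a
known-bad hash list. Added example; all hash values are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed placeholder indicator list in the usual vendor format:
# one hex digest per line, '#' comments allowed, case-insensitive.
# Both entries are hashes of the bytes b"hello", NOT real indicators.
PLACEHOLDER_IOC_TEXT = """
# placeholder hashes (constructed for this example)
5d41402abc4b2a76b9719d911017c592   # MD5 of b"hello"
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824   # SHA-256 of b"hello"
"""

HEX = set("0123456789abcdef")


def load_iocs(text):
    """Parse MD5 (32 hex) and SHA-256 (64 hex) digests into a lowercase set."""
    iocs = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if len(token) in (32, 64) and set(token) <= HEX:
            iocs.add(token)
    return iocs


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, streaming so big files stay out of RAM."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root, iocs):
    """Walk root; return (matches, unreadable).

    matches   -> list of (path, digest) for files whose hash is in iocs
    unreadable-> list of (path, error) for files that could not be opened
    """
    matches, unreadable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into symlinked directories (loops, out-of-tree reads).
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                digests = hash_file(path)
            except OSError as exc:  # locked, permission denied, vanished mid-walk
                unreadable.append((path, str(exc)))
                continue
            for digest in digests:
                if digest in iocs:
                    matches.append((path, digest))
                    break  # one hit per file is enough
    return matches, unreadable


def demo():
    """Build a constructed tree, plant one file matching the placeholder list, sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_text("harmless")
        (root / "suspect.dll").write_bytes(b"hello")  # hash is in the placeholder list
        matches, unreadable = sweep(root, load_iocs(PLACEHOLDER_IOC_TEXT))
        return [os.path.basename(p) for p, _ in matches], len(unreadable)


if __name__ == "__main__":
    hits, skipped = demo()
    print("matches:", hits, "unreadable files skipped:", skipped)
```

Point `sweep()` at the drive root (for example `sweep("C:\\", load_iocs(open("iocs.txt").read()))`) and review the `unreadable` list as well as the matches: a directory that refuses to be read during a sweep is worth a second look on its own.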




