Got Malware? New Threat Can't Be Removed Without Breaking Hard Drive

Fanghawk

New member
Feb 17, 2011
3,861
0
0
Got Malware? New Threat Can't Be Removed Without Breaking Hard Drive

If Kaspersky Lab is right about the Equation Group, this sophisticated threat actor has developed the most highly advanced malware to date.

Last year was hugely significant for cyber security, thanks to <a href=http://www.escapistmagazine.com/news/view/139129-The-Interview-Dropped-By-Five-Theaters-Following-Sony-Pictures-Hack>Sony's security breach that may or may not <a href=http://www.escapistmagazine.com/news/view/139338-FBI-James-Comey-Sony-Pictures-Hack-North-Korea>have been tied to North Korea. Believe it or not, that was an isolated event that most people don't need to worry about - but the security group <a href=http://www.escapistmagazine.com/news/view/130581-Hackers-Ramp-Up-Attacks-Against-Xbox-One-PS4>Kaspersky Lab may have found a far more concerning threat. In a report released Monday, Kaspersky presented evidence that a highly sophisticated unit actor called "The Equation Group" has been exploiting computer networks as far back as 1996. If true, the Equation group has been targeting countries like Iran and Russia with remarkably advanced malware platforms - many of which are seemingly impossible to remove without physically destroying the hard drive.

"The Equation group uses multiple malware platforms, some of which surpass the well-known <a href=http://en.wikipedia.org/wiki/Regin_%28malware%29>"Regin" threat in complexity and sophistication," the report reads. "The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen."

Kaspersky Lab has called this actor Equation for "their love of encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations". The only reason Kaspersky was able to connect these malware platforms was through specific use of the RC5 encryption algorithm in their malware, although more recent modules use RC6, RC4, and AES as well. Unlike malware that <a href=http://www.escapistmagazine.com/news/view/122819-Researcher-Maps-Internet-Using-Illegal-Botnet-Study>just spreads across the globe, Equation's malware has a far more limited scope with very specific targets. In fact, the malware even has a "self-destruct mechanism" that wipes out the infection when instructed - which also prevents Kaspersky from knowing the full scope of Equation's past operations.

But let's say you're a key institution in one of these countries and want to get rid of Equation's malware. Good luck with that - the malware's most striking feature is that it infects the hard drive's firmware, making it impossible to remove even once the drive is formatted. "Theoretically, we were aware of this possibility," director of Kaspersky Lab Costin Raiu explained, "but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability."

Perhaps the strangest part is that Equation goes well beyond web-based exploits - it can intercept and replace physical media that will be installed on computers. In one case, participants of a scientific conference in Houston were mailed a CD-ROM of the conference proceedings. All copies of this disc itself were compromised, seemingly without the knowledge of conference organizers, and delivered malware to the participants computers.

The group has targeted key institutions in multiple countries, the most frequent being Iran, Russia, Pakistan, Afghanistan, India, China, Syria, and Mali. Meanwhile, countries like the United States, Great Britain, and France have been targeted with lower infection rates. Breached institutions tend to include government and diplomatic bodies, telecommunications, military, aerospace, energy, transportation, cryptographic research, and even Islamic scholars and activists.

Equation's malware bears some resemblance to <a href=http://en.wikipedia.org/wiki/Regin_%28malware%29>the Regin malware discovered in 2012, but Kaspersky doesn't believe them to be connected. Some computers contained instances of both Regin and Equation's malware, leaving them to believe they were developed by two different groups. The full report contains more details, but it certainly makes a strong case that - for once - the Equation group might be the supervillain wizards Hollywood keeps assuming hackers are.

Source: <a href=http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf>Kaspersky Lab, via <a href=http://www.pcworld.com/article/2884952/equation-cyberspies-use-unrivaled-nsastyle-techniques-to-hit-iran-russia.html>PC World

Permalink
 

Michael Tabbut

New member
May 22, 2013
350
0
0
So what I've gotten from this is that this Malware is that it seems to be only deployed on high-profile/government targets and not the average person's computer.

Sorta off topic but how close are we entering the potential cyberpunk future? Seriously I'm starting to think that is happening within the next decade or so.
 

small

New member
Aug 5, 2014
469
0
0
Michael Tabbut said:
So what I've gotten from this is that this Malware is that it seems to be only deployed on high-profile/government targets and not the average person's computer.

Sorta off topic but how close are we entering the potential cyberpunk future? Seriously I'm starting to think that is happening within the next decade or so.
short of common cyberware we are already there
 

Naqel

New member
Nov 21, 2009
345
0
0
Michael Tabbut said:
So what I've gotten from this is that this Malware is that it seems to be only deployed on high-profile/government targets and not the average person's computer.
Pretty much this. Whoever deployed this is not interested in your porn, and probably just self-destructs your copy in a gentlemanly fashion.
 

A_Parked_Car

New member
Oct 30, 2009
627
0
0
cjbos81 said:
NSA, CIA, or the Illuminati.
NSA is SIGINT, CIA is HUMINT. Therefore it is the NSA (or some other nation's equivalent), some really advanced third party (unlikely), or the Illuminati. :p
 

wrightguy0

New member
Dec 8, 2010
296
0
0
Naqel said:
Michael Tabbut said:
So what I've gotten from this is that this Malware is that it seems to be only deployed on high-profile/government targets and not the average person's computer.
Pretty much this. Whoever deployed this is not interested in your porn, and probably just self-destructs your copy in a gentlemanly fashion.
and their high value targets are not in north america/europe so we have less to worry about from them, plus the aforementioned kill switch in their software which disables and destroys all traces of the malware.
 

Fanghawk

New member
Feb 17, 2011
3,861
0
0
Michael Tabbut said:
So what I've gotten from this is that this Malware is that it seems to be only deployed on high-profile/government targets and not the average person's computer.
Unless they already got what they needed from you....

More seriously: Yes casual users likely don't need to worry about this one. BUT the implication of one group quietly churning out several highly advanced malware programs over the course of two decades is pretty chilling. Especially given how the computers were infected, and that "Islamic scholars" were considered targets.
 

47_Ronin

New member
Jul 30, 2012
161
0
0
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?
On a more serious note: Linux everybody? I know it's stupid, but the psychological effect on my safety since I installed cinnamon on my old laptop has been massive.
 

Adam Jensen_v1legacy

I never asked for this
Sep 8, 2011
6,651
0
0
Fanghawk said:
Michael Tabbut said:
So what I've gotten from this is that this Malware is that it seems to be only deployed on high-profile/government targets and not the average person's computer.
Unless they already got what they needed from you....

More seriously: Yes casual users likely don't need to worry about this one. BUT the implication of one group quietly churning out several highly advanced malware programs over the course of two decades is pretty chilling. Especially given how the computers were infected, and that "Islamic scholars" were considered targets.
The group is probably affiliated with certain government agencies.
 

P-89 Scorpion

New member
Sep 25, 2014
466
0
0
Michael Tabbut said:
So what I've gotten from this is that this Malware is that it seems to be only deployed on high-profile/government targets and not the average person's computer.

Sorta off topic but how close are we entering the potential cyberpunk future? Seriously I'm starting to think that is happening within the next decade or so.
No there inserting it in all HDD's as they come off the production line just in case and then 'supposedly' only activating it when in use by business's or those who have worked directly for their governments.
 

vxicepickxv

Slayer of Bothan Spies
Sep 28, 2008
3,126
0
0
Pretty much the only way around it is to build your own firmware, or go back to using FAT32 and hope nobody downgrades their malware to match you.
 

truckspond

New member
Oct 26, 2013
403
0
0
47_Ronin said:
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?
That doesn't remove the malware as this one actually puts itself into the software built into the HDD that controls what it does and when.
 

insanelich

Reportable Offender
Sep 3, 2008
443
0
0
47_Ronin said:
Destroy the HDD? That's drastic. Haven't they tried to plug off/plug in first?
On a more serious note: Linux everybody? I know it's stupid, but the psychological effect on my safety since I installed cinnamon on my old laptop has been massive.
This thing will infect Linux with the same - or even more - ease than Windows.
 

EHKOS

Madness to my Methods
Feb 28, 2010
4,815
0
0
This sounds like a Liam Nesson movie I would watch. But there's always a patch/ new threat from both sides.
 

Redlin5_v1legacy

Better Red than Dead
Aug 5, 2009
48,837
0
0
Hmmmm... Time to consider the contingency plan I've had stored in the back of my head for a while in case this malware nonsense makes life too friggen difficult. Something that can't be nuked with a drive wipe? I don't like that.
 

dalek sec

Leader of the Cult of Skaro
Jul 20, 2008
10,237
0
0
Liam Steel said:
Thanks, I didn't want to sleep tonight anyway.
Pretty much this in a nut shell. I know the odds of it happening to one of us is so damn tiny but jesus, this is why I hate hackers.
 

ender1200

New member
Nov 25, 2013
11
0
0
The target list sounds a lot like the usual targets for spying by a western country, with middle easten and eastern block countries and suspected islamists being on the top priority.

There aren't many bodies that are capable of producing such melware, and most of them are on the infected list.
Also from the report: "As an interesting note, some of the ?patients zero? of Stuxnet seem to have been
infected by the EQUATION group. It is quite possible that the EQUATION group
malware was used to deliver the STUXNET payload"