{"id":4570,"date":"2015-02-17T13:11:34","date_gmt":"2015-02-17T18:11:34","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=4570"},"modified":"2020-02-26T18:59:37","modified_gmt":"2020-02-26T14:59:37","slug":"equation-hdd-malware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/equation-hdd-malware\/4570\/","title":{"rendered":"Indestructible malware by Equation cyberspies is out there \u2013 but don&#8217;t panic (yet)"},"content":{"rendered":"<p>Kaspersky\u2019s GReAT team just published research on the\u00a0<a href=\"https:\/\/securelist.com\/blog\/research\/68750\/equation-the-death-star-of-malware-galaxy\/\" target=\"_blank\" rel=\"noopener\">Equation cyber-espionage group\u2019s activity<\/a>, and it revealed\u00a0quite a few technical marvels. This old and powerful hacker group has produced a very complex series of malicious \u201cimplants\u201d, but the most interesting finding is the malware\u2019s ability to reprogram the victim\u2019s hard drives, making those implants invisible and almost indestructible.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Suite of Sophisticated Nation-State Attack Tools Found With Connection to Stuxnet \u2013 <a href=\"http:\/\/t.co\/FsaH0Jzq5O\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/FsaH0Jzq5O<\/a><\/p>\n<p>\u2014 Kim Zetter (@KimZetter) <a href=\"https:\/\/twitter.com\/KimZetter\/status\/567400308045647872?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 16, 2015<\/a><\/p><\/blockquote>\n<p>This is one of the long-anticipated <a href=\"https:\/\/www.kaspersky.com\/blog\/8-all-time-scariest-looking-viruses\/\" target=\"_blank\" rel=\"noopener nofollow\">scary stories in computer security<\/a>\u00a0\u2013 an incurable virus that persists in computer hardware forever 
was considered an urban legend for decades, but it seems people have spent millions of dollars to make it happen. Some press reports on Equation\u2019s story go as far as saying this enables hackers \u201c<a href=\"http:\/\/www.reuters.com\/article\/2015\/02\/16\/us-usa-cyberspying-idUSKBN0LK1QV20150216\" target=\"_blank\" rel=\"noopener nofollow\">to eavesdrop on the majority of the world\u2019s computers<\/a>\u201d. However, we want to tone down the drama: this ability will remain as rare as pandas walking across the street.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/02\/05111850\/The-Equation-Group-1024x767-1.png\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-7624\" src=\"https:\/\/me-en.kaspersky.com\/blog\/files\/2015\/02\/The-Equation-Group-1024x767-1-1024x767.png\" alt=\"The-Equation-Group\" width=\"800\"><\/a><\/p>\n<p>Let\u2019s start by explaining what \u201chard drive firmware reprogramming\u201d means. A hard drive consists of two important components \u2013 a storage medium (magnetic platters for classic HDDs or flash memory chips for SSDs) and a controller microchip, which actually manages reading from and writing to the disk, as well as many service procedures, e.g. error detection and correction. These service procedures are numerous and complex, so the chip executes its own sophisticated program and, technically speaking, is a small computer in itself. The chip\u2019s program is called firmware, and a hard drive vendor may want to update it to correct discovered errors or improve performance.<\/p>\n<p>This mechanism was abused by the Equation group, which was able to load its own firmware onto hard drives of 12 different \u201ccategories\u201d (vendors\/variations). The functions of this modified firmware remain unknown, but malware on the computer gains the ability to write and read data to\/from a dedicated hard drive area. 
We assume that this area becomes completely hidden from the operating system and even from specialised forensic software. Data in this area may survive hard drive reformatting, and the firmware is theoretically able to reinfect the hard drive\u2019s boot area, infecting a newly installed operating system from the very beginning. To complicate things further, firmware checks and reprogramming rely on the firmware itself, so it is not possible to verify the firmware\u2019s integrity or reliably reflash it from the computer. In other words, once infected, hard drive firmware is undetectable and almost indestructible. It\u2019s easier and cheaper to ditch a suspect drive and buy a new one.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Normal malware: check. HDD firmware malware: check. Now we just need to worry about GPU, USB, FireWire, webcam, NIC, baseband, Bluetooth\u2026<\/p>\n<p>\u2014 Matthew Green (@matthew_d_green) <a href=\"https:\/\/twitter.com\/matthew_d_green\/status\/567473604347326466?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 17, 2015<\/a><\/p><\/blockquote>\n<p>However, don\u2019t rush to find your screwdriver \u2013 we don\u2019t expect this ultimate infection ability to become mainstream. Even the Equation group itself has probably used it only a few times, as the HDD infector module is extremely rare on victims\u2019 systems. For starters, hard drive reprogramming is much more complex than writing, let\u2019s say, Windows software. Each hard drive model is unique, and developing alternative firmware for it is very expensive and painstaking. 
A hacker must obtain the hard drive vendor\u2019s internal documentation (which is nearly impossible), purchase some drives of the exact same model, develop and test the required functionality, and squeeze malicious routines into the existing firmware, all while keeping its original functions intact. This is very high-end engineering that requires months of development and millions in investment. That\u2019s why it is not feasible to use this kind of stealth technology in criminal malware or even in most targeted attacks. In addition, firmware development is obviously a boutique approach that can\u2019t be scaled easily. Many manufacturers release firmware for multiple drives each month, new models come out constantly, and hacking each one is beyond the capability (and the need) of the Equation group \u2013 or anyone else.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">\"..it would take a very skilled programmer many months or years to master\" reprogramming hard drives, says <a href=\"https:\/\/twitter.com\/vkamluk?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@vkamluk<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/TheSAS2015?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#TheSAS2015<\/a><\/p>\n<p>\u2014 Kelly Jackson Higgins (@kjhiggins) <a href=\"https:\/\/twitter.com\/kjhiggins\/status\/567654279897686016?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 17, 2015<\/a><\/p><\/blockquote>\n<p>So, the practical outcome of the story is this: HDD-infecting malware is not a legend anymore, but the average individual isn\u2019t at risk. Don\u2019t slam your drives with a hammer, unless you work in Iran\u2019s nuclear industry. 
Pay more attention to less exciting, but more\u00a0probable, risks like being hacked because of <a href=\"https:\/\/www.kaspersky.com\/blog\/false-perception-of-it-security-passwords\/\" target=\"_blank\" rel=\"noopener nofollow\">bad passwords<\/a> or an outdated <a href=\"https:\/\/www.kaspersky.com\/advert\/free-trials\/multi-device-security?redef=1&amp;THRU&amp;reseller=blog_en-global\" target=\"_blank\" rel=\"noopener nofollow\">antivirus<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A malware that cannot be wiped from the victim\u2019s hard drive does exist. However, it\u2019s so rare and expensive, that you probably won\u2019t ever encounter it.<\/p>\n","protected":false},"author":32,"featured_media":4571,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[697,78,934,935,36,928],"class_list":{"0":"post-4570","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-espionage","9":"tag-hackers","10":"tag-hard-drives","11":"tag-hdd","12":"tag-malware-2","13":"tag-thesas2015"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/equation-hdd-malware\/4570\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/equation-hdd-malware\/4621\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/equation-hdd-malware\/5143\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/equation-hdd-malware\/6886\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/equation-hdd-malware\/5632\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/equation-hdd-malware\/6984\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/equation-hdd-malware\/7623\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/equation-hdd-malware\/6897\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/equat
ion-hdd-malware\/6984\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/equation-hdd-malware\/7623\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/equation-hdd-malware\/7623\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/espionage\/","name":"espionage"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4570","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4570"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4570\/revisions"}],"predecessor-version":[{"id":15983,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4570\/revisions\/15983"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/4571"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4570"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4570"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4570"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}