Jump to content

Malware infecting hard disk firmware remained hidden for 15 years – but who’s responsible?


Batu69

Recommended Posts

It sometimes seems that whenever security researchers discover some new exploit or malware that allows the monitoring of remote computers, the finger is quickly pointed at the US intelligence agencies.

 

Security firm Kaspersky has recently revealed a complex malware developed by a group called Equation. Although its report made no mention of the US National Security Agency, subsequent news reports held it responsible anyway.

 

This seems to follow the logic that, as Equation’s malware uses techniques similar to Stuxnet, if Stuxnet was developed by the NSA then Equation’s must also have been developed by the NSA. But despite everything that’s been written about Stuxnet’s origins, there’s no conclusive proof tying it to the NSA, or anyone else.

Such breathless headlines unfortunately obscure how interesting this new suite of malware is – not least that it isn’t new, but dates back to 2001. That is eons in technological terms.

 

0JpYh8U.png

A family of malware evolving over more than a decade. Kaspersky Lab

 

Hard drive attack

What’s also interesting is the way the attackers hid the malware: by embedding the malicious code into the firmware (hard-coded software) built into hard disk drives found in practically every computer. Not just drives from one manufacturer, but almost all the mainstream brands – perhaps even the one that powers the computer on which you read this now. Why is this important? It means you could wipe the entire drive, reinstall your computer’s software from scratch – and still be infected.

 

The only more attractive hiding place for an attacker is the firmware that is required to start the computer, the BIOS, but viruses that attack the BIOS have been around for decades and hardware has been adapted in defence. On the other hand, looking at hard drive firmware and adopting defences against tampering with it just hasn’t been on the agenda, a fact that has allowed this malware to go undetected for so long.

An updated, evolving threat

And it’s not just that the attackers were able to work out how to embed their malware in the drives' firmware; they appear also to have been able to update it with improved versions. This would require updating (“flashing”) not just the malware but the original firmware code too, without which the drive wouldn’t function. This is considered technically advanced even today – yet someone seems to have developed the capability to do so more than 10 years ago. This is technically impressive.

 

So the fact that such an advanced technique was deployed so long ago prompts us to wonder what else is out there that we don’t know about? It’s not as if this is the first such discovery: Stuxnet, Flame, Regin and now Equation, all of which appear to have been active for many years. To paraphrase Oscar Wilde: to miss one piece of malware looks like misfortune, to miss four looks like trend.

Pointing the finger

It is easy, as we see from some of the headlines, to attribute blame based upon circumstantial evidence such as those who was attacked. However, this assumes that a state actor is responsible – and that only certain countries have the wherewithal to develop such a capability. Yet, as the video above demonstrates, one individual with skills and time was able to do much the same.

 

One of the extraordinary things about cyber warfare and cyber espionage is how it has levelled the playing field between adversaries who might be hugely unequal in other ways. With a relatively small team and modest budget anyone could potentially develop very clever software. Cyberspace is the ideal platform to wage asymmetric warfare.

 

Yzw6oy3.png

Pointing the finger of blame based on who was targeted is not conclusive. Kaspersky Lab

 

The reports of all these threats – Regin, Stuxnet, Flame, and others – carry the assumption that a government is responsible. It’s not an unreasonable assumption considering that the software’s primary function is espionage. But while nation states are the consumers of intelligence gathered in this way, it doesn’t mean that their agencies are responsible – there is an active market for such information, which means there is a commercial motivation for others to collect it.

 

Criminal hackers steal personal information to sell on the black market to those who would commit fraud. They might equally gather data of interest to governments and law enforcement and sell it to them. In many ways it is a classic market: with limitless demand there will always be those willing to supply.

 

In any event, it’s worth reading the full range of reports available and forming your own judgement. Like reading only a single newspaper, the likelihood is that the news is reported with a particular slant – such as blaming the NSA. And while you can be sure of very little when it comes to final attribution of these attacks, you can be sure that individual reports carry their own bias. If you are able, it is worth concentrating on the technical detail as that is where you’re more likely to find the truth.

 

And expect to hear more such stories in the future – after all, if malware can be hidden so succesfully 10 years ago imagine what’s possible today.

 

Article source

Link to comment
Share on other sites


  • Replies 5
  • Views 2k
  • Created
  • Last Reply
  • Administrator

I remember when I first discover updating the BIOS, I thought, in addition to updating the BIOS, there should be a way to update a HDD's bad firmware too.

 

Eitherway, this is a big problem if it is true and can be exploited in big numbers I think.

Link to comment
Share on other sites


22 minutes ago, DKT27 said:

I remember when I first discover updating the BIOS, I thought, in addition to updating the BIOS, there should be a way to update a HDD's bad firmware too.

 

Eitherway, this is a big problem if it is true and can be exploited in big numbers I think.

intel and seagate offer tools and firmware for their drives

Link to comment
Share on other sites


Isn't this news one year old?

Anyway this comment by joeflanks is pretty good ----

 

Quote

 

The only known prevention to this firmware attack is to boot from hardware RAID. HDD Firmware cannot read data from a RAID controller, especially if it is a RAID 0 arrangement where the data is split in half between 2 drives on RAID stripes which are non-standard sector sizes which all hardware RAID controllers use some form of striping. Also RAID controllers do not allow (process) non standard ATA calls. RAID hardware takes control of the Hard Disk Drives and the operating system no longer has direct access to to the HDD or the firmware and vice versa.

 

I got hit with some attack similar to this about 7 months ago. 3 boot drives were trashed and had to be replaced. Firmware on the computer was trashed and I had to replace the motherboard also.

 

This was an Apple computer I use for commercial web design. Non boot drives were not affected. Needless to say, I bought a bootable hardware RAID card and configured the boot drive(s) as RAID 0.

 

 

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...