EvilZone
Hacking and Security: Polyphony, February 18, 2015, 10:23:53 PM
-
I don't think I could add much to the pdf so I'll just post the link here (https://docs.google.com/viewer?url=https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf).
I'd love to write software that deals with persistence, but reading the methods that some of the modules use to remain persistent is insane.
-
Damn. This is indeed very interesting to read - it's insane they are operating for so long without getting caught!
This reminds me of Uplink and gives me the chills lol.
-
Holy shit, thx for the share... I was tired but now I'm back awake :P. Whoever this is, they fucking own the place.
I love how some of their malware can survive even a hdd format, while everybody always told me that was impossible.
-
It's just some group in the NSA isn't it?
That's what I heard anyway.
Interesting that they are getting exposed.
-
Quoting pages 16 & 17.
There is one aspect of the EQUATION group’s attack technologies that exceeds anything we have ever seen before. This is the ability to infect the hard drive firmware. This achieves several important things:
• Extreme persistence that survives disk formatting and OS reinstall.
• An invisible, persistent storage hidden inside the hard drive.
Unquote.
This is scary and highly sophisticated.
-
I was particularly interested in the insane methods of persistence described in chapter 17 (page 31). In that paper they describe how the malware creates a virtual file system in the Windows registry in which it stores all of its encrypted data/modules. This makes it very difficult to detect (especially for antivirus).
I'll be the first to tell you, I don't know anything about the Windows registry, so somebody with more knowledge about that could probably comment on what kind of effort it would take if only to get a basic implementation up and running haha.
As for the HDD firmware hacks, I remember reading a long time ago about this exact situation (hacking hdd firmware in order to compromise the security of the drive). I'll see if I can find a post I made about it, but I can't remember if I made one or not. Here (https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf) is a whitepaper on HDD implants and how they can interact without OS intervention, courtesy of /u/ranok. (http://www.reddit.com/r/netsec/comments/2w4klx/pdf_by_kaspersky_lab_equation_group_questions_and/cooauyy) That paper is a pretty dense read.
-
derpa merp
Is this it? http://spritesmods.com/?art=hddhack I've read this some time ago, really cool hacks.
-
I think that's the one Kulver! Good find lol.
In that article, the author provides a link to a pdf (https://docs.google.com/viewer?url=http://www.recover.co.il/SA-cover/SA-cover.pdf) which then provides PoC code for hiding data in the "service" segments of the HDD. I've added the source file (around 1200 lines) as an attachment to the bottom of this post. The code is a pretty down and dirty implementation for Western Digital 250GB Hawk hard drives only (as I said above, vendor-specific commands being issued here).
-
Thanks for the link to that report, Polyphony. I had glanced over the news about this earlier in the week but haven't had time to read up on it much, and I just read the report.
Pretty fucking insane. With the technological links to Stuxnet, and this appearing to be the precursor to Stuxnet, as well as the GROK keylogger as mentioned here,
http://www.itnews.com.au/News/374987,nsa-spreads-malware-on-an-industrial-scale.aspx
It's obviously the NSA. Perhaps also in partnership with the GCHQ.
What's interesting is on page 25 of the report in discussing the PHP vBulletin exploit, it states that visitors from Jordan, Turkey, and Egypt were not infected. However, if you look at page 20 of the report, the United States is listed as being a country where victims were exploited. How nice of the NSA to extend a courtesy to people within the borders of Jordan, Turkey, and Egypt that they didn't extend to people within the United States.
This is yet another example of how truly pervasive the exploitation and surveillance is that the NSA and its nation-state partners are doing. They need to be severely defunded, but that will never happen.
I wonder what sorts of data would signal an infectee as interesting?
Finally, what a great job by Kaspersky, not only in uncovering this, but actually heuristically blocking a nation-state infection. I think I'm going to give them some money right now and buy their product.