Recently, research by Kaspersky's team into the activity of the Equation cyber-espionage group revealed some technical marvels. This very old and powerful group has kept itself updated and has created a mosaic series of suspicious "implants". Several findings were obtained, but the most interesting story is about its ability to reprogram victims' hard drives, making its implants almost invisible.
Do you know what "hard drive firmware reprogramming" means? Let's have a look.
A hard drive has two important components: a storage medium (magnetic platters in a classic HDD, or flash memory chips in an SSD) and a microchip, the controller, which is responsible for reading, writing and many other services such as error detection and correction, a complex and difficult process. The chip executes its own program, so it acts as a small computer, and that program is known as firmware. Any hard drive vendor may update it to fix discovered errors or to enhance performance. This update mechanism was abused by the Equation group malware, which was able to load its own firmware onto the hard drive. The functions of this modified firmware are still unknown. This extremely destructive threat is capable of reading and writing data in an area of the infected hard drive that is invisible to the operating system and even to powerful security tools. According to the research, millions of PCs have been contaminated with a form of malware affecting the BIOS built into the physical hardware.
Unlike other malware, which can be removed, this highly perilous and tricky program is capable of loading before the operating system boots. It also creates a hidden hard drive sector intended to store stolen data or new commands sent by a third party to take control of the compromised computer. The most harassing part is that, even if you succeed in detecting the hidden disk partition, the malware recreates the partition when you reboot the PC.
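One routine forensic check against a hidden area of the kind described above is to compare the drive's reported size with the LBA ranges its partition table actually accounts for, and flag what is left over. The script below is an added example, not code from the original post or from Kaspersky; it parses a classic MBR (the 64-byte table at offset 446, four 16-byte entries, 0x55AA signature) and reports unallocated LBA ranges. The MBR it inspects is constructed in the script itself, and the total sector count would normally come from the drive identification data.

```python
import struct
from typing import List, Tuple

SECTOR = 512

def build_sample_mbr(entries: List[Tuple[int, int, int]]) -> bytes:
    """Constructed test data, not a real disk dump: build a 512-byte MBR from
    (partition_type, start_lba, sector_count) tuples, up to four primary entries."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries[:4]):
        off = 446 + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, LBA count
        struct.pack_into("<B3sB3sII", mbr, off, 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def parse_partitions(mbr: bytes) -> List[Tuple[int, int]]:
    """Return (start_lba, end_lba_exclusive) for every non-empty MBR entry, sorted."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]                      # byte 4 of the entry is the type
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count:
            parts.append((start, start + count))
    return sorted(parts)

def unallocated_ranges(mbr: bytes, total_sectors: int,
                       min_sectors: int = 2048) -> List[Tuple[int, int]]:
    """LBA ranges covered by no partition. Gaps smaller than min_sectors are
    ignored so the usual 1 MiB alignment slack before the first partition is
    not reported; anything larger, especially at the end of the disk, deserves
    a look with a hex viewer or a full-disk hash comparison."""
    gaps, cursor = [], 1  # LBA 0 holds the MBR itself
    for start, end in parse_partitions(mbr):
        if start - cursor >= min_sectors:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if total_sectors - cursor >= min_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

if __name__ == "__main__":
    # A 2,000,000-sector drive whose two partitions stop ~48 MiB short of the end.
    sample = build_sample_mbr([(0x83, 2048, 1_000_000), (0x83, 1_002_048, 900_000)])
    for lo, hi in unallocated_ranges(sample, 2_000_000):
        print(f"unallocated LBA {lo}-{hi} ({(hi - lo) * SECTOR // 2**20} MiB)")
```

On a live system the same two functions can be fed the first 512 bytes of the block device plus the sector count reported by the drive; a region the partition table does not cover is a lead, not proof, since spare space and vendor areas also show up there.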
It's completely unremovable malware
It is possible to upgrade or re-flash the hard drive BIOS, but some sectors remain inaccessible to users so as to prevent them from "bricking" their unit. It has been found that this threat often uses that persistent, unflashable part of the BIOS, which keeps the malware from being deleted completely. In that case, the one and only way to get rid of this highly hazardous threat is to replace the whole drive.
The elegance of this threat and its similarity to the Stuxnet virus have led many to conclude that Equation is financed or run by the NSA (America's National Security Agency).
Equation – its prevalence is a surprise
No doubt, the Equation group virus is quite dramatic, and none of us want to encounter it once we are familiar with it. It is quite untrustworthy and destructive in nature, especially because it steals data. Kaspersky Labs has claimed that Equation malware is mostly found on drives manufactured by Seagate, Toshiba, Western Digital, Samsung, IBM, and Hitachi, even though all of them use different BIOS technologies and safeguards to control their disks.
Viruses can be written to firmware in only two ways:
- Contamination can occur on the production line, with Equation code being introduced into the BIOS while the hard drive is assembled.
- The threat may travel by traditional means such as junk mail, infected removable media, suspicious websites, etc., and then use proprietary methods to access BIOS storage.
How was it installed?
The Equation group virus was intentionally designed by some very intelligent hard drive engineers so that it installs itself into the PC automatically. To complete the installation, it needs to gain access to the secure system that holds the BIOS firmware, and then overwrite the official code with its own, ready for the disk manufacturing process.
And to achieve this, they need to:
- Break into the secure network in order to access the code stores directly.
- Use social engineering techniques to get an authorized user to compile the virus code into a BIOS release.
- Pay a user to do the same.
- Secure the manufacturer's assistance in installing the threat code, an agreement that could only be obtained by government agencies.
All of these techniques are feasible. Even so, there is still the question of how the protected firmware sectors were accessed. This technique is not publicly available yet and requires inside knowledge from or within the manufacturer.
Equation members somehow managed to steal API details directly from each manufacturer and paid an inside source. Also, the manufacturers were quite deceitful in sharing the information.
The most surprising part is the apparent age of Equation. Some of it has existed since 1996. From this it has been estimated that Equation is not on the back foot but keeps getting updated, and has been used to compromise hard drive security and steal data for nearly 20 years. As technology and features have advanced, hard drive technology has also changed to deliver better performance, and from this perspective it would not be wrong to say that Equation has worked very hard to stay on top of the secret protocols covering hard drive BIOS firmware.