Destroying your hard drive is the only way to stop this super-advanced malware

Discussion in 'Windows - Virus and spyware problems' started by ireland, Feb 20, 2015.

    A cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia, utilizing a startlingly advanced form of malware that is impossible to remove once it's infected your PC.

    Kaspersky Lab released a report Monday that said the tools were created by the “Equation” group, which it stopped short of linking to the U.S. National Security Agency.

    The tools, exploits and malware used by the group—named after its penchant for encryption—have strong similarities with NSA techniques described in top-secret documents leaked in 2013.

    Countries hit the most by Equation include Iran, Russia, Pakistan, Afghanistan, India and China. Targets in those countries included the military, telecommunications, embassies, government, research institutions and Islamic scholars, Kaspersky said.

    Infirm firmware
    Kaspersky’s most striking finding is Equation’s ability to infect the firmware of a hard drive, or the low-level code that acts as an interface between hardware and software.

    The malware reprograms the hard drive’s firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn’t affect it, and the hidden storage sector remains.

    “Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, in a phone interview Monday.

    Drives made by Seagate Technology, Western Digital Technologies, Hitachi, Samsung Electronics and Toshiba can be modified by two of Equation’s hard disk drive malware platforms, “Equationdrug” and “Grayfish.”

    The report said Equation has knowledge of the drives that goes way beyond public documentation released by vendors.


    I don't believe it's impossible to get rid of. If hackers can reprogram the firmware on your hard drive, why can't you???

    xbox, maybe you could if you knew how to do it. Maybe the firmware was made RO. Maybe the malware redirects your browser to a hacker version of the firmware site. This is the norm for router malware. You think you are downloading the latest and greatest but you are not.

    This is well beyond my expertise. I think your point is well taken. The HUGE problem is: how is this type of malware going to be detected? As it is, there are soooo many documented attacks that can't be stopped or detected by a home security system that this doesn't even pose a bigger threat than the less sophisticated ones. Any computer connected to the internet probably has a wide variety of undetectable stealth botnets on it. What is one more? As you wisely stated before, don't do anything on the web a hacker can use against you. I think that is all we can do.

    I will try to look into this as a curiosity. This sounds very interesting.

    Thanks Ireland for bringing this up!

    I read in the article: "Raiu said. Reflashing the drive, or replacing its firmware, is also not foolproof, since some types of modules in some types of firmware are persistent and can't be reformatted, he said." My question is: if the firmware is persistent, how come the hackers altered it? Are they so far ahead of the hard drive engineers? Xbox, it would appear only some drives might not be fixable.

    Lastly, this exploit was only used on big-ticket victims such as banks and governments. We are all safe from this one, but there is plenty of nearly-as-bad malware out there. I was attacked by membroni twice. That rewrites the MBR of any attached drive so that only an infected computer can read it. On the second attack, once the drive is infected it will infect any computer that tries to read the drive. The only way this can be stopped is to have a MOBO with a BIOS write-protect jumper. Otherwise, after the MBR is rewritten the Windows login routine is overwritten. That overwrites some of the shell files. Your computer is taken over before the OS is up and running.
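A baseline-and-compare check for the MBR rewriting described in the post above, added here as an example; it is not code from this thread, from Kaspersky, or from any vendor tool. It builds a 512-byte MBR image inline from constructed values (the bootstrap bytes, disk signature and partition entries are made up), records a SHA-256 of the bootstrap area as a baseline, and then flags a second image whose bootstrap code has been replaced while the partition table still looks normal. The `read_mbr` helper and the device paths in its comment are illustrative; nothing in the example opens a real drive. Such a check runs from inside the OS and covers only the first sector: a drive-firmware implant of the kind the article describes sits below this layer and would not be seen by it, which is why a baseline taken on a trusted machine, not the suspect one, is the useful comparison.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440      # bootstrap code occupies bytes 0-439
DISK_SIG_OFF = 440       # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510       # 0x55 0xAA marks a valid MBR
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, LBA length


def build_mbr(bootstrap, partitions, disk_sig=0x1234ABCD):
    """Assemble a constructed MBR image from sample values (not a real drive)."""
    if len(bootstrap) > BOOTSTRAP_LEN:
        raise ValueError("bootstrap code exceeds 440 bytes")
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary partitions")
    buf = bytearray(MBR_SIZE)
    buf[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    chs = b"\xfe\xff\xff"  # LBA-only entries conventionally max out the CHS fields
    for i, (status, ptype, lba_start, lba_len) in enumerate(partitions):
        struct.pack_into(PART_FMT, buf, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, chs, ptype, chs, lba_start, lba_len)
    buf[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(buf)


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, _, ptype, _, start, length = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": start, "lba_len": length})
    return entries


def bootstrap_hash(mbr):
    """SHA-256 of the bootstrap area; record this on a trusted machine as the baseline."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """Compare an MBR image against the baseline and sanity-check its layout."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("unexpected image length %d" % len(mbr))
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if bootstrap_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        if p["lba_start"] == 0:
            findings.append("partition %d starts at LBA 0 (overlaps the MBR)" % p["index"])
    return {"ok": not findings, "findings": findings, "partitions": parts}


def read_mbr(device_path):
    """Read the first sector of a raw device; needs root/administrator rights.

    Illustrative only: device_path would be something like /dev/sda on Linux
    or \\.\PhysicalDrive0 on Windows. This example never calls it.
    """
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


# Constructed sample data: a "clean" bootstrap and a two-partition layout.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24
PARTITIONS = [(0x80, 0x07, 2048, 409600), (0x00, 0x83, 411648, 2097152)]
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, PARTITIONS)
BASELINE = bootstrap_hash(CLEAN_MBR)

# Same partition table, but the bootstrap code has been replaced (constructed).
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 31, PARTITIONS)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(image, BASELINE)
        print(name, "OK" if result["ok"] else "FINDINGS: " + "; ".join(result["findings"]))
```

The tampered image passes every structural check (valid signature, sane partition table, one bootable entry), so only the baseline comparison catches it; this is the point of keeping a known-good hash rather than relying on the sector "looking right".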
