Monday 16 February 2015

Espionage Group Reprograms Hard Drive Firmware


Researchers have identified a group of highly sophisticated cyber spies that may have been active for as long as 20 years and that used the same zero-day vulnerabilities later used by the creators of the Stuxnet worm. These spies also developed malware that reprograms the firmware of hard drives from popular brands, something the researchers had never seen before.

The spies were dubbed the "Equation Group" by the Russian anti-virus firm Kaspersky Lab. The earliest domains the group used to control infected computers date from 2001, while the first malware samples were compiled in 2002. Other domains the group used for controlling infected computers were registered as early as 1996, which could mean that the spies have been active for almost two decades.

The Equation Group developed several malware platforms that are more advanced than the Regin malware revealed last year. Among other things, it developed a computer worm that in 2008 gathered all kinds of information about targets in Asia and the Middle East. This worm, named "Fanny", used two zero-day vulnerabilities that were later used in Stuxnet. According to Kaspersky, this means that the Equation Group either developed Stuxnet itself or worked together with the developers of that worm.

The Fanny worm was probably intended to map networks that were not connected to the Internet. The malware was distributed through USB sticks; on an infected USB stick, Fanny created a hidden storage area in which it kept the information it collected about infected systems. The group also intercepted physical goods in transit and replaced them with trojanized versions.

In one example, some of the participants in a scientific conference in Houston received, after returning home, a copy of the conference proceedings on CD-ROM. That CD was then used to install the group's DoubleFantasy implant on the target's machine. Exactly how these CDs were intercepted is unknown.


Besides USB sticks and CDs, the espionage group also used web-based exploits, among others for vulnerabilities in Java and Internet Explorer, to infect victims. Unknown exploits, possibly zero-days, were also deployed against the Firefox 17 version of the Tor Browser, which is based on a customized Firefox build.

Since 2001 the cyber spies are believed to have infected thousands of computers in a variety of sectors, including government, telecommunications, energy, nanotechnology, financial institutions, oil and gas, and aviation. Most victims are in Iran and Russia. In total Kaspersky Lab counted 500 victims, but the real number is probably much higher, because the malware has a self-destruct mechanism. It is therefore possible that tens of thousands of computers were infected.

What really sets the group apart is its ability to reprogram the firmware of hard drives from all kinds of brands. The researchers were able to recover two modules used to reprogram the firmware. With this technique the attackers can reinstall their malware and survive a reformat of the hard drive, and they can also create an invisible storage area on the disk. The module appears to have been used only on a very limited scale, probably against the most valuable targets.

"Another dangerous consequence is that once the hard disk is infected with this malicious payload, it is simply impossible to scan its firmware. For most hard disks there are functions to write to the firmware area of the hardware, but there are no functions to read it back. This means that we are practically blind and cannot detect hard drives that have been infected with this malware," warns Costin Raiu, director of research at Kaspersky Lab.

The ability to create an invisible, persistent area on the hard disk is used to store collected information that the attackers can retrieve later. In some cases it may also help the group break encryption: "Given the fact that their GrayFish implant is active from the very moment the system boots, they have the ability to intercept the encryption password and save it in this hidden area," explains Raiu.


Although all of the malware found works on Windows, traces were also found that point to Mac OS X malware. One of the domains used to control infected computers received a variety of connections from Chinese Mac OS X computers. It is therefore assumed that at least one of the platforms also exists in a Mac version. The group is also said to be able to infect iPhones.

Despite their skill level, the malware writers still left traces. Several keywords were encountered in the studied modules, such as DESERT WINTER, STRAIT SHOOTER and GROK. The last term appeared in NSA documents published by Der Spiegel. Kaspersky Lab discovered the Equation Group during its investigation into the Regin malware, which the anti-virus firm had attributed to the NSA. In addition, the group labels its malware as "implants", a term that appeared earlier in the NSA documents leaked by Snowden, and the development of Stuxnet is also attributed to the NSA.

In the coming days the Russian anti-virus company will publish more details about the group and its methods. Meanwhile, a document (pdf) has already been published online with indicators and details so that researchers and administrators can check machines within their own organization or environment. "The more we investigate this kind of cyber-espionage operation, the more we realize how little we know about it. Together we can uncover these practices and work toward a safer (cyber) world," say the researchers.

Below are the sample hashes (SHA-256, plus one MD5 for GrayFish) with sample names, checked against VirusTotal:

_SD_IP_CF_dll\866f94f30d9865995494a0f7228329c26149eef2960500b2177c736c5c846035
Disk from Houston\868eb363f32beacd8bcdc7a114e020d4cfe67913a15275f4e7493d87db643ff2
DoubleFantasy\1e55abb94951cedc548fd8d67bd1b50476808f1d0ae72f9842181761ff92f83f
EquationDrug\1b0eb1a1591140175d1ac111a98c89472b196599baf13ef67ee7f63d0052b00e
EquationLaser\9412a66bc81f51a1fa916ac47c77e02ac1a7c9dff543233ed70aa265ef6a1e76
Fanny\003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9
GrayFish\df4bbd02dcd8b8b9e1374c6f71f2e2da8518d39337b35983874266e8fff055e1
GrayFish (MD5)\9B1CA66AAB784DC5F1DFE635D8F8A904
GROK\441f2a6775621af8c5d1ead7082e9573ad878bc90675ed55f86abfc8a9e8cc6f
nls_933w_dll\83d14ce2dcfc852791d20cd78066ba5a2b39eb503e12e33f2ef0b1a46c68de73
TripleFantasy\112d70111fef5e5e072b17e0d5d9312a0826cb85304a17bb51330d9800936c4a
TripleFantasy\24b7e7553b1aa241997e28775d3952c4cb885056c4606cbed9b450320b601255
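The hash list above is the kind of indicator an administrator can sweep a file system with. The script below is an added example (not from the original post or from Kaspersky's report): it parses the "name\hash" lines transcribed from the list, tells SHA-256 from MD5 entries by digest length, hashes every file under a directory and reports matches. Bear in mind the caveat from the article: hash matching only finds the exact samples listed, and neither the hidden disk area nor a reprogrammed firmware can be found this way, since the firmware cannot be read back.

```python
"""Sweep a directory tree for the Equation Group sample hashes listed above."""
import hashlib
import os
import sys
import tempfile

# Transcribed from the list above: one SHA-256 per sample plus one MD5
# for GrayFish, in the same "name\hash" layout.
IOC_TEXT = r"""
_SD_IP_CF_dll\866f94f30d9865995494a0f7228329c26149eef2960500b2177c736c5c846035
Disk from Houston\868eb363f32beacd8bcdc7a114e020d4cfe67913a15275f4e7493d87db643ff2
DoubleFantasy\1e55abb94951cedc548fd8d67bd1b50476808f1d0ae72f9842181761ff92f83f
EquationDrug\1b0eb1a1591140175d1ac111a98c89472b196599baf13ef67ee7f63d0052b00e
EquationLaser\9412a66bc81f51a1fa916ac47c77e02ac1a7c9dff543233ed70aa265ef6a1e76
Fanny\003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9
GrayFish\df4bbd02dcd8b8b9e1374c6f71f2e2da8518d39337b35983874266e8fff055e1
GrayFish\9B1CA66AAB784DC5F1DFE635D8F8A904
GROK\441f2a6775621af8c5d1ead7082e9573ad878bc90675ed55f86abfc8a9e8cc6f
nls_933w_dll\83d14ce2dcfc852791d20cd78066ba5a2b39eb503e12e33f2ef0b1a46c68de73
TripleFantasy\112d70111fef5e5e072b17e0d5d9312a0826cb85304a17bb51330d9800936c4a
TripleFantasy\24b7e7553b1aa241997e28775d3952c4cb885056c4606cbed9b450320b601255
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_ioc_list(text):
    """Return {lowercase hex digest: sample name}.

    A 64-character digest is SHA-256, a 32-character one is MD5; anything
    else is a transcription error and is rejected rather than silently
    turned into an indicator that can never match.
    """
    iocs = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, digest = line.rpartition("\\")
        digest = digest.lower()
        if len(digest) not in (32, 64) or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"unexpected hash format: {line!r}")
        iocs[digest] = name
    return iocs


def hash_file(path):
    """Return (md5_hex, sha256_hex) of a file, read in 1 MiB chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root, iocs):
    """Walk root and return [(path, algorithm, sample name)] for every hit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                md5, sha = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if sha in iocs:
                hits.append((path, "sha256", iocs[sha]))
            elif md5 in iocs:
                hits.append((path, "md5", iocs[md5]))
    return hits


def demo():
    """Self-check on a constructed file (not real malware).

    Returns (number of parsed IOCs, hits against an IOC set containing the
    constructed file's own SHA-256, hits against the real list).
    """
    iocs = parse_ioc_list(IOC_TEXT)
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "sample.bin")
    with open(path, "wb") as f:
        f.write(b"constructed sample, not real malware")
    _, sha = hash_file(path)
    return len(iocs), scan_tree(tmp, {sha: "constructed-sample"}), scan_tree(tmp, iocs)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, algo, sample in scan_tree(root, parse_ioc_list(IOC_TEXT)):
        print(f"{hit_path}: matches {sample} ({algo})")
```

Run it as `python sweep.py /path/to/check`; it prints one line per matching file and nothing on a clean tree. Both digests are computed in a single pass so that the lone MD5 indicator costs no extra disk reads.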
