Tuesday, February 17, 2015

Do you want to get rid of this malware? Destroy your disk

We all know about the Flame malware attacking Middle East countries. It's one of the most complex and effective pieces of malware ever made and, according to certain sources, it was developed by the infamous NSA. Well, it looks like they're back in the game.

In a report recently released by the Russian security company Kaspersky (download the full report here), we can read about a new group, called the 'Equation Group', that has been developing and distributing extremely complex malware. I'm not kidding, these are the exact words used there to describe the group and its software:

The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.

The following is a list of the arsenal owned by the Equation group. The components work together, depending on each other for certain actions, and some are "upgraded versions" of others:
  • EQUATIONDRUG – A very complex attack platform used by the group on its victims. It supports a module plugin system, which can be dynamically uploaded and unloaded by the attackers.
  • DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they get upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.
  • TRIPLEFANTASY – Full-featured backdoor sometimes used in tandem with GRAYFISH. Looks like an upgrade of DOUBLEFANTASY, and is possibly a more recent validator-style plugin.
  • GRAYFISH – The most sophisticated attack platform from the EQUATION group. It resides completely in the registry, relying on a bootkit to gain execution at OS startup.
  • FANNY – A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DoubleFantasy, and then to the EQUATIONDRUG system. Fanny used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet.
  • EQUATIONLASER – An early implant from the EQUATION group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY and EQUATIONDRUG.
But this is not the most impressive achievement of the Equation group. I quote the report:

Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the EQUATION group’s attack technologies that exceeds anything we have ever seen before. This is the ability to infect the hard drive firmware.

What does this mean? Basically, if you get infected, neither formatting the disk nor re-installing the OS will get rid of the malware. Also, this malware is impossible to detect. Some specific brands of hard drives are affected, including Samsung, Maxtor and Toshiba.

But what is the reach of the infection? Here's a map provided in the document:

Although this is a huge hacking operation, you shouldn't be worried if you are an average citizen. But if you work anywhere and have a computer at work, chances are that you have been infected, and you'll never know it.

