
Spyware inside HDD Firmware, How can it be?

February 18th, 2015, 10:47

http://redmondmag.com/articles/2015/02/ ... mware.aspx

http://www.reddit.com/r/news/comments/2 ... e_in_hard/

http://www.m-404tech.tk/2015/02/huge-sp ... idden.html

http://www.dailykos.com/story/2015/02/1 ... -Firmware#

Re: Spyware inside HDD Firmware, How can it be?

February 18th, 2015, 11:39

This spyware can survive a hard disk wipe?

Re: Spyware inside HDD Firmware, How can it be?

February 18th, 2015, 11:42

petabyte85 wrote: This spyware can survive a hard disk wipe?

Apparently it's in SA so yes.

Re: Spyware inside HDD Firmware, How can it be?

February 18th, 2015, 11:59

Must be some very advanced spyware :lol:

Re: Spyware inside HDD Firmware, How can it be?

February 18th, 2015, 12:27

Not just advanced, but different iterations of it for different models and families. IMHO it was done with the helping hand of HDD manufacturers. I doubt reverse engineering was involved.

Re: Spyware inside HDD Firmware, How can it be?

February 18th, 2015, 12:33

Does this spyware affect SSDs too?

Re: Spyware inside HDD Firmware, How can it be?

February 18th, 2015, 12:39

The plugin supports two main functions: reprogramming the HDD firmware with a custom payload from the EQUATION group, and providing an API into a set of hidden sectors (or data storage) of the hard drive. This achieves several important things:
• Extreme persistence that survives disk formatting and OS reinstall.
• An invisible, persistent storage hidden inside the hard drive.
The plugin version 3 has the ability to reprogram six drive “categories”:
• “Maxtor”, “Maxtor STM”
• “ST”, “Maxtor STM”, <Seagate Technology>
• “WDC WD”, <Western Digital Technologies, Inc>
• “SAMSUNG”, <SAMSUNG ELECTRONICS CO. LTD>
• “WDC WD”, <Western Digital Technologies, Inc> additional vendor specific checks used (spawns two subclasses)
• <Seagate Technology>
The plugin version 4 is more complex and can reprogram 12 drive “categories”.

The classes supported are:
• “WDC WD”, <Western Digital Technologies Inc> additional vendor specific checks used
• “ST”, “Maxtor STM”, “SEAGATE ST”, <Seagate Technology>
• “SAMSUNG”, <SAMSUNG ELECTRONICS CO., LTD.>
• “WDC WD”, <Western Digital Technologies, Inc.> additional vendor specific checks used
• <HGST a Western Digital Company>, “IC”, “IBM”, “Hitachi”, “HTS”, “HTE”, “HDS”, “HDT”, “ExcelStor”
• “Max”, “Maxtor STM”
• <MICRON TECHNOLOGY, INC.>, “C300”, “M4”
• <HGST a Western Digital Company>, <TOSHIBA CORPORATION>
• “OCZ”, “OWC”, “Corsair”, “Mushkin” additional vendor specific checks used
• <Samsung Electronics Co., Ltd., Storage System Division>, <Seagate Technology>, <SAMSUNG ELECTRONICS CO., LTD.> +additional checks
• <TOSHIBA CORPORATION COMPUTER DIVISION>, “TOSHIBA M” +checks
• <Seagate Technology>, “ST”

Re: Spyware inside HDD Firmware, How can it be?

February 18th, 2015, 15:50

The question is: why did Kaspersky Lab inspect the HDD SA for spyware detection?

Can it be Kaspersky policy to increase their sales?
Can it be a scheme to withdraw HDDs from the market to be replaced by SSDs?

Re: Spyware inside HDD Firmware, How can it be?

February 18th, 2015, 16:37

This is possible, but not that easy. You need not only to use VSC but to replace the driver as well, for every particular motherboard (controller), as standard ATA addresses are beyond VSC addresses.
But it works, so a "hardware" HDD virus is not a myth (though it is not a very common issue yet). This FW breach was demonstrated about one year ago in Tokyo at the Code Blue conference by one of the biggest experts on the Japanese data recovery market:
http://www.youtube.com/watch?v=LPXUtBfgLNk
Most interesting stuff between 35-42 min. After FW manipulation via a custom built driver + VSC commands (hardware virus emulation), the hard drive just stopped working at all (overwriting of specific modules with CS recalc without any special hardware). Shall I tell more about what's possible to do with a HDD if it's possible to emulate a physical issue? (drive clicks or/and spins down).

Re: Spyware inside HDD Firmware, How can it be?

February 18th, 2015, 17:32

shahij wrote: The question is: why did Kaspersky Lab inspect the HDD SA for spyware detection?

Can it be Kaspersky policy to increase their sales?
Can it be a scheme to withdraw HDDs from the market to be replaced by SSDs?


They were reverse engineering the malware and found the HDD firmware code.. not reverse engineering HDDs.

The last 2 questions.. well, no

Re: Spyware inside HDD Firmware, How can it be?

February 19th, 2015, 3:21

Spildit wrote:
shahij wrote: The question is: why did Kaspersky Lab inspect the HDD SA for spyware detection?

Can it be Kaspersky policy to increase their sales?
Can it be a scheme to withdraw HDDs from the market to be replaced by SSDs?


SSDs can be affected as well. They also have firmware.
As long as you know the vendor specific commands to access the firmware on the SSD you can do the same with it as with a HDD (edit firmware).

Also, if you install one of those "hacked" HDDs and your system starts to look funny you might consider investigating the drive.

Example: I run a completely "paranoid" system, with sandbox, VM, network intrusion detection, etc ...

Let's say that I plug one of those "hacked" drives into my system and from one moment to the other the computer starts to attempt to connect to the network, or on my router I can see connections to the NSA servers, etc ...

However elaborate the "spyware" is, it can infect the machine where the drive is plugged in but will not infect the routers and other machines on the LAN that are well protected. Those can "see" what is going on on the LAN and you can start looking at which computer is connecting to the NSA.

Then you just format the thing, and re-install. Then you figure out that no matter what you do and re-install, the computer still connects to the NSA.

So you just start removing hardware to figure out what kind of hardware is doing the connection.

Remember THIS IS NOT NEW.

A DVD/CD-ROM drive can be modified in a way that when you plug it in the firmware will infect your Windows and act as a rootkit. The same for other hardware.

People used to plug devices in at cyber cafés to log the key strokes of other users. They would simply plug a device into the keyboard plug and it would log the keys.

When you install a network card are you sure it will not allow NSA access or will not phone the NSA by sending packets to them? And a firewall, are you sure it will not react to a specific TCP or UDP packet and shut down when receiving that packet?


SSDs can be affected (if it was written earlier, before release to the market, as is also applicable for HDDs) but they didn't focus on SSDs being affected too. End-users will stop buying HDDs based on this news; they will try to replace them with SSDs, as there was no news that SSDs are affected also. At the same time, end-users will come to think that Kaspersky should be used for their protection! This is just my thought/assumption, it may not be correct, or can be partially correct! :)
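The LAN-side detection approach in Spildit's post quoted above (watch from the router or NIDS, wipe and reinstall, see whether the same contacts come back), as an added illustration that is not from the thread. Hosts, addresses, the allow-list and timestamps are all constructed.

```python
"""Flag outbound destinations that survive an OS reinstall.

The thread's reasoning: a destination a host keeps contacting after a full
format and reinstall cannot be explained by the OS, so the cause sits
below it (firmware or another piece of hardware). The vantage point is
the router/NIDS, which the suspect host cannot tamper with.
"""
from collections import defaultdict
from datetime import datetime

# Constructed router/NIDS connection log: "timestamp src dst" per line.
FLOW_LOG = """\
2015-02-18T10:02:11 192.168.1.20 203.0.113.7
2015-02-18T10:15:40 192.168.1.20 203.0.113.7
2015-02-18T10:20:03 192.168.1.21 198.51.100.9
2015-02-18T11:00:00 192.168.1.22 203.0.113.7
2015-02-19T09:05:00 192.168.1.20 203.0.113.7
2015-02-19T09:40:12 192.168.1.21 198.51.100.9
"""

# Constructed reinstall events: host -> time it was wiped and reinstalled.
REINSTALLS = {
    "192.168.1.20": datetime(2015, 2, 18, 18, 0, 0),
    "192.168.1.21": datetime(2015, 2, 19, 9, 30, 0),
    "192.168.1.22": datetime(2015, 2, 18, 12, 0, 0),
}

# Constructed allow-list of destinations the site expects (update servers etc.).
EXPECTED = {"198.51.100.9"}


def parse_flows(text):
    """Parse the log into (datetime, src, dst) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst))
    return flows


def persistent_destinations(flows, reinstalls, expected):
    """Return {host: {dst, ...}} for unexpected destinations a host contacted
    both before and after its reinstall. Hosts whose contacts stop after the
    wipe (a normal OS-level infection) are not reported."""
    before, after = defaultdict(set), defaultdict(set)
    for ts, src, dst in flows:
        if dst in expected or src not in reinstalls:
            continue
        (after if ts > reinstalls[src] else before)[src].add(dst)
    return {h: before[h] & after[h] for h in before if before[h] & after[h]}
```

With the constructed data only 192.168.1.20 is reported: 192.168.1.22 contacted the same destination but stopped after its reinstall, and 192.168.1.21 only talks to an allow-listed address.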

Re: Spyware inside HDD Firmware, How can it be?

February 22nd, 2015, 16:25

This spyware uses the file nls_933w.dll, so does it only affect Windows systems or not? And what about Linux, BSD and Mac? Or are there variants of this spyware for each OS?

Re: Spyware inside HDD Firmware, How can it be?

February 22nd, 2015, 17:31

If you google "Equation group" and "Kaspersky" you will find the research paper and all the answers to your questions

Re: Spyware inside HDD Firmware, How can it be?

February 23rd, 2015, 11:14

Amazing read @ Kaspersky! Terrifying capabilities.

Re: Spyware inside HDD Firmware, How can it be?

February 23rd, 2015, 17:30

Gets you thinking..

Ok, so we have always thought they were out of control with regard to computer based capabilities.. and we find out now for certain that it goes pretty much into sci-fi territory. With the ANT catalog, the Equation Group stuff, really there isn't anywhere left to go.

Now what if you relate the same kind of thing to other areas?

- What if the biological research/actual capability was paralleled to the computer stuff?
- What if the things like super soldiers, muscle enhancement, intelligence enhancement things we see on the screen are also more advanced than what we probably believe?
- What about the social engineering? What if the capabilities are far more advanced than what we think? We know they manipulate the media/public forums/certain social groups.

I think a big mistake is to look at just the HDD hacking for the Equation Group; similarly, a big mistake to just focus on the computer based stuff.

I find it all fascinating, like living inside a Sci-Fi novel. Really, what are we supposed to do about it, aside from sit back and "enjoy" the unfolding of the world's most elaborate Sci-Fi series! ;)

I think it was Jason from Grumpy Old Geeks that said (to paraphrase) "when you read this stuff, you realise just how fucked we all are"

(sorry for the language)