
Detect Malware on Hard Drive's Firmware?

April 28th, 2016, 23:41

How can I extract my hard drive's firmware, or compare it with the firmware of another hard drive of the same model and brand, and see if it has any modification or malware?

Re: Detect Malware on Hard Drive's Firmware?

April 29th, 2016, 17:45

Do you have any particular brand/model in mind?

Re: Detect Malware on Hard Drive's Firmware?

April 29th, 2016, 18:58

Do you have any experience in embedded firmware source code or reverse engineering? How are you going to know the difference between malware code and regular hard disk code? The malware could be as small as 20 bytes, such as a simple compare to test some state/data and, if found, jump to a function written in regular data on the disk. IMHO, if you need to ask how to do it, you don't have the experience to recognise it. This is simply me explaining my opinion, nothing as a personal attack.

How would you verify what you are comparing against? Not going to be easy, but any special reason you think you would be a target? The threat actor isn't going to waste something like that on just anyone, if you were a target for this sort of thing, you would (should?) know it.

Re: Detect Malware on Hard Drive's Firmware?

April 29th, 2016, 20:27

I would think that the OP could compare the firmware against other firmware dumps such as those in the HDD Guru file section. They may not be easy to find, though. At the very least, one could take a snapshot of one's existing firmware, especially when the drive is new, and compare it against future dumps. The data modules may change over time, but the code modules should remain the same.
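The snapshot-and-compare approach from the post above, as an added example that is not part of the original thread. It assumes each firmware module has already been dumped to its own file in a directory; the file names and the code/data split are constructed for illustration, and the analyst supplies the list of modules that should never change.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(dump_dir):
    """Map each module file name in a dump directory to its SHA-256."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(dump_dir).iterdir() if p.is_file()}

def diff_ranges(a, b):
    """Return (start, end) byte ranges where two module images differ."""
    ranges, start, n = [], None, max(len(a), len(b))
    for i in range(n + 1):
        differs = i < n and (i >= min(len(a), len(b)) or a[i] != b[i])
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append((start, i))
            start = None
    return ranges

def compare(baseline_dir, current_dir, code_modules):
    """code_modules: analyst-chosen names that must never change (assumption)."""
    old, new = manifest(baseline_dir), manifest(current_dir)
    report = {"code_changed": {}, "data_changed": [],
              "missing": sorted(set(old) - set(new)),
              "added": sorted(set(new) - set(old))}
    for name in sorted(set(old) & set(new)):
        if old[name] == new[name]:
            continue
        if name in code_modules:
            report["code_changed"][name] = diff_ranges(
                Path(baseline_dir, name).read_bytes(),
                Path(current_dir, name).read_bytes())
        else:
            report["data_changed"].append(name)
    return report

def demo():
    """Constructed sample: two tiny fake dumps, one code module patched."""
    with tempfile.TemporaryDirectory() as tmp:
        base, later = Path(tmp, "baseline"), Path(tmp, "later")
        for d in (base, later):
            d.mkdir()
            (d / "code_a.bin").write_bytes(bytes(256))
            (d / "log_data.bin").write_bytes(b"\x01" * 64)
        (later / "log_data.bin").write_bytes(b"\x02" * 64)  # expected churn
        patched = bytes(100) + b"\xff" * 20 + bytes(136)
        (later / "code_a.bin").write_bytes(patched)  # 20-byte code change
        return compare(base, later, {"code_a.bin"})
```

Calling `demo()` reports the 20-byte change in the code module with its offsets and lists the data module separately. The result is only as trustworthy as the tool that produced the dumps, a point raised later in the thread.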

Re: Detect Malware on Hard Drive's Firmware?

April 29th, 2016, 23:45

There is no public record of such malware. I mean there are indications that it could exist (found by Kaspersky) but no actual firmware has been found or published.
So you can't compare it, because you wouldn't be able to find it.

Re: Detect Malware on Hard Drive's Firmware?

April 30th, 2016, 5:18

Kaspersky only found it by examining Windows-based malware modules containing the code to infect the different models of HDDs, not by examining any hard drives. I agree with Doomer in that there has not been any found in the wild, but it is assumed there have been infections. IIRC, they did find evidence of infections from that malware at certain high-profile locations. I can't remember if they were able to attribute it to the HDD infector modules though.

Re: Detect Malware on Hard Drive's Firmware?

April 30th, 2016, 5:49

Was used on PLCs for a specific reason.

Re: Detect Malware on Hard Drive's Firmware?

April 30th, 2016, 7:35

einstein9 wrote: Was used on PLCs for a specific reason.

No, that was Stuxnet, and Duqu I think.

We are talking about the Equation group malware and GreyFish. This malware was designed to stay Waaaaay low and avoid detection. It is commonly believed to be the NSA's kit.

https://blog.kaspersky.com/equation-hdd-malware/7623/

Technical write-ups:

https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/ and click "Download “Equation group: questions and answers” PDF" - a very cool read.

If you are into the cybers, go look at the write-up by Phineas Fisher on how he/she supposedly hacked Hacking Team. Very detailed, very cool. The ASCII art pissing on HT is gold, people!
https://nakedsecurity.sophos.com/2016/04/19/how-hacking-team-got-hacked/
Check out the original write-up at http://pastebin.com/raw/0SNSvyjJ

Re: Detect Malware on Hard Drive's Firmware?

April 30th, 2016, 9:15

Well, take this piece of info, which you already know.

IF they want you, they KNOW exactly how to reach you, no matter what you do.
They don't need to implement something to get to anyone. (on this SMALL MOBILE WORLD)

Who is THEY? is the question here.

:wink:

Re: Detect Malware on Hard Drive's Firmware?

April 30th, 2016, 10:45

Agree 100%. And I don't have a problem with "They" getting all up in your business if there is reason. If you are a criminal, terrorist or whatever, then They, following the law as well, should be able to get you.

Even intelligence on your countries gathered through whatever means is kind of fair game.. but to a point. And don't get caught :-) spying on other world delegates at a Summit is kind of an asshole move for example.
Industrial secrets thievery though is not fair game.

The big problems arise when:

- "They" collect everything on everyone just in case they need it one day
- Break the law getting the info, and then concoct a lie to suit giving to a judge
- The criminals themselves get a hold of the tactics and tools "They" use
- "they" lie about what they are doing, then get caught out.. (NSA)


I have a problem with how much damn money is thrown around on this stuff. If you look at that NSA tools doc that was around, it is a ridiculous amount of money. For all the good these purchases do, try explaining to the guy that works for a WHOLE YEAR and his taxable income would buy just a cheap toy from the ANT catalogue.

I will say one thing, I have saved a crap load of money on buying books about cyber shenanigans.. I just have to read the news and blogs :)

Re: Detect Malware on Hard Drive's Firmware?

April 30th, 2016, 11:18

I don't understand why people are so fixated on finding samples of actual Equation malware or the like. That's irrelevant to the OP's question. AIUI the OP simply wants to compare the patient HDD's firmware against known good firmware. By way of analogy, it would be like comparing one's own COMMAND.COM against Microsoft's COMMAND.COM, not against BlackHat's COMMAND.COM.

Re: Detect Malware on Hard Drive's Firmware?

May 2nd, 2016, 0:02

I had a problem with my HD and sent it to a data recovery company. They were able to recover my files and asked me to bring another HD to copy or clone my data.

I wanted to have a sample code or image of my hard disk firmware before sending it. It may be paranoia on my part, but what if someone wants to install some malware in the firmware of my hard drive?

Is there a way to extract the original image and compare afterwards?

Re: Detect Malware on Hard Drive's Firmware?

May 2nd, 2016, 0:24

Maybe paranoia, maybe not. If you work in Government, some engineering industries, some educational/research role, are a terrorist/activist etc, then maybe you might be a target. But the general hacker, or criminal is not going to create/infiltrate a Data Recovery company to install malware on your hard disk. There are MUCH easier ways to do this.

I have more opinions on why 98% of the population shouldn't worry about this until of course it starts getting included in exploit kits.. but that's off topic

Re: Detect Malware on Hard Drive's Firmware?

May 2nd, 2016, 0:25

petabyte85 wrote: I wanted to have a sample code or image of my hard disk firmware before sending it. It may be paranoia on my part, but what if someone wants to install some malware in the firmware of my hard drive?

I wouldn't go at all if I were you, who knows maybe it's a trap and they want to lure you in and sell you to aliens.
I'm sure they read all your messages, so you can't go now, it's definitely a trap.

Re: Detect Malware on Hard Drive's Firmware?

May 2nd, 2016, 18:37

This is the obvious action, any threat actor worth his salt would already have planned for this and would have infected the firmware tools to return the expected result to the user. I am predicting the next thread.. "Anyone know how to make sure the WDMarvel software hasn't been tampered with?"

Paranoia is a slippery slope. Problem is I guess is that some paranoid people ARE being targeted...

Re: Detect Malware on Hard Drive's Firmware?

May 2nd, 2016, 19:11

HaQue wrote: I am predicting the next thread.. "Anyone know how to make sure the WDMarvel software hasn't been tampered with?"
:lol:
HaQue wrote: Problem is I guess is that some paranoid people ARE being targeted...

Re: Detect Malware on Hard Drive's Firmware?

May 2nd, 2016, 19:19

@OP maybe check your motherboard BIOS first... Mooohahahaaaaaaa.... 8)

Re: Detect Malware on Hard Drive's Firmware?

May 2nd, 2016, 23:19

All jokes aside, who here would not find it super interesting to find an infected HDD?!

Re: Detect Malware on Hard Drive's Firmware?

May 2nd, 2016, 23:29

HaQue wrote: All jokes aside, who here would not find it super interesting to find an infected HDD?!

Gotta make one now

Re: Detect Malware on Hard Drive's Firmware?

May 2nd, 2016, 23:30

@HaQue you are right, but we are all (too) busy at work etc. and don't have the time to be paranoid and to put in effort to search and find them