All times are UTC - 5 hours [ DST ]


 Post subject: Vendor-specific ATA commands used by NSA malware
PostPosted: November 15th, 2021, 10:54 

Joined: November 15th, 2021, 7:57
Posts: 6
Location: United States
The NSA used a malware module, codenamed IRATEMONK, to reprogram drive firmware, making their malware unremovable from a computer. I have a sample of this IRATEMONK installer module (nls_933w.dll) for the NSA malware UNITEDRAKE, compiled in 2010, and have extracted the ATA commands it uses. Some of these I've been able to identify, but most I can't; I thought some of you could find this interesting and maybe even identify some of the mystery ones. The module supports WD, Seagate, Samsung, and Maxtor drives, so all commands should relate to these vendors.

All ATA commands here are a list of ATA registers 1-7, where for example the last (#7) is the command code.

For WD ROYL drives it uses the well known commands to read/write firmware modules, firstly with the "VSC enable" command (0x45 0xb 0x0 0x44 0x57 0xa0 0x80), and then SCT (Smart Command Transport) commands through vendor-specific command log 0xbe (0xd6 0x1 0xbe 0x4f 0xc2 0xa0 0xb0) and data log 0xbf (0xd6 0x1 0xbf 0x4f 0xc2 0xa0 0xb0).

For Seagate F3 drives it uses vendor-specific SCT to send SDBP (Seagate Diagnostic Bridge Protocol) commands to log 0xbe sector 0x2459 with WRITE LOG EXT (0x0 0x0 0xbe 0x2459 0x0 0xe0 0x3f), and reads the resulting data from log 0xbf sector 0x2459 with READ LOG EXT (0x0 0x0 0xbf 0x2459 0x0 0xe0 0x2f). All of the SDBP commands it seems to use are DITS (Diagnostic Internal Test Service), and I can't really understand what they do because, unlike the DETS (Diagnostic External Test Service) commands, I can't find any documentation or information on them.

Here are the ATA commands I haven't identified:
Code:
0x0 0x0 0x0 0x0 0x0 0xe0 0xfc
0x0 0x55 0x46 0x4e 0x55 0xe0 0xf7
0x0 0x0 0x0 0x0 0x0 0xa0 0x80
0x0 0x0 0x0 0x0 0x0 0xa0 0x82
0x23 0x0 0x0 0x0 0x0 0xa0 0x9a
0x22 0x0 0x0 0x0 0x0 0xa0 0x9a
0x22 0x80 0x0 0x0 0x0 0xa0 0xc0
0x1 0x0 0x0 0x0 0x0 0xe0 0xf7
0x2 0x0 0x0 0x0 0x0 0xe0 0xf7
0x2a 0x0 0x0 0x1 0x0 0xa0 0x8f
0x57 0x44 0x43 0x0 0x0 0xa0 0x8a
0xd5 0x1 0xbb 0x4f 0xc2 0xa0 0xb0
0x0 0x0 0xdb 0x97 0x20 0xe0 0xc1
0x0 0x0 0x1 0x0 0x0 0xe0 0xc0
0xd6 0xf1 0x91 0x4f 0xc2 0xe0 0xb0
0xd5 0xf1 0x91 0x4f 0xc2 0xe0 0xb0
0x0 0x4 0x0 0xff 0xff 0xa0 0xc1
0x0 0x4 0x0 0xff 0xff 0xa0 0xc0
0x24 0x3 0x1 0x0 0x0 0xa0 0x9a
0x0 0x1 0x0 0x0 0x0 0xe0 0x9a
0x17 0x0 0x0 0x0 0x0 0xa0 0x92
0x20 0x0 0x0 0x0 0x0 0xa0 0x92


 
 Post subject: Re: Vendor-specific ATA commands used by NSA malware
PostPosted: November 15th, 2021, 17:57 

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
On a first glance I see WD, Maxtor, and Samsung

Update: and VERY old Seagate

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


 
 Post subject: Re: Vendor-specific ATA commands used by NSA malware
PostPosted: November 15th, 2021, 18:53 

Joined: November 15th, 2021, 7:57
Posts: 6
Location: United States
Doomer wrote:
On a first glance I see WD, Maxtor, and Samsung

Update: and VERY old Seagate


Thank you friend, I believe the NSA started developing this around 2007, so some of the drives supported will probably be very old today. Out of interest how old is "VERY old Seagate" here though, 90s-era?

Also here is the sample and some more info if anyone is interested.

ATA commands are stored in this as an array of register data structures: 4 zero bytes (padding?), 1 byte (register number), 1 byte (register value). For example, the identify device command (0xec) is these bytes at file offset 0x28f0c:
Code:
0x00 0x00 0x00 0x00
0x06 0x00
0x00 0x00 0x00 0x00
0x07 0xec
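
Added example (not code from the thread, the module, or any vendor tool): a small Python decoder for the two encodings described in this thread, the 6-byte register entries hellofriends quotes at offset 0x28f0c and the 7-register vectors of the first post. It assumes the register numbers follow the legacy ATA task-file order (features, count, LBA low, LBA mid, LBA high, device, command) and labels only the command codes the thread itself identifies; the sample bytes are constructed from the posted values.

```python
import struct

# Register order assumed: legacy task file numbered 1..7 as in the first post
# (features, count, lba_low, lba_mid, lba_high, device, command).
# Command codes the thread identifies; anything else is reported as unknown.
KNOWN_COMMANDS = {0xEC: "IDENTIFY DEVICE", 0xB0: "SMART",
                  0x2F: "READ LOG EXT", 0x3F: "WRITE LOG EXT"}
SMART_SUBCMDS = {0xD5: "SMART READ LOG", 0xD6: "SMART WRITE LOG"}

def parse_command(blob, off=0):
    """Read 6-byte entries (4 zero bytes, register number, value) starting at
    off until the command register (#7); return ({reg: value}, next offset)."""
    regs = {}
    while off + 6 <= len(blob):
        pad, num, val = struct.unpack_from("<IBB", blob, off)
        off += 6
        if pad != 0 or not 1 <= num <= 7:
            raise ValueError(f"malformed register entry at 0x{off - 6:x}")
        regs[num] = val
        if num == 7:
            return regs, off
    raise ValueError("register list ends before a command register")

def describe(vec):
    """Label a 7-register vector written the way the first post lists them."""
    feat, count, lba_low, lba_mid, lba_high, _dev, cmd = vec
    name = KNOWN_COMMANDS.get(cmd, f"unknown command 0x{cmd:02x}")
    if cmd == 0xB0 and (lba_mid, lba_high) == (0x4F, 0xC2):  # SMART signature
        sub = SMART_SUBCMDS.get(feat, f"SMART subcommand 0x{feat:02x}")
        return f"{sub}, log 0x{lba_low:02x}, {count} sector(s)"
    if cmd in (0x2F, 0x3F):  # log address in LBA low, page number in LBA mid
        return f"{name}, log 0x{lba_low:02x}, page 0x{lba_mid:04x}"
    return name

def decode_blob(blob):
    """Decode consecutive commands from a register-entry array."""
    out, off = [], 0
    while off < len(blob):
        regs, off = parse_command(blob, off)
        out.append(describe([regs.get(i, 0) for i in range(1, 8)]))
    return out

# Constructed sample: the IDENTIFY DEVICE entry quoted in the post, followed by
# the WD SMART WRITE LOG vector from the first post re-encoded in the same form.
SAMPLE = bytes([0, 0, 0, 0, 6, 0x00, 0, 0, 0, 0, 7, 0xEC])
SAMPLE += b"".join(struct.pack("<IBB", 0, n, v) for n, v in
                   zip(range(1, 8), [0xD6, 0x01, 0xBE, 0x4F, 0xC2, 0xA0, 0xB0]))
```

Running `decode_blob(SAMPLE)` yields one label per command; the unidentified vectors from the first post come back as "unknown command 0x..", which is the honest result for anything the thread has not named.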


 
 Post subject: Re: Vendor-specific ATA commands used by NSA malware
PostPosted: November 16th, 2021, 9:14 

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
hellofriends wrote:
Thank you friend, I believe the NSA started developing this around 2007, so some of the drives supported will probably be very old today. Out of interest how old is "VERY old Seagate" here though, 90s-era?

2001
it's a 20-year-old drive

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


 
 Post subject: Re: Vendor-specific ATA commands used by NSA malware
PostPosted: November 16th, 2021, 9:28 

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
hellofriends wrote:
I have a sample of this IRATEMONK installer module (nls_933w.dll) for the NSA malware UNITEDRAKE, compiled 2010

yet, you uploaded a file from 2018

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


 
 Post subject: Re: Vendor-specific ATA commands used by NSA malware
PostPosted: November 16th, 2021, 9:46 

Joined: November 15th, 2021, 7:57
Posts: 6
Location: United States
Doomer wrote:
hellofriends wrote:
I have a sample of this IRATEMONK installer module (nls_933w.dll) for the NSA malware UNITEDRAKE, compiled 2010

yet, you uploaded a file from 2018


Yes, the file timestamp is 2018, but DLL files also have an internal timestamp of when they were compiled; this one has the timestamp Tue Jun 15 12:23:37 2010 UTC-5. The NSA often forged their malware compilation timestamps, but this one seems probably real and matches other known information.

I believe the NSA stopped developing this around late 2013, when the Snowden leaks exposed it and made it attributable. Kaspersky reported they have a later 2013-dated version for the NSA's STRAITBIZARRE malware that supports far more drives, including SSDs; unfortunately I don't have it though.

The reason basically all drives after 2015 enforce firmware-signing is actually because of Kaspersky's 2015 "Equation Group" report on this, which made all the major vendors lock down their drive security.


 
 Post subject: Re: Vendor-specific ATA commands used by NSA malware
PostPosted: November 16th, 2021, 13:08 

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
Looks like the idea is to replace the boot sector (LBA 0) with special boot code and store it in the drive's firmware. On a cold boot the drive would replace the actual LBA 0 with the one stored inside the drive's FW and theoretically boot whatever it needs.
This would require changing the drive's code that handles LBA reading.

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


 
 Post subject: Re: Vendor-specific ATA commands used by NSA malware
PostPosted: November 18th, 2021, 1:29 

Joined: November 15th, 2021, 7:57
Posts: 6
Location: United States
Here are the SDBP DITS commands it sends to Seagate F3 drives:

Code:
01 00 01 00 08 00 00 00 ff ff 01 00 9a 32 4f 03
01 00 01 00 10 00 00 00 49 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00
01 00 01 00 0c 00 00 00 32 01 01 00 00 00 00 00 00 00 00 00
01 00 01 00 f8 01 00 00 35 01 01 00 00 00 00 00 00 00 00 00
01 00 01 00 f8 01 00 2f 36 01 01 00 00 00 00 00 00 80 17 00


I would really appreciate any help understanding what these do. I have read some old posts here of users implying they have access to Seagate DITS command documentation.

