February 17, 2015

Indestructible malware by Equation cyberspies is out there – but don’t panic (yet)


Kaspersky’s GReAT team has just published research on the Equation cyber-espionage group’s activity, and it revealed quite a few technical marvels. This old and powerful hacker group has produced a very complex family of malicious “implants”, but the most interesting finding is the malware’s ability to reprogram the victim’s hard drives, making those implants invisible and almost indestructible.

This is one of the long-anticipated scary stories in computer security. An incurable virus that persists in computer hardware forever was considered an urban legend for decades, but it seems someone has spent millions of dollars to make it happen. Some press reports on the Equation story go as far as saying this enables hackers “to eavesdrop on the majority of the world’s computers”. However, we want to lower the level of drama: this ability will remain as rare as pandas walking across the street.


Let’s start by explaining what “hard drive firmware reprogramming” means. A hard drive consists of two important components: a storage medium (magnetic platters for classic HDDs, or flash memory chips for SSDs) and a controller microchip, which actually handles reading from and writing to the medium, as well as many service procedures such as error detection and correction. These service procedures are numerous and complex, so the chip executes its own sophisticated program and, technically speaking, is a small computer in itself. The chip’s program is called firmware, and a hard drive vendor may want to update it to correct discovered errors or improve performance.

This update mechanism was abused by the Equation group, which was able to upload its own firmware to hard drives of 12 different “categories” (vendors/variants). The functions of this modified firmware remain unknown, but malware on the computer obtains the ability to write and read data to/from a dedicated area of the hard drive. We assume that this area becomes completely hidden from the operating system and even from specialized forensic software. The data in this area may survive hard drive reformatting, and the firmware is theoretically able to reinfect the hard drive’s boot area, infecting a newly installed operating system from the very beginning. To complicate things further, the host computer can only inspect or reprogram the firmware by going through that same firmware, so there is no way to verify its integrity or to reliably reflash it from the computer. In other words, once infected, hard drive firmware is undetectable and almost indestructible. It’s easier and cheaper to discard a suspect drive and buy a new one.

However, don’t rush to find your screwdriver: we don’t expect this ultimate infection ability to become mainstream. Even the Equation group itself probably used it only a few times, as the HDD infector module is found extremely rarely on victims’ systems. For starters, hard drive reprogramming is much more complex than writing, say, Windows software. Each hard drive model is unique, and developing alternative firmware for it is very expensive and painstaking. An attacker must obtain the hard drive vendor’s internal documentation (which is nearly impossible), purchase several drives of the exact same model, develop and test the required functionality, and squeeze malicious routines into the existing firmware while preserving all of its original functions. This is very demanding engineering that requires months of development and millions in investment, which is why it’s not feasible to use this kind of stealth technology in criminal malware or even in most targeted attacks. In addition, firmware development is obviously a boutique approach that can’t be easily scaled. Many manufacturers release firmware for multiple drives each month, new models come out constantly, and hacking each one is beyond the capability (and the needs) of the Equation group, or anyone else.

So, the practical outcome of the story is this: HDD-infecting malware is not a legend anymore, but the average individual isn’t at risk. Don’t smash your drives with a hammer unless you work in Iran’s nuclear industry. Pay more attention to less exciting, but far more probable, risks such as being hacked because of bad passwords or an outdated antivirus.