
Kaspersky Labs Says that the "Equation Group" Can Plant Undetectable Spyware


wa_desert_rat


In a Computerworld article, an investigation of hard drives from around the world by Kaspersky Labs has uncovered spyware that is undetectable and unremovable and represents the most amazing bit of coding they've ever seen. Whoever the "Equation" group is, Kaspersky claims it's whoever wrote Stuxnet, which shares a couple of bits of code with the HD code (named "fanny").

 

The article shows a map of the countries targeted. Apparently the code is not planted on all hard drives but only hard drives destined for certain countries.

 

Stuxnet was widely thought to be a co-creation of Mossad (Israel) and NSA (US) but no one really knows. And because it's unlikely to have signed any code inserted into the micro-code of hard drives, there is really no evidence. And Kaspersky, you should remember, is a Russian company headed by a man who was trained in a school run by the KGB. So who knows what misinformation is being spread around here.

 

Here is the Computerworld article: http://www.computerworld.com/article/2884938/equation-cyberspies-use-unrivaled-nsa-style-techniques-to-hit-iran-russia.html

 

Frankly, if this story is true, I'd be proud of our coders. Hope they're behind it. And I hope they've advanced their efforts.

 

WDR


Undetectable by a computer user, once you strip the component parts apart and put them in the lab a lot of stuff is detectable that is otherwise invisible. Snowden released a whole catalog of hardware nasties that could be installed on a system.

 

Reactions from other places seem to confirm what Kaspersky Labs is saying too.


Having NSA or one of their counterparts snooping isn't a worry for most folks, the snoops will get bored and snoop elsewhere fairly quickly. Where the problem lies is that the nasty details leak and then the crooks start snooping and they can and will cause a user a lot of grief.


> Having NSA or one of their counterparts snooping isn't a worry for most folks, the snoops will get bored and snoop elsewhere fairly quickly. Where the problem lies is that the nasty details leak and then the crooks start snooping and they can and will cause a user a lot of grief.

And besides, NSA and CIA already know about Stanley and me. But the rest of you..... :D

 

But back to a serious note, in this case a "snoop" pretty much needs physical access to the hard drives (which explains why the targets are limited in scope) as well as a technical prowess that's about as high as you can get. Plus access to inside information. NSA and CIA are not allowed to conduct operations inside the US, so either the FBI managed to get all those details by turning someone inside every single HD manufacturer (unlikely), or Equation is foreign (and therefore "allowed" to mount operations inside the US), or they've done it another way.

 

Linus Torvalds recently said that a small percentage of the Linux kernel is now coded by volunteers; most of it is by paid professionals. Since Linux isn't sold, that means that outfits like IBM, Solaris, and maybe even Microsoft are doing most of the open-source coding on the Linux kernel. His explanation for this is that kernel coders move from volunteer to professionals (with paying jobs) pretty quickly.

 

Maybe hard drive coders find good jobs with NSA. :P

 

WDR


The reason it's so difficult to get a handle on all this is that HD controllers are not set up to be "readable", so you can't break the machine code into anything. They just work; what Kaspersky has done is watch for the results. Some people have said that all you have to do is wipe the drive or write the drive 7 times with random data or other ideas, but that won't do it because the affected drives have sectors that are hidden from everything but the controller. Unless you can tell the controller to wipe those hidden sectors (which pretty much means you'd have to somehow get access to the source code of the controller) you can only wipe the sectors the "snoops" will let you wipe. Which probably means not the sectors they want to keep active.

 

If I were tasked to do this I would simply create a new HD controller chip with my specifications (as well as the OEM specs) and install that into every HD headed into a target country or facility. This, all by itself, limits the numbers.

 

If I were a bad guy, I'd try to buy all my hardware from US firms where, presumably, any US-based official snoop cannot interfere.

 

WDR

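The post above talks about sectors the OS cannot see. One class of hidden sectors is standardised and can be checked from the host: an ATA Host Protected Area (HPA) shrinks the drive's advertised capacity below its native capacity, and the gap shows up when you compare IDENTIFY DEVICE words 60-61 / 100-103 with the result of READ NATIVE MAX ADDRESS (EXT). The check below is an added example, not code from the thread or from Kaspersky's report; it assumes the 512-byte IDENTIFY DEVICE block and the native max LBA were obtained elsewhere (on Linux, `hdparm -I` and `hdparm -N` expose both), and the sample values are constructed. The caveat the post makes still holds: this only finds hiding that the drive reports through standard ATA commands, so storage carved out by rewritten drive firmware would not appear here.

```python
"""Detect an ATA Host Protected Area by comparing advertised vs native capacity.

Added illustration; not the thread's or Kaspersky's code. The IDENTIFY DEVICE
block and the native max LBA are assumed to come from the drive (hdparm -I /
hdparm -N, or an ATA pass-through ioctl); SAMPLE_* values below are constructed.
"""
import struct


def identify_words(block: bytes) -> list[int]:
    """Split a 512-byte IDENTIFY DEVICE block into 256 little-endian 16-bit words."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return list(struct.unpack("<256H", block))


def lba48_supported(words: list[int]) -> bool:
    """Word 83 bit 10: 48-bit address feature set supported."""
    return bool(words[83] & (1 << 10))


def hpa_supported(words: list[int]) -> bool:
    """Word 82 bit 10: Host Protected Area feature set supported."""
    return bool(words[82] & (1 << 10))


def user_addressable_sectors(words: list[int]) -> int:
    """Sector count the drive currently advertises to the host.

    Words 100-103 carry the 48-bit count when LBA48 is supported, otherwise
    words 60-61 carry the 28-bit count.
    """
    if lba48_supported(words):
        return (words[100] | words[101] << 16 | words[102] << 32 | words[103] << 48)
    return words[60] | words[61] << 16


def hidden_sectors(words: list[int], native_max_lba: int) -> int:
    """Sectors hidden by an HPA.

    READ NATIVE MAX ADDRESS (EXT) returns the highest native LBA, so the native
    sector count is native_max_lba + 1. A positive result means the advertised
    capacity has been shrunk below the native one; 0 means no HPA.
    """
    native_count = native_max_lba + 1
    return native_count - user_addressable_sectors(words)


def hpa_report(block: bytes, native_max_lba: int) -> dict:
    """Summarise the check for one drive."""
    words = identify_words(block)
    hidden = hidden_sectors(words, native_max_lba)
    return {
        "hpa_feature_supported": hpa_supported(words),
        "advertised_sectors": user_addressable_sectors(words),
        "native_sectors": native_max_lba + 1,
        "hidden_sectors": hidden,
        "hpa_present": hidden > 0,
    }


def _build_identify(advertised: int, lba48: bool = True, hpa: bool = True) -> bytes:
    """Construct a minimal IDENTIFY DEVICE block for the sample (constructed data)."""
    words = [0] * 256
    if hpa:
        words[82] |= 1 << 10
    if lba48:
        words[83] |= 1 << 10
        for i in range(4):
            words[100 + i] = (advertised >> (16 * i)) & 0xFFFF
    lba28 = min(advertised, 0x0FFFFFFF)
    words[60], words[61] = lba28 & 0xFFFF, lba28 >> 16
    return struct.pack("<256H", *words)


# Constructed sample: a drive with 1953525168 native sectors (~1 TB) that
# advertises 2048 fewer, i.e. a 1 MiB HPA sits at the end of the disk.
SAMPLE_NATIVE_MAX_LBA = 1953525167
SAMPLE_IDENTIFY = _build_identify(SAMPLE_NATIVE_MAX_LBA + 1 - 2048)

if __name__ == "__main__":
    for key, value in hpa_report(SAMPLE_IDENTIFY, SAMPLE_NATIVE_MAX_LBA).items():
        print(f"{key}: {value}")
```

A drive with a DCO (Device Configuration Overlay) can additionally under-report its native maximum, so a thorough check also issues DEVICE CONFIGURATION IDENTIFY and compares that value; both checks still trust the controller's answers, which is exactly the trust the post says a firmware implant removes.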

Since many of the dirty tricks (see Snowden's catalog of hacks) are installed at the manufacturer, reseller or while the shipping company has the item, you need to get off the NSA's or other agencies' radar. Have someone else not connected to you buy the system and pay for it and then you reimburse them in cash. Have it sent to an address not connected to you so it isn't found that way. Don't communicate by phone or e-mail either. They likely can't snoop everything, so you need to avoid letting them discover your purchase early enough to do their tricks.

 

Once you have it home you need to worry about a midnight installer dropping by to add a bit or two so lock the system up to be as tamper-proof as possible.

 

Better yet, avoid things that will get you targeted in the first place.
