From page 18 of the paper (https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pd...):

'The disk is targeted by a specific serial number and reprogrammed by a series of ATA commands. For example, in the case of Seagate drives, we see a chain of commands: “FLUSH CACHE” (E7) → “DOWNLOAD MICROCODE” (92) → “IDENTIFY DEVICE” (EC) → “WRITE LOG EXT” (3F). Depending on the reflashing request, there might be some unclear data manipulations written to the drive using “WRITE LOG EXT” (3F)'

This three-letter agency did it with software, mostly using undocumented ATA commands. A software approach would reach a larger audience, assuming not everyone knows electronics and/or can pull his/her HDD out. Assuming no one knows the specifications for the ATA commands, or has the time/knowledge/samples to analyze and reverse engineer it, a request for such a tool to the Kaspersky guys seems the best approach.

-Virilha

----- Message from grarpamp <grarpamp@gmail.com> ---------
Date: Tue, 17 Feb 2015 21:03:48 -0500
From: grarpamp <grarpamp@gmail.com>
Subject: Re: Extracting Equation Group's malware from hard drives
To: cpunks <cypherpunks@cpunks.org>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>
> Does anyone know of any tools to extract the Equation Group's malware from hard drive firmware?
You can pull firmware and even get a shell on most drives with jtag and other pin headers. Search for it.
----- End message from grarpamp <grarpamp@gmail.com> -----
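The command chain quoted above from the Kaspersky paper starts from a drive "targeted by a specific serial number", and the only documented, read-only step in it is IDENTIFY DEVICE (EC). The following is an added example, written for this page and not code from the thread, from Kaspersky or from the Equation Group samples: a Linux C program that issues IDENTIFY DEVICE through SG_IO with an ATA PASS-THROUGH(16) CDB, decodes the serial number, firmware revision and model, and reads the two capability bits that the other steps depend on (per ATA8-ACS: word 83 bit 0, DOWNLOAD MICROCODE supported; word 84 bit 5, General Purpose Logging feature set, which WRITE LOG EXT requires). It never sends E7, 92 or 3F. It assumes a Linux host with SCSI-ATA translation (libata), root privileges, and a hypothetical device path such as /dev/sdX; the IDENTIFY response it decodes in the self-test is constructed, not captured from a real drive.

```c
/* Added example, not code from the thread or the Kaspersky paper: sends the
 * IDENTIFY DEVICE (EC) step of the quoted chain through Linux SG_IO ATA
 * PASS-THROUGH(16) and decodes serial, firmware, model and the capability bits
 * the other steps rely on (ATA8-ACS word 83 bit 0: DOWNLOAD MICROCODE
 * supported; word 84 bit 5: General Purpose Logging, used by WRITE LOG EXT).
 * Assumes Linux SAT, root, and a hypothetical device path such as /dev/sdX. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/ioctl.h>
#include <scsi/sg.h>
#endif
#define ATA_CMD_IDENTIFY_DEVICE 0xEC   /* E7, 92 and 3F are deliberately never sent */

struct ata_identity {
    char serial[21], firmware[9], model[41];   /* words 10-19, 23-26, 27-46 */
    int download_microcode, gpl_supported;     /* word 83 bit 0, word 84 bit 5 */
};

/* IDENTIFY data is 256 little-endian words; strings carry the first character
 * in the high byte of each word and are space padded on both sides. */
static uint16_t id_word(const uint8_t *b, int w) { return (uint16_t)(b[2*w] | (b[2*w+1] << 8)); }

static void id_string(const uint8_t *b, int first, int nwords, char *out) {
    char tmp[41], *s = tmp;
    int n = 0;
    for (int w = first; w < first + nwords; w++) {
        tmp[n++] = (char)(id_word(b, w) >> 8);
        tmp[n++] = (char)(id_word(b, w) & 0xFF);
    }
    tmp[n] = '\0';
    while (*s == ' ') s++;
    for (n = (int)strlen(s); n > 0 && s[n-1] == ' '; n--) s[n-1] = '\0';
    strcpy(out, s);
}

void parse_identify(const uint8_t b[512], struct ata_identity *id) {
    id_string(b, 10, 10, id->serial);
    id_string(b, 23, 4, id->firmware);
    id_string(b, 27, 20, id->model);
    id->download_microcode = (id_word(b, 83) & 0x0001) != 0;
    id->gpl_supported      = (id_word(b, 84) & 0x0020) != 0;
}

/* "targeted by a specific serial number": exact match against a watch value */
int serial_matches(const struct ata_identity *id, const char *target) {
    return strcmp(id->serial, target) == 0;
}

#ifdef __linux__
/* CDB: 0x85 ATA PASS-THROUGH(16); byte 1 protocol 4 = PIO Data-In; byte 2
 * 0x0E = T_DIR in, BYT_BLOK, T_LENGTH from count; byte 6 count = 1 block. */
int identify_device(const char *path, uint8_t buf[512]) {
    uint8_t cdb[16] = {0}, sense[32] = {0};
    sg_io_hdr_t io;
    int fd = open(path, O_RDONLY | O_NONBLOCK), rc, key;
    if (fd < 0) return -1;
    cdb[0] = 0x85; cdb[1] = 4 << 1; cdb[2] = 0x0E; cdb[6] = 1;
    cdb[14] = ATA_CMD_IDENTIFY_DEVICE;
    memset(&io, 0, sizeof io);
    io.interface_id = 'S';  io.cmd_len = sizeof cdb;  io.cmdp = cdb;
    io.dxfer_direction = SG_DXFER_FROM_DEV;  io.dxfer_len = 512;  io.dxferp = buf;
    io.mx_sb_len = sizeof sense;  io.sbp = sense;  io.timeout = 10000;  /* ms */
    rc = ioctl(fd, SG_IO, &io);
    close(fd);
    if (rc < 0 || io.host_status || (io.driver_status & 0x07)) return -1;
    /* SAT may report CHECK CONDITION with sense key RECOVERED ERROR only to
     * carry the ATA return registers; that is not a failure. */
    key = ((sense[0] & 0x7F) >= 0x72) ? (sense[1] & 0x0F) : (sense[2] & 0x0F);
    return (io.status == 0 || (io.status == 0x02 && key <= 1)) ? 0 : -1;
}
#endif

/* Constructed sample response, not captured from a real drive. */
static void put_string(uint8_t *b, int first, int nwords, const char *s) {
    size_t len = strlen(s);
    for (int w = first, i = 0; w < first + nwords; w++, i += 2) {
        b[2*w+1] = (size_t)i < len ? s[i] : ' ';
        b[2*w]   = (size_t)i + 1 < len ? s[i+1] : ' ';
    }
}

void build_sample_identify(uint8_t b[512]) {
    memset(b, 0, 512);
    put_string(b, 10, 10, "  S3ADEMO00001");   /* leading pad, as real drives do */
    put_string(b, 23, 4, "FW01");
    put_string(b, 27, 20, "ST SAMPLE MODEL");
    b[2*83] = 0x01; b[2*83+1] = 0x40;           /* word 83 = 0x4001 */
    b[2*84] = 0x20; b[2*84+1] = 0x40;           /* word 84 = 0x4020 */
}

const struct ata_identity *sample_identity(void) {
    static uint8_t b[512]; static struct ata_identity id;
    build_sample_identify(b); parse_identify(b, &id);
    return &id;
}
```

On a Linux host, call identify_device("/dev/sdX", buf) as root and then parse_identify(buf, &id) to get the live values; without hardware, sample_identity() decodes the constructed response. Two caveats follow directly from the quoted passage: DOWNLOAD MICROCODE (92) and the vendor-specific commands the reflash relies on are not exercised here, and everything IDENTIFY DEVICE returns, the firmware revision string included, is reported by the very firmware that may have been replaced, so a clean-looking IDENTIFY is not evidence that the drive is clean. That is why grarpamp's reply points at JTAG and other hardware access rather than at ATA commands issued from the host.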