Extracting Equation Group's malware from hard drives
Hi lists,

Does anyone know of any tools to extract the Equation Group's malware from hard drive firmware?

Also, are there any public registries online to report and view infections?

Alfie

--
Alfie John
alfiej@fastmail.fm
From page 18 of the paper (https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pd...):

'The disk is targeted by a specific serial number and reprogrammed by a series of ATA commands. For example, in the case of Seagate drives, we see a chain of commands: “FLUSH CACHE” (E7) → “DOWNLOAD MICROCODE” (92) → “IDENTIFY DEVICE” (EC) → “WRITE LOG EXT” (3F). Depending on the reflashing request, there might be some unclear data manipulations written to the drive using “WRITE LOG EXT” (3F).'

This three-letter agency did it with software, mostly using undocumented ATA commands. A software approach would reach a larger audience, assuming not everyone knows electronics and/or can pull his/her HDD out.

Assuming no one knows the specifications for the ATA commands, or has the time/knowledge/samples to analyze and reverse engineer it, a request for such a tool to the Kaspersky guys seems the best approach.

-Virilha

----- Message from grarpamp <grarpamp@gmail.com> ---------
Date: Tue, 17 Feb 2015 21:03:48 -0500
From: grarpamp <grarpamp@gmail.com>
Subject: Re: Extracting Equation Group's malware from hard drives
To: cpunks <cypherpunks@cpunks.org>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>
> Does anyone know of any tools to extract the Equation Group's malware from hard drive firmware?

You can pull firmware and even get a shell on most drives with JTAG and other pin headers. Search for it.

----- End message from grarpamp <grarpamp@gmail.com> -----
On Wed, Feb 18, 2015 at 2:48 AM, Virilha <cypherpunks@cheiraminhavirilha.com> wrote:
> This three-letter agency did it with software, mostly using undocumented ATA commands.
> Assuming no one knows the specifications for the ATA commands

All the non-vendor-specific command specs are documented at T10, T13, SerialATA ...
https://ata.wiki.kernel.org/index.php/Developer_Resources
Which you can bitbash for fun from userland with the likes of ...
http://www.freebsd.org/cgi/man.cgi?query=camcontrol
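As an added illustration of the two points above (Virilha's Kaspersky quote of the IDENTIFY DEVICE (EC) / WRITE LOG EXT (3F) command chain, and grarpamp's note that the standard commands can be issued from userland), here is example code that is not part of the thread and not Kaspersky's, hdparm's or camcontrol's code. It builds the SAT ATA PASS-THROUGH (16) CDBs for the two read-only counterparts, IDENTIFY DEVICE (EC) and READ LOG EXT (2F), decodes the IDENTIFY block (byte-swapped strings, the DOWNLOAD MICROCODE and General Purpose Logging capability bits, the word-255 integrity checksum), and reads the log directory count for a log address. Field layouts follow the public ATA8-ACS and SAT specs; the sample IDENTIFY block and log directory are constructed here and come from no real drive; the optional live run assumes Linux SG_IO and root.

```c
/* Added example (not code from the thread, Kaspersky, hdparm or camcontrol): build the SAT
 * ATA PASS-THROUGH (16) CDBs for IDENTIFY DEVICE (EC) and READ LOG EXT (2F) and decode the
 * IDENTIFY block. Layouts follow ATA8-ACS/SAT; the sample data is constructed, not from a drive. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATA_IDENTIFY_DEVICE 0xEC
#define ATA_READ_LOG_EXT    0x2F
#define SAT_PROTO_PIO_IN    4          /* CDB byte 1 protocol field: PIO Data-In */
struct ata_identity { char serial[21], firmware[9], model[41]; int download_microcode, gpl; };

/* 16-byte ATA PASS-THROUGH (16) CDB for a PIO data-in command; extend=1 = 48-bit registers. */
static void ata16_cdb(uint8_t cdb[16], uint8_t cmd, int extend, uint16_t count, uint64_t lba)
{
    memset(cdb, 0, 16);
    cdb[0] = 0x85;  cdb[1] = (uint8_t)((SAT_PROTO_PIO_IN << 1) | (extend & 1));
    cdb[2] = 0x0E;                 /* T_DIR=1 (from device), BYTE_BLOCK=1, T_LENGTH=2 (use count) */
    cdb[5] = count >> 8;           cdb[6]  = count & 0xFF;
    cdb[7] = (lba >> 24) & 0xFF;   cdb[8]  = lba & 0xFF;          /* LBA low (15:8), (7:0) */
    cdb[9] = (lba >> 32) & 0xFF;   cdb[10] = (lba >> 8) & 0xFF;   /* LBA mid */
    cdb[11] = (lba >> 40) & 0xFF;  cdb[12] = (lba >> 16) & 0xFF;  /* LBA high */
    cdb[13] = 0x40;  cdb[14] = cmd;                                /* DEVICE (LBA mode), COMMAND */
}
int build_identify_cdb(uint8_t cdb[16]) { ata16_cdb(cdb, ATA_IDENTIFY_DEVICE, 0, 1, 0); return 16; }

/* READ LOG EXT: log address in LBA(7:0), page number in LBA(15:8) and LBA(39:32). */
int build_read_log_ext_cdb(uint8_t cdb[16], uint8_t log_addr, uint16_t page, uint16_t nblocks)
{
    uint64_t lba = log_addr | ((uint64_t)(page & 0xFF) << 8) | ((uint64_t)(page >> 8) << 32);
    ata16_cdb(cdb, ATA_READ_LOG_EXT, 1, nblocks, lba);
    return 16;
}
static uint16_t ata_word(const uint8_t *b, int w) { return (uint16_t)(b[2*w] | (b[2*w+1] << 8)); }

/* IDENTIFY strings are byte-swapped inside each 16-bit word and space padded. */
static void ata_get_string(const uint8_t *id, int first_word, int nwords, char *out)
{
    int n = 2 * nwords;
    for (int i = 0; i < nwords; i++) {
        out[2*i]     = (char)id[2*(first_word + i) + 1];
        out[2*i + 1] = (char)id[2*(first_word + i)];
    }
    out[n] = '\0';
    while (n > 0 && out[n-1] == ' ') out[--n] = '\0';
}

/* Word 255: when its low byte is A5h, all 512 bytes must sum to zero mod 256. */
int identify_checksum_ok(const uint8_t id[512])
{
    uint8_t sum = 0;
    if (id[510] != 0xA5) return 1;     /* no integrity word: nothing to verify */
    for (int i = 0; i < 512; i++) sum += id[i];
    return sum == 0;
}
int parse_identify(const uint8_t id[512], struct ata_identity *out)
{
    if (!identify_checksum_ok(id)) return 0;
    ata_get_string(id, 10, 10, out->serial);    /* words 10-19 */
    ata_get_string(id, 23, 4,  out->firmware);  /* words 23-26 */
    ata_get_string(id, 27, 20, out->model);     /* words 27-46 */
    out->download_microcode = ata_word(id, 83) & 1;   /* word 83 bit 0 */
    out->gpl = (ata_word(id, 84) >> 5) & 1;           /* word 84 bit 5: General Purpose Logging */
    return 1;
}
/* Log directory (log address 00h): word n = number of 512-byte pages of log n. */
int log_dir_pages(const uint8_t dir[512], uint8_t log_addr) { return log_addr ? ata_word(dir, log_addr) : -1; }

/* Constructed sample IDENTIFY block (no real drive behind it). */
void make_sample_identify(uint8_t id[512])
{
    static const char *text[] = { "SAMPLE-SN-0001", "CC46", "EXAMPLE-HDD-MODEL" };
    static const int first[] = { 10, 23, 27 }, words[] = { 10, 4, 20 };
    uint8_t sum = 0;
    memset(id, 0, 512);
    for (int f = 0; f < 3; f++)
        for (int i = 0; i < 2 * words[f]; i++)  /* swap byte pairs, pad with spaces */
            id[2*first[f] + (i ^ 1)] = i < (int)strlen(text[f]) ? (uint8_t)text[f][i] : ' ';
    id[2*83] |= 0x01;  id[2*84] |= 0x20;       /* DOWNLOAD MICROCODE and GPL supported */
    id[510] = 0xA5;
    for (int i = 0; i < 511; i++) sum += id[i];
    id[511] = (uint8_t)(0u - sum);
}

#ifdef __linux__  /* optional live run: ./ata_ident /dev/sdX (needs root); read-only commands */
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <scsi/sg.h>
int main(int argc, char **argv)
{
    uint8_t cdb[16], id[512], sense[32];
    struct ata_identity ident;
    struct sg_io_hdr io = { .interface_id = 'S', .dxfer_direction = SG_DXFER_FROM_DEV,
        .cmd_len = build_identify_cdb(cdb), .cmdp = cdb, .dxfer_len = 512, .dxferp = id,
        .mx_sb_len = sizeof sense, .sbp = sense, .timeout = 10000 };
    int fd = argc > 1 ? open(argv[1], O_RDONLY) : -1;
    if (fd < 0) make_sample_identify(id);                    /* no device given: use sample */
    else if (ioctl(fd, SG_IO, &io) < 0) { perror("SG_IO"); return 1; }
    if (!parse_identify(id, &ident)) { fputs("IDENTIFY checksum mismatch\n", stderr); return 1; }
    printf("model=%s serial=%s firmware=%s download_microcode=%d gpl=%d\n",
           ident.model, ident.serial, ident.firmware, ident.download_microcode, ident.gpl);
    return 0;
}
#endif
```

Two caveats a practitioner should keep in mind. First, both commands are answered by the drive's own firmware, so a drive whose firmware has already been reprogrammed can report whatever it likes; the output is a baseline to compare across drives and over time, not proof of integrity. Second, DOWNLOAD MICROCODE (92) only writes firmware; the standard command set has no counterpart that reads it back, which is why the other replies in this thread point at JTAG. In a real run, also check `io.status`, `io.host_status` and the sense buffer after the ioctl rather than only its return value, and the sense data (descriptor 09h) for the ATA status register.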
On 02/17/2015 04:56 PM, Alfie John wrote:
> Hi lists,
> Does anyone know of any tools to extract the Equation Group's malware from hard drive firmware?

FlashROM should be able to help. Does anyone know if these are BIOS-era OptionROM-based, or UEFI-based drivers? If they are UEFI drivers, the UEFI Dev Kit (UDK) tools can help.

> Also, are there any public registries online to report and view infections?

RANT: This recent event is an example of why OEMs/IHVs/IBVs need to treat firmware more like software and not like silicon. We *NEED* SCAP OVAL definitions, SCAP CVEs, ChangeLogs/ReadMes with feature/bug deltas. These days, there is no excuse; CoreBoot and UEFI (TianoCore.org) are open source projects, not the ancient monolithic BIOS codebase with ancient OpROM blobs. All existing blobs that OEMs/IHVs release should be signed, and have a CRL/OCSP URL for updates. There needs to be a public registry of these BIOS OpROM blobs and UEFI binaries. We need a vendor-neutral logo that lists details about firmware, not rely on MSFT to drive Windows OEMs to only do what MSFT wants; and we need Consumer Reports to track this data about systems. Most importantly, OEMs need to build systems which enable users to install their own firmware, like users do today with OS software.
On 02/17/2015 04:56 PM, Alfie John wrote:
> Does anyone know of any tools to extract the Equation Group's malware from hard drive firmware?

From talking with some folks who've dumped and reverse engineered other kinds of firmware, the JTAG interface (http://www.corelis.com/education/JTAG_Tutorial.htm) seems like it'd be a good place to start. That, and digging up the datasheets on as many of the integrated circuits on the boards in question.

> Also, are there any public registries online to report and view infections?

Not offhand. I'd be curious, too.

--
The Doctor [412/724/301/703/415] [ZS]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
Covalent bonding: Sharing is caring!
Participants (5): Alfie John, Blibbet, grarpamp, The Doctor, Virilha