Extracting Equation Group's malware from hard drives

Virilha cypherpunks at cheiraminhavirilha.com
Tue Feb 17 23:48:42 PST 2015


From page 18 of the paper
(https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf)

...
'The disk is targeted by a specific serial number and reprogrammed by
a series of ATA commands.
For example, in the case of Seagate drives, we see a chain of
commands: “FLUSH CACHE” (E7) → “DOWNLOAD MICROCODE” (92) →
“IDENTIFY DEVICE” (EC) → “WRITE LOG EXT” (3F). Depending on the
reflashing request, there might be some unclear data manipulations
written to the drive using “WRITE LOG EXT” (3F)'
...

This three-letter agency did it with software, mostly using undocumented
ATA commands.

A software approach would reach a larger audience, assuming not
everyone knows electronics and/or can pull his/her HDD out.

Assuming no one knows the specifications for the ATA commands, or has
the time/knowledge/samples to analyze and reverse engineer them, a
request for such a tool from the Kaspersky guys seems the best approach.

-Virilha

----- Message from grarpamp <grarpamp at gmail.com> ---------
    Date: Tue, 17 Feb 2015 21:03:48 -0500
    From: grarpamp <grarpamp at gmail.com>
Subject: Re: Extracting Equation Group's malware from hard drives
      To: cpunks <cypherpunks at cpunks.org>
      Cc: Cryptography Mailing List <cryptography at metzdowd.com>


>> Does anyone know of any tools to extract the Equation Group's malware
>> from hard drive firmware?
>
> You can pull firmware and even get a shell on most
> drives with jtag and other pin headers. Search for it.


----- End message from grarpamp <grarpamp at gmail.com> -----
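The command chain quoted from the Kaspersky paper, worked through as an added example that is not part of the original post, the paper, or any Kaspersky tool. The block does two things a practitioner would want when looking for this kind of reflash: it decodes the fields of an IDENTIFY DEVICE (0xEC) response that a serial-number-targeted reflasher keys on (serial number, firmware revision, model, stored with ATA's byte-swapped string encoding), and it scans an ordered trace of ATA opcodes for the Seagate chain FLUSH CACHE (E7) → DOWNLOAD MICROCODE (92) → IDENTIFY DEVICE (EC) → WRITE LOG EXT (3F) as a subsequence. The IDENTIFY block and the opcode trace are constructed sample data; how such a trace is captured (bus analyser, SCSI/ATA passthrough hook) is outside the example and assumed.

```python
"""Added example, not code from the Kaspersky paper or the mailing-list post.
Decodes an ATA IDENTIFY DEVICE (0xEC) response and flags the Seagate
reflash chain quoted from the paper in an ordered trace of ATA opcodes.
All input data below is constructed for the example."""

# ATA command opcodes named in the quoted paper excerpt.
FLUSH_CACHE = 0xE7
DOWNLOAD_MICROCODE = 0x92
IDENTIFY_DEVICE = 0xEC
WRITE_LOG_EXT = 0x3F

# The chain the paper reports for Seagate drives, in order.
REFLASH_CHAIN = (FLUSH_CACHE, DOWNLOAD_MICROCODE, IDENTIFY_DEVICE, WRITE_LOG_EXT)


def ata_string(identify: bytes, first_word: int, num_words: int) -> str:
    """Decode an ASCII field from IDENTIFY DEVICE data.
    ATA stores these strings with the two bytes of every 16-bit word
    swapped, so swap them back and strip the space padding."""
    raw = identify[first_word * 2:(first_word + num_words) * 2]
    swapped = bytearray()
    for i in range(0, len(raw), 2):
        swapped += raw[i + 1:i + 2] + raw[i:i + 1]
    return swapped.decode("ascii", errors="replace").strip()


def parse_identify(identify: bytes) -> dict:
    """Extract the fields a serial-number-targeted reflasher keys on:
    serial number (words 10-19), firmware revision (words 23-26) and
    model number (words 27-46)."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data is exactly 512 bytes")
    return {
        "serial": ata_string(identify, 10, 10),
        "firmware": ata_string(identify, 23, 4),
        "model": ata_string(identify, 27, 20),
    }


def build_identify(serial: str, firmware: str, model: str) -> bytes:
    """Construct a synthetic 512-byte IDENTIFY block with the ATA byte
    swapping applied, so the parser can be exercised without a real disk.
    Only the three string fields are populated; everything else is zero."""
    words = bytearray(512)

    def put(first_word: int, num_words: int, text: str) -> None:
        padded = text.ljust(num_words * 2).encode("ascii")
        for i in range(0, num_words * 2, 2):
            words[first_word * 2 + i] = padded[i + 1]
            words[first_word * 2 + i + 1] = padded[i]

    put(10, 10, serial)
    put(23, 4, firmware)
    put(27, 20, model)
    return bytes(words)


def find_reflash_chain(trace, chain=REFLASH_CHAIN):
    """Return the trace indices at which `chain` occurs as an ordered
    subsequence (other commands may be interleaved), or None if it does
    not occur. A match is a lead worth pulling the drive over, not proof:
    a legitimate firmware update issues the same commands."""
    hits = []
    pos = 0
    for op in chain:
        try:
            idx = trace.index(op, pos)
        except ValueError:
            return None
        hits.append(idx)
        pos = idx + 1
    return hits


if __name__ == "__main__":
    # Constructed IDENTIFY block for a fictitious drive.
    ident = build_identify("EXAMPLE0001", "SD1A", "ST_EXAMPLE_DRIVE")
    print(parse_identify(ident))
    # Constructed opcode trace: two READ DMA EXT (0x25), then the chain
    # with an interleaved read and a second WRITE LOG EXT at the end.
    trace = [0x25, 0x25, 0xE7, 0x92, 0x25, 0xEC, 0x3F, 0x3F]
    print(find_reflash_chain(trace))
```

On Linux the real IDENTIFY block can be read with `hdparm -I` or the HDIO_DRIVE_CMD ioctl, and `hdparm --fwdownload` issues DOWNLOAD MICROCODE itself, so the chain finder is only meaningful on a trace from a bus analyser or a passthrough layer you control; a vendor update tool will trip it just as the paper's reflasher would.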
