Extracting Equation Group's malware from hard drives
Virilha
cypherpunks at cheiraminhavirilha.com
Tue Feb 17 23:48:42 PST 2015
From page 18 of the paper
(https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf)
...
'The disk is targeted by a specific serial number and reprogrammed by
a series of ATA commands.
For example, in the case of Seagate drives, we see a chain of
commands: “FLUSH CACHE” (E7) →
“DOWNLOAD MICROCODE” (92) → “IDENTIFY DEVICE” (EC) → “WRITE LOG EXT”
(3F). Depending on the reflashing request, there might be some unclear
data manipulations written to the drive using “WRITE LOG EXT” (3F)'
...
This three-letter agency did it with software, mostly using undocumented
ATA commands.
A software approach would reach a larger audience, assuming not
everyone knows electronics and/or can pull his/her HDD out.
Assuming no one knows the specifications for the ATA commands, or has
the time/knowledge/samples to analyze and reverse engineer it, a
request for such a tool to the Kaspersky guys seems the best approach.
-Virilha
----- Message from grarpamp <grarpamp at gmail.com> ---------
Date: Tue, 17 Feb 2015 21:03:48 -0500
From: grarpamp <grarpamp at gmail.com>
Subject: Re: Extracting Equation Group's malware from hard drives
To: cpunks <cypherpunks at cpunks.org>
Cc: Cryptography Mailing List <cryptography at metzdowd.com>
>> Does anyone know of any tools to extract the Equation Group's malware
>> from hard drive firmware?
>
> You can pull firmware and even get a shell on most
> drives with jtag and other pin headers. Search for it.
----- End message from grarpamp <grarpamp at gmail.com> -----
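An added example, not code from this thread or from the Kaspersky report: a small detector that scans a constructed per-drive trace of ATA command opcodes and flags the Seagate reflash chain the report quotes (FLUSH CACHE E7 → DOWNLOAD MICROCODE 92 → IDENTIFY DEVICE EC → WRITE LOG EXT 3F). The opcodes are the report's; the "timestamp serial opcode" trace format and the serial numbers are invented for the demo.

```python
# Detector for the reflash command chain quoted from the Equation Group report.
# The trace format below is constructed for this example; real traces would come
# from a SATA analyzer or a storage-stack tracing hook.
REFLASH_CHAIN = (0xE7, 0x92, 0xEC, 0x3F)          # opcodes from the report
OPCODE_NAMES = {0xE7: "FLUSH CACHE", 0x92: "DOWNLOAD MICROCODE",
                0xEC: "IDENTIFY DEVICE", 0x3F: "WRITE LOG EXT"}

# Constructed trace: SN-AAA does ordinary I/O (READ/WRITE DMA EXT, 25h/35h);
# SN-BBB receives the reflash chain with an unrelated read interleaved.
SAMPLE_TRACE = """
# ts        serial   opcode
1000.01    SN-AAA   EC
1000.02    SN-AAA   25
1000.03    SN-AAA   35
1000.04    SN-BBB   E7
1000.05    SN-BBB   25
1000.06    SN-BBB   92
1000.07    SN-AAA   25
1000.08    SN-BBB   EC
1000.09    SN-BBB   3F
1000.10    SN-BBB   3F
""".strip().splitlines()

def parse_trace(lines):
    """Yield (serial, opcode) for each non-comment, non-empty trace line."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, serial, op = line.split()
        yield serial, int(op, 16)

def scan(lines):
    """Per drive serial: count completed reflash chains (matched in order, with
    unrelated commands allowed in between) and record whether DOWNLOAD
    MICROCODE (92h) appeared at all. A legitimate vendor firmware update
    produces the same chain, so a hit is a lead to correlate with change
    records, not proof of compromise."""
    state, report = {}, {}
    for serial, op in parse_trace(lines):
        rec = report.setdefault(serial, {"chains": 0, "download_microcode": False})
        if op == 0x92:
            rec["download_microcode"] = True
        idx = state.get(serial, 0)
        if op == REFLASH_CHAIN[idx]:
            idx += 1
            if idx == len(REFLASH_CHAIN):   # full E7 -> 92 -> EC -> 3F seen
                rec["chains"] += 1
                idx = 0
        state[serial] = idx
    return report

if __name__ == "__main__":
    for serial, rec in scan(SAMPLE_TRACE).items():
        print(serial, rec)
```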