Saturday, February 21, 2015

"The Only Way You Can Delete This NSA Malware Is to Smash Your Hard Drive to Bits"

2/21/2015

A sigificant report by security vendor Kaspersky Labs reveals a range of highly sophisticated cyberwar tools likely deployed over the last decade by American intel agencies.

Most interesting of all is NLS_933W.DLL, which -- in my view -- represents the "Holy Grail" of malware.
  
The names called out like beacons from the screen: Samsung; Seagate; Western Digital; Hitachi; Maxtor. Hardware makers were in the crosshairs of the Equation APT group and it was perhaps the worst possible scenario imagined by researchers looking at the frightening and extensive storehouse of capabilities within the attack platform.

By extending its reach into hard drive firmware, for example, this espionage gang had perpetual persistence on compromised machines. No matter of clean-up efforts could scrub module nls_933w.dll from hardware. None.

“This is an ultimate persistence mechanism, and it has the ultimate resilience to removal. This is a next level of persistence never seen before,” said Vitaly Kamluk, principal security researcher with Kaspersky Lab’s Global Research and Analysis Team...

Matthew Braga offers some additional detail:

...Such an exploit could survive a complete hard drive wipe, or the re-installation of an operating system, and "exceeds anything we have ever seen before," the company’s researchers wrote in a new re​p​ort...

...These modules can target practically every hard drive manufacturer and brand on the market, including Seagate, Western Digital, Samsung, Toshiba, Corsair, Hitachi and more. Such attacks have traditionally been difficult to pull off, given the risk in modifying hard drive software, which may explain why Kaspersky could only identify a handful of very specific targets against which the attack was used, where the risk was worth the reward...

This particular brand of malware may have been reported in France in 2008, but was apparently never tracked down at that time.

One other (tangential) point: back in the 90's I used to argue that Microsoft's design of the "Registry" for machine configuration was a flawed and dangerous approach. My reasoning was manifold: the file format was proprietary; it was extremely fragile; backups and restores of individual configuration settings were difficult at best; and it was hard to detect malicious or ill-intentioned use.

What's the matter with discrete, text configuration files, like those Linux uses (e.g., httpd.conf for Apache)?

The Equation Group leveraged the Registry's flaws across the board. They stuffed malicious files into multiple branches of an infected machine's Registry, which made the infection "impossible to detect using antivirus software".

I rest my circa-199
5 case.

source

No comments: