Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: A Different Kind of Equation SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A Different Kind of Equation

Both the mainstream media and our security media is abuzz with Kasperksy's disclosure of their research on the "Equation" group and the associated malware.  You can find the original blog post here: http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage

But if you want some real detail, check out the Q&A document that goes with this post; http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

Way more detail, and much more sobering to see that this group of malware goes all the way back to 2001, and includes code to map disconnected networks (using USB key C&C like Stuxnet did), as well as the disk firmware facet that's everyone's headline today.

Some Indicators of Compromise, something we can use to identify if our organizations or clients are affected - are included in the PDF.  The DNS IoC's included are especially easy to use, either as checks against logs or as black-hole entries.

===============
Rob VandenBrink
Metafore

 Rob VandenBrink

561 Posts
ISC Handler
Feb 17th 2015
Thread locked Subscribe Feb 17th 2015
6 years ago
According to the report, regarding the infecting of hard drive firmware, "...custom payload from the EQUATION group, and providing an API into a set of hidden sectors (or data storage) of the hard drive..."

I have to wonder if they are using HPA or DCO??? I can achieve both features Kaspersky mentions with either, namely,
"...Extreme persistence that survives disk formatting and OS reinstall; An invisible, persistent storage hidden inside the hard drive..."

To date, I've only encountered either in the wild twice, and a few motherboards use this hard drive feature to store backup (?) copies of their bios.
 R

40 Posts
Quote Feb 18th 2015
6 years ago
The referenced .pdf directly from Kaspersky will be opened by security researchers, government officials and journalists all around the planet.

I wonder if it may contain any unexpected gifts.... an interesting ISC challenge.
 GordonM

14 Posts
Quote Feb 18th 2015
6 years ago
You can FUD up nearly any security conversation but virustotal detects nothing and Kaspersky is not the NSA.
 Derperson

2 Posts
Quote Feb 20th 2015
6 years ago

Sign Up for Free or Log In to start participating in the conversation!