Saturday, February 21, 2015

"The Only Way You Can Delete This NSA Malware Is to Smash Your Hard Drive to Bits"

A significant report by security vendor Kaspersky Labs reveals a range of highly sophisticated cyberwar tools likely deployed over the last decade by American intel agencies.

Most interesting of all is NLS_933W.DLL, which -- in my view -- represents the "Holy Grail" of malware.

The names called out like beacons from the screen: Samsung; Seagate; Western Digital; Hitachi; Maxtor. Hardware makers were in the crosshairs of the Equation APT group and it was perhaps the worst possible scenario imagined by researchers looking at the frightening and extensive storehouse of capabilities within the attack platform.

By extending its reach into hard drive firmware, for example, this espionage gang had perpetual persistence on compromised machines. No matter of clean-up efforts could scrub module nls_933w.dll from hardware. None.

“This is an ultimate persistence mechanism, and it has the ultimate resilience to removal. This is a next level of persistence never seen before,” said Vitaly Kamluk, principal security researcher with Kaspersky Lab’s Global Research and Analysis Team...

Matthew Braga offers some additional detail:

...Such an exploit could survive a complete hard drive wipe, or the re-installation of an operating system, and "exceeds anything we have ever seen before," the company’s researchers wrote in a new re​p​ort...

...These modules can target practically every hard drive manufacturer and brand on the market, including Seagate, Western Digital, Samsung, Toshiba, Corsair, Hitachi and more. Such attacks have traditionally been difficult to pull off, given the risk in modifying hard drive software, which may explain why Kaspersky could only identify a handful of very specific targets against which the attack was used, where the risk was worth the reward...

This particular brand of malware may have been reported in France in 2008, but was apparently never tracked down at that time.

One other (tangential) point: back in the 90's I used to argue that Microsoft's design of the "Registry" for machine configuration was a flawed and dangerous approach. My reasoning was manifold: the file format was proprietary; it was extremely fragile; backups and restores of individual configuration settings were difficult at best; and it was hard to detect malicious or ill-intentioned use.

What's the matter with discrete, text configuration files, like those Linux uses (e.g., httpd.conf for Apache)?

The Equation Group leveraged the Registry's flaws across the board. They stuffed malicious files into multiple branches of an infected machine's Registry, which made the infection "impossible to detect using antivirus software".

I rest my circa-1995 case.

Hat tip: BadBlue Tech News


Freedom Re-Founders said...

May I suggest going to either or and downloading a few "Live" Linux CDs. The OS will run from the CD without installing or making any changes to your computer. Search a few out until you find one you are comfy with before installing. I suggest, Ubuntu, PCLinuxOS, OpenSUSE or Mint for beginners to try. For even more secureity right "out of the box", there's one called "Tails". Although all the others can be enhanced to be just as secure from the repositories.

Doom said...

And people wonder why the media and politicians are all on their knees, completely ignoring the electorate, to a degree on both sides of the aisle, if the left was always willing to sell out, for they had no notion of morality, ethics, or the rest. Just as long as they get a cushy job. Supreme Court as well.

It's a rigged game. As with Stalin, it's not who you know, it's what you know about them.

Anonymous said...

"The only way to remove nls_933w.dll"

Meh, Thermite works pretty well too.

Anonymous said...

Oh and I will vouch for Linux Mint for an OS as well.

I like Linux and have been using various distributions since I tried SuSE in the late-nineties, but a lot of the distro's are run by the guys in love with the command prompt(terminal). The newer Mint versions were the first I'd feel comfortable installing on a non-computer person's computer.

Use a mouse? To configure the OS? In the 21st century? What a concept!