Tag Archives: Disk Drive Malware

Teenager Mimics NSA Malware On Zero Budget

In February, I wrote about some malware that lives inside the firmware of a disk drive. As a result of where it lives, no anti-malware software can detect it. (Curious note: the firmware of a disk drive can be written to in order to update it, but there is no command to read it back. You have to unsolder the chips and put them in a chip reader to read it.) Well, a teenager has decided to mimic this and did it with basically no budget. If he can do that, so can any well-funded hacker, not to mention a nation state.

The original post is here;  the teenager’s web site is here.

On his web site, the 20 year old from the UK calls this a Super-Persistent Boot Kit or SBK. If you think about it, it really is not that hard. The kid, who is obviously quite bright, has created a PowerPoint on his web site. The PowerPoint talks about his methodology and is actually quite lucid, even readable without having to be a total nerd.

What he did required that he had physical access to the drive, but the hard part, figuring out how to modify the firmware, is done. Now all he needs is a delivery vehicle, perhaps a phishing email.

For him, secure boot is a problem because the boot process checks the integrity of the master boot record on boot, which his malware changes.  I am sure that, with a little time and money, you can bypass that too (assuming the NSA has not already done that – remember the Snowden revelations are from several years ago).

When disk drive controllers were first designed 20 years ago or more, no one thought about security. We have never had a revolution in that arena. For example, do you really need a programmable chip on the disk drive controller that can be software writable after it leaves the factory? The disk drive makers want to do that so that if they boo-boo, they can issue a patch to drives in the field. If they can do it, so can a hacker.

There is no simple solution; it will take a lot of small, incremental, "out of the box" thinking to make headway. But we have to start taking those baby steps.

But first, we need people to stop using 123456 as their password.  Sigh!

NSA Hacking Of Disk Drives Revealed

It's not been a great year for the NSA. First Snowden and all the press they have gotten as a result of the leaked documents that seem to come out every month.

Now a Russian security researcher, Gene Kaspersky, that I wrote about recently (see post) revealed that they have detected malware in the firmware of disk drives from Seagate, Western Digital, Toshiba and other top manufacturers (see article).

Kaspersky found the malware in PCs in 30 countries including Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

The targets, they say, include banks, energy companies, nuclear research, media and activists.

Whether some hackers are aware of and taking advantage of this malware also is unknown.

While Kaspersky did not name the U.S. as the source, they said it was closely related to Stuxnet and a former NSA employee confirmed to Reuters that Kaspersky was correct in his attribution.

Because this runs in the firmware of the disk drive, it is difficult to see, difficult to remove and likely could see whatever it wanted.  It would get loaded every time the computer boots, so defeating it would be impossible short of crushing the disk.  Depending on how the software works, it likely would defeat disk encryption.

Like some other spying programs, the NSA, assuming it actually was the NSA, used it judiciously – only activating it on high value targets.

Kaspersky said that it would have been almost impossible to engineer this malware without access to the source code, which all of the manufacturers claim they did not provide to the NSA.

All of the manufacturers said that they have really good security. Since the malware is there and has been there since around 2000, either the manufacturers are fooling themselves or..., you decide.

Sometimes the government asks to review source code for products they plan to buy to look for security bugs. If this happened, it is a very small step for that code to get to the NSA. Alternatively, they could get hired as a developer and steal the code.

These risks would be identified in an enterprise risk assessment engagement and then the company would need to make some decisions regarding mitigation.

Assuming this is all accurate, I am sure that the NSA is not very happy tonight, although the Russians, Chinese and others are likely very happy.

Here is likely another problem for U.S. tech vendors. China is rapidly discarding all Cisco networking gear in the country because they fear U.S. spying. Now countries will work to remove all U.S. computers and disk drives for the same reason. Between cloud services, network equipment and now PCs, this could potentially cost U.S. tech companies tens of billions of dollars a year. Of course it would be foolish to think that other countries are not doing the same thing, which is why China, for example, is manufacturing its own network equipment to replace the Cisco gear it is throwing away.