Security Experts Say Equation Malware Dead but Remains a Threat

By Wayne Rash  |  Posted 2015-02-21

Kamluk said he expects malware creators to adopt the ability to infect the flash memory on hard drives even if they don't copy the code. In addition, he believes they will move on to other firmware in attached devices, ranging from the computer's BIOS to such things as printers. Regardless, he said, it would be impossible to detect.

While it may be possible to correct a hardware infection by re-flashing the firmware, that requires knowing the firmware has been compromised, which is likely almost impossible. On a more realistic note, while re-flashing a drive or a printer may be possible on an individual basis, doing so in a data center with thousands of hard drives is another problem entirely. It would probably be cheaper and faster simply to scrap everything and replace it.

There are some positive notes. First, this kind of malware is tightly controlled, and it's distributed to specifically targeted computers and individuals. It does not spread in the wild.

Second, it is possible to prevent infections by this sort of malware regardless of whether it's state-sponsored or sent out by criminals. Because this malware depends on zero-day exploits, usually of flaws in Windows, keeping your computers patched will prevent most of this malware from working even if it is installed on a system.

Third, even in the case of the hardware infections, the penetration takes place using some malware that's loaded onto the system in some way, and once it's there, a good anti-malware or antivirus package or appliance can detect the infection and neutralize it before it can follow through on the attack.

"The days of reactive protection are over," Kujawa said. "Having an active malware scanner, Web blocks and anti-exploit technology are critical." He added that people need to be more aware of social engineering.

"This is the same stuff we've been telling people for years," he said. "Keep doing it."

If everyone had been doing this all along, then the malware industry wouldn't be so profitable, he added.

In some ways, the spread of the Equation Group malware speaks to the pathetic state of security in many organizations. "There are a lot of copies of Windows in Asia and the Middle East that aren't patched," Kamluk said.

Security experts in general, as well as the sources I spoke to for this article, reiterate that proper training is critical. The Equation Group malware was spread using infected USB memory sticks that were left lying around where users could find them.

How can this still be happening? Probably the same way that users keep responding to phishing attacks. They simply don't know any better, and it's up to enterprise IT departments to train them.

