If you’re worried about the malware revealed by Kaspersky Lab a few days ago and attributed to the shadowy “Equation Group” the latest word is that it’s probably no longer active and any spyware that was put into place on hard drives and elsewhere is likely sending its reports uselessly into the ether. Unfortunately, that’s not necessarily very good news.
“Now that this malware has been spoken about by Kaspersky, in great detail, those who were using it previously are no longer using it and it’s very likely that it hasn’t been in use for a while,” said Adam Kujawa, head of malware intelligence for Malwarebytes.
“I say this because folks like these generally know when they have been made, and it’s usually just a few commands to completely shut down the operation and erase its existence.”
Vitaly Kamluk, principal security researcher at Kaspersky Lab, agrees. “Typically, when there is some exposure, the actor behind the attacks will take down the structure,” he said. Kamluk is one of the team at Kaspersky who found and analyzed the Equation group’s malware and its associated spyware. “This is several years old,” he added.
So if the malware is old, no longer being actively distributed and likely is being ignored, why all the interest? Partly, it’s due to the fact that about 500 infestations of the malware are still out there.
Even though it’s not currently doing much, that doesn’t mean it can’t. In addition, the fact remains that this malware was able to be fielded and used for years without anyone noticing, and some parts of it are so effectively hidden that they may be impossible to find.
But there’s another reason that’s much more sinister. Once the Equation group learned that its spyware campaign was unmasked, they almost certainly sent out a new version of malware that is as yet undiscovered.
In addition, some components of the Equation Group malware are still out there causing problems, notably a component called “fanny.exe.” The Fanny malware is the component that allows a USB stick to infect a computer simply by inserting it. It was a component of Stuxnet and has been part of the related malware that followed.
Unfortunately, the fallout from the Equation group’s malware is significant. While the original malware is probably not doing anything, what happened next is that cyber-criminals discovered what was possible and certainly have begun working on something similar.
In addition, now that Kaspersky has published the actual code, it can be taken apart and analyzed, meaning that a malware creator can either copy the process or use what’s in the code to create new and better, but potent malware.
Security Experts Say Equation Malware Dead but Remains a Threat
Kamluk said he expects malware creators to adopt the ability to infect the flash memory on hard drives even if they don’t copy the code. In addition, he believes they will move on to other firmware in attached devices, ranging from the computer’s BIOS to such things as printers. Regardless, he said, it would be impossible to detect.
While it may be possible to correct a hardware infection by re-flashing the firmware, that requires that you know the firmware has been compromised and that’s likely almost impossible. But on a more realistic note, while re-flashing a drive or a printer may be possible on an individual basis, doing so in a data center with thousands of hard drives is another problem entirely. It would probably be cheaper and faster simply to scrap everything and replace it.
There are some positive notes. First, this kind of malware is tightly controlled, and it’s distributed to specifically targeted computers and individuals. It does not spread in the wild.
Second, it is possible to prevent infections by this sort of malware regardless of whether it’s state-sponsored or sent out by criminals. Because this malware depends on zero-day exploits, usually of flaws in Windows, keeping your computers patched will prevent most of this malware from working even if it is installed on a system.
Third, even in the case of the hardware infections, the penetration takes place using some malware that’s loaded onto the system in some way, and once it’s there, a good anti-malware or antivirus package or appliance can detect the infection and neutralize it before it can follow through on the attack.
“The days of reactive protection are over,” Kujawa said. “Having an active malware scanner, Web blocks and anti exploit-technology are critical.” He added that people need to be more aware of social engineering.
“This is the same stuff we’ve been telling people for years,” he said. “Keep doing it.”
If everyone had been doing this all along, then the malware industry wouldn’t be so profitable, he added.
In some ways, the spread of the Equation Group malware speaks to the pathetic state of security in many organizations. “There are a lot of copies of Windows in Asia and the Middle East that aren’t patched,” Kamluk said.
Security experts in general as well as the sources I spoke to for this article reiterate that proper training is critical. The Equation Group malware was spread using infected USB memory sticks that were left lying around where users could find them.
How can this still be happening? Probably the same way that users keep responding to phishing attacks. They simply don’t know any better, and it’s up to enterprise IT departments to train them.