
    Security Researchers Find Unexpected Weakness in Equation Malware

    By Wayne Rash - March 13, 2015
      Equation Spyware

      An analysis of the Equation Group malware that Kaspersky Lab revealed earlier this year may be the most advanced malware the company has ever seen, according to one of the lab’s top security technology experts.

      The expert, Costin Raiu, Director of Kaspersky’s Global Research and Analysis team, said that the analysis also confirms suspicions that the group that created it is state-sponsored.

      The telltale signs include date stamps that show that major development steps, such as compiling the code, took place between 9 a.m. and 5 p.m. Eastern Standard Time, and that those steps were only carried out on weekdays, something typical of government employees.

      He also said that the level of sophistication, including the ability to use plug-ins, indicates capabilities far beyond those of cyber-criminals. Raiu said that his team kept track of the exact days on which those steps took place, but did not check whether the developers also avoided public holidays.
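The working-hours clue described above can be checked mechanically. The following added example (not code from Kaspersky or from the article) converts a constructed list of compile timestamps to Eastern Standard Time and buckets them into weekday business hours, off hours, weekends and, optionally, the public holidays the article says were not checked; the fixed UTC-5 offset and the sample timestamps are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Attribution clue from the article: compile timestamps sit between 9 a.m. and
# 5 p.m. Eastern Standard Time, on weekdays only. A fixed UTC-5 offset is
# assumed here to match the "EST" wording (no daylight-saving handling).
EST = timezone(timedelta(hours=-5), name="EST")

# Constructed sample of PE compile timestamps (UTC, ISO 8601). Illustrative
# values only, not timestamps taken from Equation Group binaries.
SAMPLE_COMPILE_TIMES_UTC = [
    "2013-03-12T15:30:00",  # Tue 10:30 EST -> business hours
    "2013-03-13T21:45:00",  # Wed 16:45 EST -> business hours
    "2013-03-14T14:05:00",  # Thu 09:05 EST -> business hours
    "2013-03-16T16:00:00",  # Sat 11:00 EST -> weekend
    "2013-03-18T08:00:00",  # Mon 03:00 EST -> weekday, off hours
    "2013-02-18T15:00:00",  # Mon 10:00 EST -> US federal holiday (Presidents' Day)
]

def to_local(iso_utc, tz=EST):
    """Parse a naive UTC ISO 8601 timestamp and convert it to the analyst's zone."""
    return datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc).astimezone(tz)

def work_pattern(iso_times, tz=EST, start_hour=9, end_hour=17, holidays=frozenset()):
    """Bucket compile times: 'business_hours' (weekday, start_hour <= hour < end_hour),
    'off_hours' (weekday outside that window), 'weekend', and 'holiday' (a weekday
    date found in `holidays`, checked before the hour test so it is not mistaken
    for normal office work). Returns (bucket counts, local hour-of-day histogram).
    """
    buckets = Counter(business_hours=0, off_hours=0, weekend=0, holiday=0)
    hours = Counter()
    for stamp in iso_times:
        local = to_local(stamp, tz)
        hours[local.hour] += 1
        if local.weekday() >= 5:            # Saturday=5, Sunday=6
            buckets["weekend"] += 1
        elif local.date() in holidays:
            buckets["holiday"] += 1
        elif start_hour <= local.hour < end_hour:
            buckets["business_hours"] += 1
        else:
            buckets["off_hours"] += 1
    return buckets, hours

def business_hours_share(buckets):
    """Fraction of all samples that land in the weekday 9-to-5 window."""
    total = sum(buckets.values())
    return buckets["business_hours"] / total if total else 0.0
```

A real investigation would feed in timestamps extracted from each binary's PE header and treat a high business-hours share only as one signal among several, since compile timestamps can be forged.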

      But there were a few new insights that the Kaspersky team found that show that there’s still a lot to learn about the Equation malware that’s sometimes called “EquationDrug.”

      One is that the team has identified 35 plug-in modules for the malware so far, but the numbering scheme of the plug-ins indicates that at least 101 have been created. Raiu also said that the malware’s unique ability to infect the firmware of hard disk drives works with most brands and types of hard disks currently on the market, as well as with solid state drives.

      However, there are limits to what the Equation malware can do. Raiu said that it does not appear that the malware can infect virtual storage or virtualized drives and it does not appear to be able to infect drives that are part of a RAID array. He added that this makes it appear that servers, and thus data centers, are not the target of the Equation malware. Instead, he said that it appears to be aimed at stand-alone computers or laptops.

      Raiu also noted that the Equation malware may have bumped up against new technology. “Most modern hard drives from top brands around the world have some additional security measures and they check to see if the firmware is original,” he said. “If it’s not, they don’t allow the firmware to work.”

      Additional research on the Equation malware by Symantec describes exactly how the malware functions. According to a statement in the company’s Security Response blog, an attack by the Equation malware takes place in stages.


      First, the targeted computer is invaded by the GrayFish Trojan, either through phishing or an infected USB memory drive. Once inside, it takes over the Windows boot process and stores its components in an encrypted virtual file system that Symantec says is hidden inside the Windows registry.

      The Symantec report goes on to say that the Equation malware uses a number of specialized worms for propagation, including one that’s designed to attack “air gapped” networks, meaning networks with no connection to the outside world.

      Either way, the first operational stage of the Equation malware is surveillance. Once resident on the targeted machine, the malware looks for indications that the computer contains information that would justify a more thorough examination.

      If the attackers decide that a computer’s information is worth a look, the malware may exfiltrate data either via the network or through a USB stick. However, it’s also possible that important data will be quietly stockpiled in small amounts on the infected device until a transmission is requested.

      The Kaspersky team said that one critical difference between the Equation malware and malware written by cyber-criminals is the way it selects information: the nation-state attackers take only the minimum amount of data necessary, as a way to avoid attracting attention.

      “It may seem unusual that a cyber-espionage platform as powerful as EquationDrug doesn’t provide all-stealing capability as standard in its malware core,” Raiu said in a prepared statement.

      “The answer is that they prefer to customize the attack for each one of their victims. Only if they have chosen to actively monitor you and the security products on your machines have been disarmed, will you receive a plugin for the live tracking of your conversations or other specific functions related to your activities. We believe modularity and customization will become a unique trademark of nation-state attackers in the future.”

      If there’s a ray of good news about the Equation malware, it’s that it may not be something that cyber-criminals can adopt. Raiu said that he thinks it’s beyond the ability of most cyber-criminals to reverse engineer the code, even though it’s available.

      He did, however, say that a cyber-criminal could create a crude payload for the Equation malware that could effectively corrupt the hard disks of attacked computers, making them useless. In that case, the only goal of the attack would be to cause destruction.

      Raiu said that his group is going to publish the details of the firmware infecting hard disks in the near future, along with a list of computers that include the ability to check their own firmware.

      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.