  1. #1 My Little Ixion

    Super hi-tech malware discovered by Kaspersky

    Wasn't sure if I should put this in the 'Look who got hacked today' thread or not. Kaspersky Labs has uncovered some of the most sophisticated malware ever seen.

    The seminar documentation itself stops short of naming who the Equation Group actually is, but several news outlets including the NY Times have named the NSA and/or US CyberCom.

    From a technical view: This is some seriously interesting shit. Highly targetable, highly configurable. At its highest levels, it has the ability to infect hard drive firmware and hide on USB drives to infect/map airgap networks. If it infects someone who isn't of interest to the program's controllers, it self-destructs. Some of the tech seems to have filtered down into more widely known malware (Grok, Stuxnet).

    From a socio-political view: It's hard not to think this is run by the NSA. You need serious funding and resources to run this, from hiring the best programmers to write it, to actively monitoring it with analysts, to running all the domains that the malware reports to. The list of victims (Pg. 20 in the Kaspersky doc @ Scribd) also says a lot about the focus of the group's attention. The most telling thing in my view though is the fact that here in the US the infection rate is low, and even then it's focused on 'Islamic Scholars' and 'Other/Unknown'. It seems to have been targeted at terrorist-related activity and hostile foreign governments, sleeper groups in friendly nations, homegrown terrorism and splinter groups.

    The last thing I believe this report reveals is that Snowden's leaks didn't reveal the whole picture. They confirmed the existence of Grok and Stuxnet, and alluded to a wider surveillance net, but his and Greenwald's accusations that this was some kind of NSA-is-spying-on-everybody thing were incorrect because he didn't have all the information. And that was deliberate; it's pretty clear that you didn't know about this thing unless you were directly involved. Yes, the capability to spy on anyone is there, but it was focused where it should have been. Sorry Eddie, you got it wrong.

  2. #2 Sea Torques

    So because this one malware isn't spying on everybody, their other programs that Snowden was aware of aren't too?

  3. #3 BG Content

    The fewer places you use your super advanced malware, the harder it is to detect and capture. It makes absolute sense that they would use their most advanced tools sparingly.

    That doesn't mean they weren't doing all the things that we already know about, though.

  4. #4 Banned.

    Oh so it's not snooping on us yet, because somehow that makes everything ok. There's a lot of tech out there that we should not trust in the wrong hands, and it's important that we remember the government can fall into that category just as easily as anyone else.

  5. #5 Renegade Philosopher

    Quote Originally Posted by GoggleHead:
        Oh so it's not snooping on us yet, because somehow that makes everything ok. There's a lot of tech out there that we should not trust in the wrong hands, and it's important that we remember the government can fall into that category just as easily as anyone else.

    I don't think the typical person really grasps just how deep the rabbit hole goes with this stuff. Your data is almost guaranteed to be monitored automatically if you use an unencrypted connection, and is even more likely to be stored permanently if you do anything that's "out of the ordinary" (including use of encryption). The potential for future abuse on top of what there is already evidence for is massive, but unfortunately there's not really enough pushback from the average person to do anything about it.

  6. #6 Ridill

    Wait, so this is badbios?

    Quote Originally Posted by My Little Ixion:
        Yes, the capability to spy on anyone is there, but it was focused where it should have been. Sorry Eddie, you got it wrong.

    Yet to read the entire report, but if you believe they are not harvesting ALL of your metadata then you're naive.

    Edit:

    Just finished reading through; another good paper is: https://www.ibr.cs.tu-bs.de/users/ku...rs/acsac13.pdf

    A lot of this stuff has come to light in the past 1-2 yrs. We have a lot of papers and write-ups on modifying USB firmware: BadUSB, and BadBIOS, which was proposed by dragosr back in 2014 or so: http://blog.trendmicro.com/badbios-s...ad-really-bad/

    The ability to hide in sectors on the HDD isn't new; I'd be curious as to the code used to install the malware initially. I wonder if it uses some of the recent Windows discoveries such as the scrollbar overflow.

    The most interesting part to me is the air-gapped stuff. There have been a lot of talks and PoCs in the past month or so showing the ability to use Android apps to monitor keyboards in an air-gap lab, build your own USB charger that picks up wireless keyboard signals and sends SMS out with the stolen creds, and use speakers+microphone to spread infections. Crazy and cool stuff.

    But yeah, just because THIS suite was used to target those IP ranges, etc. doesn't mean a modified version isn't being used elsewhere. They speak about the convention CD-ROMs being set up for infection after being intercepted before making their way to scientists. They also only stumbled upon this while looking into Regin on a system that's loaded with shit out the ass.

    What I found fantastic/terrifying is that this was developed far back, whereas just now some people are tripping onto these same ideas/vectors.