
Is your MacBook infected with Equation Group malware?

  • I plan to check: 2 votes (22.2%)
  • Yes it is: 2 votes (22.2%)
  • I can't be sure either way: 5 votes (55.6%)
  • Total voters: 9
  • Poll closed.
Oh I forgot, it's on the internet, therefore it must be true....

BTW you can't infect the firmware on a drive without running an executable on the machine it is attached to...

But don't worry, "it's just physics".

Take a read at the article linked. If this really is the NSA (and a lot of evidence points to it) they have a nearly unlimited budget. The stuff that Equation Group has managed to pull off is truly mind-blowing: chaining multiple attacks together and even breaching air gaps. These guys know what they're doing. I wouldn't doubt they could gain root privileges, run kernel-level code, rewrite hard drive firmware, and control the entire booting process and handling from there on out completely silently.

The only thing is I'm most likely not worth their time, and it looks like they're actively trying to limit their attacks to their specific targets.
 

I did, I read it end to end. Still, to infect drive firmware that is mounted on a Mac, you need an executable to run on that Mac, and there is no evidence such exists or that Macs are being targeted.

Sure they can breach air-gaps, but they aren't going to breach my air-gap because they aren't going to try, because I'm not a target.

OP's logic is that because the US military has guns, they are pointing a gun at every single person's head and therefore anyone can get shot. That isn't and hasn't been demonstrated, nor is there any evidence to support it.

Such malware will be highly targeted. As with all things military, advertising your existence is counter-productive to the task in hand: the wider they indiscriminately "target", the more chance of discovery and countermeasures before the task is completed.
 
Fair enough, I see what you're saying, and yeah, I'm not really worried about it either, but it is an interesting situation. The fact that they could is pretty "scary".
 

Much more scary is that one of the means to breach an air gap is the logistics/supply chain...

To be honest though, I'm not too concerned if my HDD firmware periodically checks whether I have a nuclear-science centrifuge attached... (the Stuxnet targets).
 

All the malware we have collected so far is designed to work on Microsoft's Windows operating system. However, there are signs that non-Windows malware does exist. For instance, one of the sinkholed C&C domains is currently receiving connections from a large pool of victims in China that appear to be Mac OS X computers (based on the user-agent).

Changing the user agent of the browser is trivial.
What user agent would you like today?

https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

That is not to say that it's impossible, but the browser user agent is not a reliable indicator.
 
On my iPad, when I surfed for porn in private mode the other day, I opened a link and then tabs kept opening one after the other fast as heck. I had to force-close Safari, open it again, then close them all.

This only happens surfing for porn, so I'd say most of the problems in this world are created for people who surf porn or illegal software, illegal videos, illegal music, etc.

I only surf for porn... occasionally. Honest, it's only occasionally :D
 
I've been wondering if they've also infected SSD hard drives. Knowing the NSA, I'd say most likely. From what I've been reading in Kaspersky Lab's report it only mentions Windows so far, but again... NSA.

From the arstechnica.com article:

One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.

I'm pretty sure Micron never made a spinner, but they've made plenty of O.E.M. SSDs and of course their consumer SSDs are branded with the Crucial name.
 
Fourth, there is absolutely zero evidence that iOS or OS X devices are i

If you have sinkholed traffic originating from OS X, there is your evidence.

Whether the average user should be concerned is another question:

Should he be concerned about the NSA? Probably not. Should he be concerned about cyber criminals exploiting the same vulnerabilities (HDD firmware in this case)? ABSOLUTELY!
 
As already pointed out, the suggestion that OS X machines are affected is based solely on user agent information presented by computers that connected to the server. That is extremely unreliable information. For example, here is my user agent information presented to http://whatsmyuseragent.com
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Based on that, you'd expect I'm using Firefox as my browser on a Windows computer, when I'm really running Safari on OS X. It takes one simple menu selection to change that.
 

1) based solely on user agent information != zero evidence

We are not talking about court evidence here. When you are reverse engineering or doing forensics work (especially on evasive code like this), that's more than enough to make such an assumption, especially in large numbers.

2) How many users would actually change the UA? How many even know what a UA is, let alone changing it? I think you need to respect the researchers to know how to filter out noise from the statistics. They have to see it common enough to raise it.

Which version do you find more likely? A) A large number of Windows users setting their UA to OSX, or B) A large number of OSX UA coming from actual OSX clients?

3) What makes you think that they don't have access to the firmware code used in Apple devices like they did with other manufacturers?
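The user-agent dispute in this thread (the browser UA is trivially changed, versus researchers filtering noise from large samples), as an added example that is not from any poster here nor from Kaspersky's report: a small Python parser over constructed sinkhole-style access-log lines (sample data, not real sinkhole traffic) tallies self-reported OS families the way a "based on the user-agent" observation does, and flags clients whose reported OS changes between requests, which is one cheap consistency check an analyst could apply before trusting such a tally.

```python
import re
from collections import defaultdict

# Constructed access-log lines in common log format; the first UA string is the one
# quoted earlier in the thread. Not real Equation Group sinkhole data.
SAMPLE_LOG = """\
10.0.0.1 - - [18/Feb/2015:08:53:27 +0000] "GET /check HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0"
10.0.0.1 - - [18/Feb/2015:08:55:01 +0000] "GET /check HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18"
10.0.0.2 - - [18/Feb/2015:09:01:44 +0000] "GET /check HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2"
10.0.0.3 - - [18/Feb/2015:09:02:10 +0000] "GET /check HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
"""

# Client IP is the first field; the User-Agent is the last quoted string on the line.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<ua>[^"]*)"$')

def os_family(ua):
    """Self-reported OS family from a User-Agent string. This is only what the
    client chose to send; a one-click switcher makes any value possible."""
    if "Windows NT" in ua:
        return "Windows"
    if "Mac OS X" in ua:
        return "OS X"
    return "Unknown"

def parse_log(text):
    """Return a list of (ip, ua) tuples, skipping lines that do not parse."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append((m.group("ip"), m.group("ua")))
    return out

def os_counts(records):
    """Naive per-request tally: the kind of number a 'based on the user-agent' claim rests on."""
    counts = defaultdict(int)
    for _, ua in records:
        counts[os_family(ua)] += 1
    return dict(counts)

def inconsistent_clients(records):
    """IPs that presented more than one OS family: a host does not change operating
    system between requests, so these records should be discounted, not counted."""
    seen = defaultdict(set)
    for ip, ua in records:
        seen[ip].add(os_family(ua))
    return sorted(ip for ip, fams in seen.items() if len(fams) > 1)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(os_counts(recs))             # {'Windows': 2, 'OS X': 2}
    print(inconsistent_clients(recs))  # ['10.0.0.1']
```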
 
1) based solely on user agent information != zero evidence
There has been no evidence presented that any OS X computers are infected. The only evidence is that some computers with the user agent showing OS X connected with servers. That doesn't prove those computers were running OS X, and it certainly doesn't prove they connected as a result of any malware infection. It's all guesswork on the part of Kaspersky, with not enough information to even make an intelligent guess.
2) How many users would actually change the UA? How many even know what a UA is, let alone changing it?
How many connections were from computers whose user agent showed OS X?
Which version do you find more likely? A) A large number of Windows users setting their UA to OSX, or B) A large number of OSX UA coming from actual OSX clients?
Unlike Kaspersky, I don't make wild assumptions based on such unsubstantiated and nonspecific data. Kaspersky doesn't even specify the numbers involved. The point is that their assumptions are based on information that is completely unreliable.
3) What makes you think that they don't have access to the firmware code used in Apple devices like they did with other manufacturers?
There is no evidence to support that theory.
 