Anti-virus researchers at Kaspersky Lab have uncovered evidence of what they describe as the most sophisticated malware operation yet documented, carried out by a group they call the Equation Group, including modules which can reprogram and infect the firmware of hard drives and solid-state drives.

The Global Research and Analysis Team (GReAT) of anti-virus specialist Kaspersky Lab has released a report into a team of malware writers it calls the Equation Group, including evidence linking the group to the US government, most likely the National Security Agency. The most surprising of the report's claims: that the Equation Group's malware can overwrite and infect the firmware of storage devices, giving it a foothold beneath the operating system from the very start of the boot process, where no anti-virus or other software running on the host can inspect it, let alone remove it.

Kaspersky's account of the Equation Group begins in 2009, when an anonymous scientist, identified only under the pseudonym Grzegorz Brzęczyszczykiewicz, received a CD-ROM containing a slideshow from a conference he had attended - a CD-ROM which infected his system with what the company describes as the creation of 'an almost omnipotent cyberespionage organization that had just infected his computer through the use of three exploits, two of them being zero-days.' The company's analysis of the group's creations has taken several years, and has found traces of its handiwork stretching back to 1996. Its most notable creations are a series of Trojan horses identified under somewhat questionable codenames: EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Grayfish, and Fanny.

Of these, Grayfish and EquationDrug are the most notable, for containing a plugin which reprograms the firmware of a hard drive or flash storage device connected to the target system, hiding the malware inside the device itself rather than in any file system it holds. 'The plugin supports two main functions,' Kaspersky's detailed report (PDF warning) claims. 'Reprogramming the HDD firmware with a custom payload from the Equation group, and providing an API into a set of hidden sectors (or data storage) of the hard drive.' The claimed result: an infection which survives a full format of the drive, a secure erase and an operating system reinstall, since none of those operations touch the firmware, coupled with a hidden block of persistent storage on the drive which the host operating system cannot see but which the malware can read from and write to at will.

The modules uncovered by Kaspersky include references to a number of high-profile storage vendors: Maxtor, Seagate, Western Digital and Samsung drives are supported by the earliest version of the module, while an upgraded version adds HGST, IBM, Hitachi, ExcelStor and Toshiba drives, along with solid-state devices from Micron, OCZ, OWC, Corsair and Mushkin. 'The Equation Group's HDD firmware reprogramming module is extremely rare,' Kaspersky's report notes. 'During our research, we've only identified a few victims who were targeted by this module. This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances.'
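The two passages above describe a capability the host operating system cannot see directly, which is the practical problem for defenders: there is no host-side API for reading back and verifying a drive's firmware image. What a practitioner can do cheaply is keep an inventory of the drives in a fleet, record the firmware revision each one reports, and flag changes. The script below is an added example written for this page, not Kaspersky's tooling or anything from the report. It parses `smartctl -i` output (a constructed sample is embedded, with invented serial numbers and firmware strings) into a drive inventory, diffs it against a previously recorded baseline to flag firmware revision changes and new or missing drives, and tags the vendor families the article lists. The function names (`parse_smartctl_info`, `compare_to_baseline`, and so on) are this example's own.

```python
import re

# Vendor families the article lists as targeted by the two versions of the module.
# A match is only an inventory hint; it says nothing about whether a drive is infected.
REPORTED_VENDOR_TOKENS = (
    "MAXTOR", "SEAGATE", "WDC", "WESTERN DIGITAL", "SAMSUNG", "HGST", "IBM",
    "HITACHI", "EXCELSTOR", "MICRON", "TOSHIBA", "OCZ", "OWC", "CORSAIR", "MUSHKIN",
)

# Lines of interest in `smartctl -i` output (SATA drives print "Device Model",
# NVMe drives print "Model Number").
FIELD_RE = re.compile(
    r"^(Device Model|Model Number|Serial Number|Firmware Version):\s*(.+?)\s*$", re.M
)


def parse_smartctl_info(text):
    """Return {"model", "serial", "firmware"} from one drive's `smartctl -i` output."""
    fields = dict(FIELD_RE.findall(text))
    return {
        "model": fields.get("Device Model") or fields.get("Model Number"),
        "serial": fields.get("Serial Number"),
        "firmware": fields.get("Firmware Version"),
    }


def vendor_family(model):
    """Best-effort vendor from the model string; Seagate models start with 'ST'
    and carry no vendor name, so they are handled as a special case."""
    m = (model or "").upper()
    for token in REPORTED_VENDOR_TOKENS:
        if token in m:
            return token
    if m.startswith("ST"):
        return "SEAGATE"
    return None


def compare_to_baseline(baseline, current):
    """Diff two {serial: {"model", "firmware"}} inventories.

    Returns a sorted list of (serial, finding) tuples. A firmware revision that
    changed outside a planned update, or a drive that appeared or vanished, is
    worth a closer look; an unchanged revision proves nothing on its own."""
    findings = []
    for serial, rec in current.items():
        old = baseline.get(serial)
        if old is None:
            findings.append((serial, "new drive not in baseline"))
        elif old["firmware"] != rec["firmware"]:
            findings.append(
                (serial, f"firmware revision changed {old['firmware']} -> {rec['firmware']}")
            )
        elif old["model"] != rec["model"]:
            findings.append((serial, "model string changed"))
    for serial in baseline:
        if serial not in current:
            findings.append((serial, "drive missing from current inventory"))
    return sorted(findings)


def inventory_from_outputs(outputs):
    """Build a {serial: record} map from a list of `smartctl -i` outputs."""
    inv = {}
    for text in outputs:
        rec = parse_smartctl_info(text)
        if rec["serial"]:
            inv[rec["serial"]] = rec
    return inv


# Constructed sample output modelled on `smartctl -i`; serials and firmware strings are invented.
SAMPLE_OUTPUTS = [
    """smartctl 7.2 2020-12-30 r5155 [x86_64-linux] (local build)
=== START OF INFORMATION SECTION ===
Model Family:     Seagate Barracuda 7200.14 (AF)
Device Model:     ST1000DM003-1CH162
Serial Number:    Z1D00001
Firmware Version: CC49
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
""",
    """smartctl 7.2 2020-12-30 r5155 [x86_64-linux] (local build)
=== START OF INFORMATION SECTION ===
Model Family:     Western Digital Red
Device Model:     WDC WD40EFRX-68N32N0
Serial Number:    WD-WCC700000001
Firmware Version: 82.00A82
""",
]

# Constructed baseline recorded earlier: the WD drive's revision has since changed and
# a Samsung SSD that was present then is no longer seen.
BASELINE = {
    "Z1D00001": {"model": "ST1000DM003-1CH162", "firmware": "CC49"},
    "WD-WCC700000001": {"model": "WDC WD40EFRX-68N32N0", "firmware": "82.00A80"},
    "S2R5NX0J000001": {"model": "Samsung SSD 850 PRO 256GB", "firmware": "EXM02B6Q"},
}


def run_check():
    """Parse the sample outputs and diff them against the baseline."""
    current = inventory_from_outputs(SAMPLE_OUTPUTS)
    return compare_to_baseline(BASELINE, current)


if __name__ == "__main__":
    for serial, finding in run_check():
        print(serial, finding)
    for rec in inventory_from_outputs(SAMPLE_OUTPUTS).values():
        print(rec["serial"], "vendor family:", vendor_family(rec["model"]))
```

Note the limit, which follows directly from the report's own claims: an implant that has rewritten the firmware also controls the strings the drive returns to the host, so an unchanged revision is not evidence of a clean drive. What the check does give is a list of drives in the affected vendor families and a way to catch revision changes that were not part of a planned update; a drive flagged here merits pulling and imaging rather than further host-side inspection.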

Kaspersky's discovery appears to be linked to a National Security Agency document, published by Der Spiegel (PDF warning), which advertised for an intern to work at the agency on 'a covert storage product that is enabled from a hard drive firmware modification.' While the job posting, dated 2006, suggests that the technology would be used to hide half the capacity of a drive from its user for covert storage, the resemblance to the hidden-sector storage provided by the Equation Group's firmware module points to the NSA's involvement.

More details are available on Kaspersky's website.