Equation group malware - Is Linux also affected

Recently Kaspersky reported on Equation Group malware. While they claim that Windows and Mac are affected, they haven't said anything about Linux. Any ideas, guys?
http://anonhq.com/kaspersky-exposes-massive-us-spying-program-your-pc-may-be-infected-too/
http://www.pcworld.com/article/2884952/equation-cyberspies-use-unrivaled-nsastyle-techniques-to-hit-iran-russia.html

I have read nothing specific to this ‘equation group’ and GNU/Linux directly.

But if you read the articles on this, you will note one of their tools is to install an MS-Windows application that will re-write the BIOS, making it impossible to remove even if the hard drive is reformatted, i.e. the app would continually re-install itself. The details of its re-install, and how it does such, were not, to the best of my knowledge, detailed/explained. My view is that definitely opens up the possibility that GNU/Linux could be infected, if not directly, then via MS-Windows in a dual boot setup.

Plus there are a number of recent security updates for GNU/Linux blocking holes in GNU/Linux, where hackers could have obtained access. My guess is this is not the end of security holes in GNU/Linux being found.

Note in such a case of someone having an exploit to an OS and wanting to use the same exploit, this access to an OS needs to be kept as quiet as possible for as long as possible, by those who have access.

wrt my own view, I would be very surprised if GNU/Linux has not been compromised for a long time. But that is just a personal view with lots of speculation on my part.

Reading the Kaspersky report on Equation Group http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf they say that Windows is most affected and also Mac OS up to some extent (page 22, "13. Have you seen any non-Windows malware from the Equation group?").

Also, they say the malware cannot be removed after reinstallation of the OS. What I'm asking here is: suppose the user has only GNU/Linux on their system (no other OS), then would it be possible to exploit the system?

Also the mechanism of exploitation says "The malware installer uses escalation of privilege exploits to install DoubleFantasy payload" (page 16). IMO it's not that easy to escalate privilege; it always requires the root password.

So, I want to believe Linux won't be affected so easily.

That is one specific attack method by an organization with absolutely massive resources. Do you believe that will be their only tool?

So, you may be able to get rid of it by flashing the BIOS from an external boot device. Or not, if the compromised BIOS has a subroutine to prevent this. With the increased/surplus size of UEFI memory, that may well be possible, so the only solution would be to send the laptop/MoBo for someone to erase the BIOS - if it’s still EEPROM or similar.

But I think it’s a matter of time until we have a hardware switch/jumper that will reinstall the original firmware regardless of what is running the BIOS, similar to the CLEAR CMOS jumper every desktop MoBo has.

Even today, one can buy firmware for many laptops, where one can modify the firmware to have the laptop 'call home' if stolen, where this firmware will survive a hard drive reformatting. For example absolute.com offers firmware that one can buy commercially, and here is a link to their laptop BIOS compatibility list: Partners | BIOS & Device Compatibility | Absolute. If absolute.com can sell this commercially, imagine the use that a massively funded spy operation can put such technology to.

Of course, who is going to nominally re-write the BIOS on their computer? How can one even detect that one's BIOS has been compromised? IMHO it's not simple.

I would comment more, but then I diverge from the technical and get into the political, which I wish to avoid.

The product in this case, I believe, was LoJack (from this site: Leader in Data and Device Protection - Absolute Home & Office). For all I know there could be other companies that offer the same.

Hi,

[RANT]Maybe UEFI/EFI was created for that kind of purpose… installing spyware/malware without the user's knowledge. There were some rumors with that kind of firmware, you know.[/RANT] rotfl!

Hi
Other way around… LoJack writes to the MBR, no MBR with UEFI…

Well, let's be honest, no OS is fully bulletproof; however, I think this issue could be more easily avoided under Linux due to its code being easily patched.

To the best of my knowledge, the Toshiba Z930 Ultrabook (that I own) is nominally sold only with UEFI configured. LoJack have a BIOS replacement for it. That makes me question the assertion that LoJack does not work with UEFI fitted machines. (Unless the LoJack software is designed to only work with the UEFI functionality disabled?)

I dug through the LoJack website a bit, but could find a reference to an MBR-only restriction for its functionality.

I still maintain GNU/Linux is vulnerable. Here is an example of a user's (hacker's) investigation into hacking the firmware of a hard drive so that it can infect and steal data, etc., off of a GNU/Linux system. One has to dig a bit into the article to appreciate that the hack is to a GNU/Linux system (which makes sense, since many of the servers of the world run GNU/Linux). Sprites mods - Hard disk hacking - Intro

As I noted previously, I would be very surprised if an organization with absolutely massive resources would have only one specific attack method that did not include GNU/Linux. Everything I have read suggests tools/methods such as that noted in the above link I provided are within their arsenal of hacking tools.

Well, that does it! I'm buying a new MoBo every month! And a new drive to boot! (pun intended)

Hi
I have some great second ha[cke]nd drives you can use :wink: :wink:

I'm thinking out loud.
Are mechanical HDD drives the only ones susceptible, or are SSDs and other flash drives also susceptible?

If SSDs are also susceptible, and GNU/Linux is also, then Android is also susceptible.

What about the Blackphone by Silent Circle. Would it also be susceptible?

I would forget high-end tech and would use land-line phones / 1st gen mobile phones (like the Nokia 114) only. Or, I would move to a village and do farming and completely forget about tech. :wink:

Further, here is another article that goes into detail on how one of the most secure GNU/Linux systems (Tails) can be infiltrated: https://threatpost.com/new-bios-implant-vulnerability-discovery-tool-to-debut-at-cansecwest/111710 referencing capabilities recently released publicly wrt the National Security Agency's ANT division catalog of surveillance tools.

I believe this is another example illustrating how GNU/Linux systems are also vulnerable to determined Government-sponsored hacking attempts.

Further to this, The Register notes that most BIOSes can be hacked (Noobs can pwn world's most popular BIOSes in two minutes • The Register), independent of any OS on the PC, making it possible to deposit the sort of malware that the quoted "threatpost.com" article notes. It would surprise me if teams funded by the large resources available to a Government are not taking advantage of such.

Dumb question: Is the given attack method valid only for BIOS, or also with EFI with Secure Boot enabled?

Source: Global Surveillance Disclosures article at Wikipedia

Given the resources that a superpower has available, I see no reason why EFI should be excluded. Having typed that, you should note that is speculation on my part, and only those who meet the TOP SECRET//COMINT//REL TO USA, FVEY security caveat are likely to say for certain. For certain, anyone who has such a clearance should never answer that question. That clearance also clearly excludes non-US citizens, not to mention excludes many others from knowing. My personal preference, given the security caveat, is to leave this in the realm of speculation.

Having typed the above, I speculate it is PC-specific and a moving target, as new PCs with different EFIs are produced every day and there is a high degree of constant tool maintenance required for it to function…

Given the way this particular hack is alleged to work, you need something like a hard disk controller with the 'SMART' facilities, and the Three Letter Agencies need to have worked on the controllers from that particular hard disk manufacturer to exploit their controllers and facilities. There aren't that many (hard) disk drive manufacturers these days, and it seems that they have been prepared to work on all of the major ones and have them 'cracked'.

SSDs do have a traditional controller but 'thumb drives' don't, so there is no reason that SSDs couldn't be exploited off of, but thumb drives would need a modified version.

Android would need this, hypothetical, modified version.

There may be some additional reassurance with an SSD in that there is more market fragmentation… but that may probably be deceptive, in that there aren't many manufacturers of controllers (well, ones that have decent performance, anyway), so if the drive manufacturer uses the controller supplier's firmware, that may not get you anywhere, although that is a bit obscure.

@oldcpu

I still maintain GNU/Linux is vulnerable.

At least in the sense that if you are multi-booting from one hard drive, then it is. Given that Mac is fundamentally a BSD, there is no reason to think that a Linux distro would be invulnerable where a BSD would be vulnerable. That is not quite the same as saying that there is any evidence that there is an attack packaged up for a distro (might not be worth the bother to the authors???), but it would certainly be dangerous to place any great reliance on the authors not finding it worthwhile, or being too lazy (as yet).

The 'spritesmod' article is a different case again, and that shows it may not be necessary to have the SMART facility if you are really prepared to work at it (and, if you are a three letter agency, it would only be laziness or market fragmentation that would stop you).

Well, if you mean an Android phone, that's not clear, because they don't usually have a hard disk controller. There are single board computers that use Android, and that would be a different case, because they may use a controller (or may not).