Kaspersky Lab, a prominent antivirus vendor, has recently revealed that an advanced hacker group it calls the "Equation Group" has been successfully installing malicious firmware on hard drives from more than a dozen hard drive vendors (basically everyone). Because it reprograms the HDD (hard drive) firmware itself, the infection is extremely persistent and cannot be wiped by formatting the drive or by reinstalling the operating system. It acts as "an invisible, persistent storage hidden inside the hard drive". The malware is surreptitiously named "nls_933w.dll".
Although Kaspersky Lab does not name the NSA, Reuters' sources confirmed that this firmware was an NSA creation, and this is further evidenced by the malware's close links to other seemingly politically and defence-motivated malware programs such as Stuxnet and Flame.
On the bright side, the targets of this malware seem to be mainly in the Middle East or Russia, and according to Vitaly Kamluk, principal security researcher at Kaspersky Lab's Global Research and Analysis Team,
“Only a very select list of victims receive this. This is one of the most rare modules I have seen because it is so valuable, so they don’t want to expose it. It’s a precious plugin that’s used only in specific cases with somebody very important.”
It is also very hard to detect:
“It’s extremely hard to detect. From the software level it’s impossible. You have to disassemble your PC to take out the hard drive and give it to an expert to dump the firmware. And then we think very few people in the world would be capable of analyzing, comparing and revealing the malicious code within that firmware. It’s an extremely rare specialist in this area.”
So what do we do?
At the moment, it isn't clear how we can check whether we are infected, and our searches for a removal tool yielded only some unconvincing 'removal tools' of doubtful integrity. Just hang tight; in general, if you're not a high-value target, you are most likely not affected.