Kaspersky Lab discovered the spyware that infects hard disk, SSD or flash drives by reprogramming the drive firmware, which is the permanent software installed on a drive that makes it function.
The source of the spyware infection was named as the Equation group by Kaspersky Lab, but most sources are naming it as the US National Security Agency (NSA). For example, one of Computerworld’s headlines is: “There is no way of knowing if the NSA’s spyware is on your hard drive.”
That is true. Anti-virus/anti-malware scanners cannot detect an infection because it rewrites an infected computer’s hard drive’s firmware, which kicks into action as soon as the computer starts up. There is no way in which that firmware can be scanned and formatting or low-level formatting cannot put things right because the firmware is not changed in any way during any kind of formatting of a drive.
Kaspersky Lab has stated that the spyware has been discovered on hard disk and SSD drives made by all of the major drive manufacturers. For that to have been achieved, the spyware writers would have had to have the firmware source code from each of those manufacturers. Therefore, the question now is, how was that secret source code acquired?
Could it be that the major drive manufacturers are installing the spying firmware on to their drives in the factory. If so, even if the user downloads and installs the latest firmware for a particular drive to get rid of the spyware, it will be reinstalled along with it.
Western Digital (WD), second only to Seagate as a major hard-drive manufacturer, has denied any complicity, stating that the integrity of its products are of paramount importance.
The reprogrammed firmware is able to reserve disk space and download and install several types of spyware. Kaspersky has stated that it has discovered computers infected with one or more types of spyware in 30 countries, mainly in the East, Middle East and North Africa, including Russia and China.
The firmware reprogramming had only been detected on the computers of a relatively few targets, very probably the ones that would supply the most valuable information.
None of the stories on this security vulnerability states whether the infection can be removed or not by downloading and installing the latest firmware from the drive manufacturers’ websites. Firmware is specific to the make and model of drive it has been written for. This might be because the downloads are infected. I’ll post if this aspect is ever clarified.
