From page 18 of the paper (https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf)

...
'The disk is targeted by a specific serial number and reprogrammed by a series of ATA commands. For example, in the case of Seagate drives, we see a chain of commands: “FLUSH CACHE” (E7) → “DOWNLOAD MICROCODE” (92) → “IDENTIFY DEVICE” (EC) → WRITE “LOG EXT” (3F). Depending on the reflashing request, there might be some unclear data manipulations written to the drive using “WRITE LOG EXT” (3F)'
...

This three-letter agency did it with software, mostly using undocumented ATA commands.

A software approach would reach a larger audience, assuming not everyone knows electronics and/or can pull his/her HDD off.

Assuming no one knows the specifications for the ATA commands, or has the time/knowledge/samples to analyze and reverse engineer it, a request to the Kaspersky guys for such a tool seems the best approach.

-Virilha
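Added example, not from the post or the Kaspersky paper: a small detector that scans a per-drive ATA command trace for the ordered Seagate reflash chain quoted above (E7 FLUSH CACHE, 92 DOWNLOAD MICROCODE, EC IDENTIFY DEVICE, 3F WRITE LOG EXT). The trace format (sequence number, drive serial, opcode) and the sample records are constructed; where such a trace comes from (a SATA bus analyzer or host-side passthrough logging) is an assumption.

```python
from collections import defaultdict

# Opcodes from the Seagate chain quoted in the Kaspersky report. A lone FLUSH
# CACHE or IDENTIFY DEVICE is routine; DOWNLOAD MICROCODE is the telling step.
REFLASH_CHAIN = (0xE7, 0x92, 0xEC, 0x3F)
OPCODE_NAMES = {0xE7: "FLUSH CACHE", 0x92: "DOWNLOAD MICROCODE",
                0xEC: "IDENTIFY DEVICE", 0x3F: "WRITE LOG EXT",
                0x25: "READ DMA EXT", 0x35: "WRITE DMA EXT"}

# Constructed trace: (sequence number, drive serial, ATA opcode).
SAMPLE_TRACE = [
    (1, "SER-A", 0x25), (2, "SER-B", 0x25), (3, "SER-A", 0x35),
    (4, "SER-B", 0xE7), (5, "SER-A", 0xE7), (6, "SER-A", 0x92),
    (7, "SER-B", 0xEC), (8, "SER-A", 0xEC), (9, "SER-A", 0x3F),
    (10, "SER-A", 0x3F), (11, "SER-A", 0x25),
]


def _match_from(cmds, start, window):
    """Match REFLASH_CHAIN as an ordered subsequence of cmds[start:start+window].
    Returns the sequence numbers of the matched commands, or None."""
    want, seqs = 0, []
    for seq, op in cmds[start:start + window]:
        if op == REFLASH_CHAIN[want]:
            seqs.append(seq)
            want += 1
            if want == len(REFLASH_CHAIN):
                return seqs
    return None


def find_reflash_chains(trace, window=8):
    """Return {serial: [(seq, seq, seq, seq), ...]} for every drive whose
    command stream contains the full chain within `window` commands."""
    by_drive = defaultdict(list)
    for seq, serial, op in sorted(trace):          # per-drive, in time order
        by_drive[serial].append((seq, op))
    hits = {}
    for serial, cmds in by_drive.items():
        i = 0
        while i < len(cmds):
            seqs = None
            if cmds[i][1] == REFLASH_CHAIN[0]:     # chain starts at FLUSH CACHE
                seqs = _match_from(cmds, i, window)
            if seqs is None:
                i += 1
                continue
            hits.setdefault(serial, []).append(tuple(seqs))
            # resume scanning after the last command of this match
            i = next(j for j, c in enumerate(cmds) if c[0] == seqs[-1]) + 1
    return hits
```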

----- Message from grarpamp <[email protected]> ---------
   Date: Tue, 17 Feb 2015 21:03:48 -0500
   From: grarpamp <[email protected]>
Subject: Re: Extracting Equation Group's malware from hard drives
     To: cpunks <[email protected]>
     Cc: Cryptography Mailing List <[email protected]>


Does anyone know of any tools to extract the Equation Group's malware
from hard drive firmware?

You can pull firmware and even get a shell on most
drives with jtag and other pin headers. Search for it.


----- End message from grarpamp <[email protected]> -----
