One of the most worrying pieces of news to break recently is that secret services are able to subvert the firmware of a hard drive by flashing malicious code into it. The Kaspersky researchers who unveiled the new type of espionage tool say it is "better than anything else" they have seen to date.
The hacking tool is believed to be an NSA product, and it matters because a firmware compromise gives attackers full control of a system. It is called "nls_933w.dll", and it is the first of its kind to be used by both spy platforms (EquationDrug and GrayFish) discovered by Kaspersky.
More worrying still, it can create an invisible storage area on the victim's hard disk to hide data stolen from the system, so that the attackers can retrieve it later. This lets attackers intercept files even from encrypted disks. How?
When the computer is running, the data is decrypted. At that moment it is very easy to copy it to the very bottom of the disk, which is not encrypted.
How does it work?
Hard disks have a controller, essentially a mini-computer, that includes a flash memory chip or ROM holding the firmware code that runs the disk.
A trojanised firmware lets attackers persist in the system even if the software is updated; from then on the malicious code cannot be removed. Even if the victim suspects that the computer is infected and performs a fresh installation of the operating system, the malicious code in the firmware remains intact.
According to the researchers, the firmware can be installed on hard disk chips from many different vendors, such as IBM, Seagate, Western Digital and Toshiba.
The ROM chip containing the software includes a small amount of space that remains unused. If the ROM chip is 2 MB and the software fits into 1.5 MB, half a megabyte is left unused, and the attackers can use it to hide data.
So these super hackers do not need passwords if they can copy the entire directory from the operating system into a hidden space for later access. But how, when the space left free by the firmware is so small? The attackers need a larger hidden storage area, and fortunately for them, one exists: there are large sectors of the disk that are unused and could be used to secretly store data, even data that may have been deleted from the system.
An interesting PDF published in February 2013 by Ariel Berkman states: "there are sectors that not only cannot be accessed through standard tools, but also remain inaccessible to antivirus software."
According to Wired, Berkman reports that a particular Western Digital disk model has 141 MB set aside for a system service area but uses only 12 MB of it, leaving the rest free for hidden storage.
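The article's point about the unused tail of the ROM chip, and the same principle applied to the unused part of a service area, can be turned into a simple defensive check: once you have a dump of the firmware image (obtained with a vendor or forensic tool, which is outside this article's scope), anything beyond the region the legitimate firmware occupies should look like padding, and a run of high-entropy bytes there is worth a closer look. The script below is an added example and not code from the article, from Kaspersky, or from Berkman. It assumes the dump is a flat byte string, that the legitimate firmware length is known (here a constructed 48 KB out of a constructed 64 KB image), and that the vendor pads unused ROM with 0x00 or 0xFF; the "hidden payload" it plants in the sample image is constructed random data standing in for exfiltrated files.

```python
"""Scan the unused tail of a firmware image for data that is not padding.

Added example, not the article's code. The sample ROM image and the
legitimate firmware length are constructed here for illustration.
"""
import math
import random

ROM_SIZE = 64 * 1024        # constructed: stands in for a 2 MB ROM chip
FIRMWARE_LEN = 48 * 1024    # constructed: the part the real firmware occupies


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for random or encrypted data, 0.0 for a constant fill."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_hidden_regions(image: bytes, used_len: int, block: int = 256,
                        pad_bytes=(0x00, 0xFF)):
    """Return (offset, length, entropy) for each contiguous run of non-padding
    blocks located after used_len. A block counts as padding only if every byte
    in it is the same fill value (0x00 or 0xFF by default)."""
    regions = []
    current = None
    for off in range(used_len, len(image), block):
        chunk = image[off:off + block]
        blank = any(chunk == bytes([p]) * len(chunk) for p in pad_bytes)
        if blank:
            continue
        if current is not None and current[0] + current[1] == off:
            current[1] += len(chunk)          # extend the run we are already in
        else:
            current = [off, len(chunk)]       # start a new run
            regions.append(current)
    return [(o, n, round(shannon_entropy(image[o:o + n]), 2)) for o, n in regions]


def build_sample_image(hide_payload: bool) -> bytes:
    """Constructed ROM dump: pseudo-random 'firmware', then 0xFF padding.
    With hide_payload=True, a 4 KB random blob is planted inside the padding,
    imitating data stashed in the unused part of the chip."""
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    firmware = bytes(rng.getrandbits(8) for _ in range(FIRMWARE_LEN))
    tail = bytearray(b"\xff" * (ROM_SIZE - FIRMWARE_LEN))
    if hide_payload:
        payload = bytes(rng.getrandbits(8) for _ in range(4096))
        tail[8192:8192 + 4096] = payload
    return firmware + bytes(tail)


def report(image: bytes, used_len: int) -> str:
    """Human-readable verdict for the unused region."""
    regions = find_hidden_regions(image, used_len)
    if not regions:
        return "unused region is clean padding"
    lines = [f"{len(regions)} non-padding region(s) found after offset {used_len:#x}:"]
    for off, n, ent in regions:
        lines.append(f"  offset {off:#x}, {n} bytes, entropy {ent} bits/byte")
    return "\n".join(lines)


if __name__ == "__main__":
    print("clean image:", report(build_sample_image(False), FIRMWARE_LEN))
    print("image with planted data:")
    print(report(build_sample_image(True), FIRMWARE_LEN))
```

The block-based comparison deliberately ignores individual 0x00 or 0xFF bytes inside a suspicious run, so a hidden blob that happens to contain fill bytes is still reported as one region rather than fragmented; the entropy figure then helps distinguish compressed or encrypted stash data from, say, a vendor's plaintext configuration table. The same scan can be pointed at a dump of a drive's service area, with `used_len` set to the size the vendor firmware actually consumes.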