Mitigation against sneakerware

What are the mitigation measures against the sneaky-ware below?

Is AV or IPS more relevant in mitigating against it?

Is DDoS mitigation (using clean-pipe etc.) effective?


Super-sneaky malware found in companies worldwide

A shadowy hacking group has infected computers at companies, universities and governments worldwide with the sneakiest malware ever. The mysterious group, which researchers nicknamed "the Equation group," uses malware that's unusually quiet, complex and powerful.

The Equation group also appears to have ties to Stuxnet, the computer worm that sabotaged Iran's nuclear enrichment program in 2010 and was later revealed to be a joint U.S.-Israeli project. The malware attacked Windows computers, Macs and even iPhones.

Security researchers have documented 500 infections by the Equation Group and believe that the actual number of victims likely reaches into the tens of thousands because of a self-destruct mechanism built into the malware. They have also reportedly uncovered state-created spyware hidden in the hard drive firmware of more than a dozen of the largest manufacturer brands in the industry, including Samsung, Western Digital, Seagate, Maxtor, Toshiba and Hitachi.

These infected hard drives would have given the cyber criminals persistence on victims' computers and allowed them to set up secret data stores on the machines, which are accessible only to the malicious hackers. One of the most sophisticated features of these notorious hacking tools is the ability to infect not just the files stored on a hard drive, but also the firmware controlling the hard drive itself. The malware is hidden so deep within the hard drive that it is difficult to detect or remove.

The campaign infected tens of thousands of personal computers with one or more of the spying programs in more than 30 countries, with most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

The targets included government and military institutions, telecommunication providers, banks and financial institutions, energy companies, nuclear researchers, mass media organisations, and Islamic activists among others.

Security researchers are calling the malware the "ancestor" of Stuxnet and Flame, the most sophisticated and powerful threats, which were specially designed to spy on and sabotage ICS and SCADA systems.

For the original news, kindly go to:

Potential Impact

- Infection of files stored on the hard drive as well as of the drive firmware
- Data exfiltration
- Network mapping
- Malware that is hard to detect and difficult to remove
- Secret data stores set up on the machines that are accessible only to the malicious hackers
btan (Exec Consultant) commented:
(At least to me) sneakerware is just another combination of the malware families, with a mixture of spyware, RAT and rootkit capabilities. In short, it can be any stealthy APT-type attack like the Equation group one shared. They are not the script kiddies or the opportunistic ones going for one single kill out of curiosity or simply towards identity theft.

As with all APT-type groups, they focus very much on in-depth research, further recon, penetration into and lateral movement within the target's internal network, quickly surfacing known vulnerabilities and exploiting them using their "precious" or "customised" (unknown) zero-day exploits, and finally persisting with multiple channels to call back to their mothership with the exfiltrated "goldmine" and more trait information on the victim's architecture, management plans, etc. They are proxy aware and likely to be from a cluster of known APT groups, highly likely state-sponsored, based on the "commonly" pointed-to ones like the US, UK, Russia and China. You can easily see and read about this in the threat reports, especially on Equation, from the various leading AV and security research lab providers.

A1: The Equation modus operandi as listed is not a simple task; once exploited, it is very hard to detect unless they surface an anomaly that can be detected based on known signatures or behaviours by anti-malware or AV at the endpoint. The network checkers at the boundary and endpoints will be just service- and port-based, which known HTTP or known services will be tunnelled through and even secured, making these checkers blind. You need more than just their logs; raw packet analysis is also required to surface anomalies.

The worry is the deep planting of the BIOS firmware (which can be like past attacks such as the Shamoon, Destover and DarkSeoul malware that destroyed machines), and even then no technology can simply sense that once these bootkits capture the whole OS. I do see a clean-slate client VM instance that reverts back on each reboot as a means for really easily exposed public terminals. Also control all external device interfaces (susceptible to BadUSB, Thunderstrike, etc.) and enforce application whitelisting to reduce exposure. There is likely to be a trade-off in user experience using this too, so measure your environment's risk appetite.

A2: As in A1, it is defence in depth, but do not rely just on this: eventually the known signatures can be detected, but such APT groups have customised ones to easily break traditional defences.

I believe you know about the breach detection, network forensic and threat management technology from most of the network security providers like Cisco, FireEye, Trend Micro, Bluecoat... The IOCs in the reports from Kaspersky Lab will help to kill off the known ones... for now. The payload may be the same but the stager and callback will vary. This will need continuous monitoring; start off early to check against your environment's baseline to surface anomalous activities early via the SIEM in your SOC (and not simply the NOC).

A3: In this case, Equation is not a DDoS network, unlike hacktivists whose intent is to bring down or impact public reputation. In short, they want to shame the victim as a strong public reminder (or should I say of their dissatisfaction). DDoS requires huge botnets and impacts the ISP too, with ranges of 1-2 Gbps to more than 30-40 Gbps and even above 300 Gbps as a real attack. I would see them as a smokescreen, as eventually the cost factor and returns need to be justified, and the underground market already offers DDoS as a Service to make it easy to launch an attack based on the duration required.

You can find out more by googling those and even this "LizardStresser". The case of cyber espionage is not similar to cyber sabotage; DDoS is more of the latter while Equation schemes are of the former. The Equation folks want stealthiness, though DDoS can help to distract the incident responders as required, but it is likely another team would perform that on some strategic day when Equation has surfaced enough intelligence to make further advances to sabotage, per their long-term strategy.

Clean pipe is not 100% for DDoS, as application-level attacks can bypass it easily. Some ISPs have added mechanisms to clean even such traffic, but I do not see assurance on how SSL traffic can be cleaned, and even then fragments of legitimate-looking build-up of DDoS traffic are unlikely to trigger the clean pipe, as cleaning is either removal or replacement of known threats inside the packet. It is not in-depth enough to clean application DDoS when protocol vulnerabilities are being exploited; it cannot even determine a weak trigger for cleaning when, in fact, there is nothing to clean in the first place.
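The two checks the answer above describes (killing off the known indicators from a vendor IOC list, and surfacing anomalies against your own baseline with continuous monitoring) as an added example, not code from the thread or from any vendor. The indicator set and the proxy log lines are constructed placeholders (".invalid" hostnames, RFC 5737 test addresses), not real Equation indicators; the log format is an assumed simplified proxy format. The second check goes beyond the answer's wording: it flags any client/host pair contacted at near-constant intervals, because a stager's callback tends to be periodic even when its destination is on no list yet.

```python
"""Network-indicator matching and periodic-callback detection over proxy logs.

Added example; not from the thread. The indicator set and the log lines
are constructed placeholders (".invalid" hostnames, RFC 5737 test addresses),
not real Equation Group indicators.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re
import statistics

# Constructed indicator set, in the shape a vendor IOC list would take.
IOC_DOMAINS = {"update.c2-example.invalid"}
IOC_IPS = {ipaddress.ip_address("203.0.113.10")}

# Constructed proxy log: "<iso-timestamp> <client> <method> <host:port> <status> <bytes>"
SAMPLE_LOG = """\
2015-02-17T09:00:00 10.0.0.5 GET cdn.beacon-example.invalid:443 200 512
2015-02-17T09:03:12 10.0.0.5 GET www.example.com:443 200 14021
2015-02-17T09:10:00 10.0.0.5 GET cdn.beacon-example.invalid:443 200 510
2015-02-17T09:14:41 10.0.0.7 GET update.c2-example.invalid:80 200 2048
2015-02-17T09:20:00 10.0.0.5 GET cdn.beacon-example.invalid:443 200 511
2015-02-17T09:27:05 10.0.0.5 POST www.example.com:443 200 3310
2015-02-17T09:30:00 10.0.0.5 GET cdn.beacon-example.invalid:443 200 512
2015-02-17T09:40:00 10.0.0.5 GET cdn.beacon-example.invalid:443 200 509
2015-02-17T09:41:30 10.0.0.9 CONNECT 203.0.113.10:443 200 980
2015-02-17T09:50:00 10.0.0.5 GET cdn.beacon-example.invalid:443 200 512
2015-02-17T09:58:59 10.0.0.5 GET www.example.com:443 304 0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\w+) (?P<dst>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["host"] = rec["dst"].rsplit(":", 1)[0]  # strip the port
        records.append(rec)
    return records


def ioc_hits(records):
    """Return (client, host, kind) for every record touching a known indicator."""
    hits = []
    for r in records:
        host = r["host"]
        try:
            if ipaddress.ip_address(host) in IOC_IPS:
                hits.append((r["src"], host, "ip"))
            continue  # an IP literal that is not listed is simply not a hit
        except ValueError:
            pass  # not an IP literal: fall through to the domain check
        # Match the indicator domain itself and any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((r["src"], host, "domain"))
    return sorted(hits)


def beacons(records, min_count=5, max_jitter=0.1):
    """Flag (client, host) pairs contacted at near-constant intervals.

    Baseline anomaly check: a low coefficient of variation of the gaps between
    requests is suspicious even when the destination is on no indicator list.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r["ts"])
    flagged = []
    for (src, host), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            flagged.append((src, host, round(mean), round(jitter, 3)))
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(recs):
        print("IOC hit:", hit)
    for b in beacons(recs):
        print("periodic callback:", b)
```

On the constructed log, the two indicator matches are the domain and IP hits from 10.0.0.7 and 10.0.0.9, while 10.0.0.5 calling cdn.beacon-example.invalid every 600 seconds with zero jitter is flagged by the baseline check alone. Real stagers add random sleep, so tune `max_jitter` against your own traffic; the point of the SOC baseline is that the threshold is set from what your network normally does, not from a vendor list.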
Don Johnston (Instructor) commented:
Q1: Up to date AV.  Or you could disable external USB ports but that could impact the functionality of the computer.

Q2: IPS won't really help since the virus or malware is being introduced internally.  Although, I suppose you could have all internal traffic go through IPS as well.  But that seems like a kludge.

Q3: I don't think so as this doesn't appear to be DDOS attack.
sunhux (Author) commented:
Thanks; bear with me, what do the following stand for:

btan (Exec Consultant) commented:
no worries.
IOC - indicator of compromise
APT - Advanced Persistent threats
SIEMS - Security information & Event Management systems

You can read about Equation on Securelist (Kaspersky Lab).

NSS Labs has also shared observations on next-generation defence technology.
Oleksiy Gayda commented:
Specifically on the Equation Group's HDD firmware exploit: the scary bit is that it is virtually impossible to detect by scanning (because it exists "below" the OS level, and the majority of HDD firmware is "write only" by design, as a means of protecting the manufacturer's intellectual property, so it cannot be scanned even with specialized tools), and it will survive even a drive reformat and OS reinstall.

I suppose that, theoretically, you could wipe the drive then flash its firmware with the manufacturer-provided one, ensuring that Equation firmware is overwritten, but there is no guarantee that it doesn't persist by copying itself back and forth between firmware and drive areas while you're performing each of the clean-up steps.

You can always just whack the drive with a hammer a couple of times, and replace it with a brand new one...
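A drive firmware inventory check of the kind the comment above leads to, added here as an example that is not from the thread or from smartmontools. It parses the output of `smartctl -i /dev/sdX` (the samples below are constructed in that format for ATA drives; every model name, serial and firmware string is invented) and compares each drive against an assumed approved-firmware list and an assumed previous inventory keyed by serial number. The caveat is the comment's own point: the version string is reported by the firmware itself, so a reprogrammed drive can report whatever it likes. The check catches drift and mistakes after a reflash, not a determined implant, which is why the comment ends at replacing the drive.

```python
"""Drive firmware inventory check from smartctl output.

Added example; not from the thread. The smartctl text below is constructed in
the format `smartctl -i /dev/sdX` (smartmontools) prints for ATA drives; every
model, serial and firmware string is invented.
"""
import re

# Constructed `smartctl -i` output for three drives.
SMARTCTL_SAMPLES = {
    "/dev/sda": """\
=== START OF INFORMATION SECTION ===
Model Family:     Example Vendor Desktop
Device Model:     EXV-1000
Serial Number:    EXV1000-00001
Firmware Version: 1.02A
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
""",
    "/dev/sdb": """\
=== START OF INFORMATION SECTION ===
Model Family:     Example Vendor Desktop
Device Model:     EXV-1000
Serial Number:    EXV1000-00002
Firmware Version: 9.99X
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
""",
    "/dev/sdc": """\
=== START OF INFORMATION SECTION ===
Device Model:     OTH-500
Serial Number:    OTH500-77777
Firmware Version: 2.0
User Capacity:    500,107,862,016 bytes [500 GB]
""",
}

# Approved firmware per model (assumed; in practice taken from the vendor's
# download page or from your own golden images).
APPROVED_FIRMWARE = {"EXV-1000": {"1.02A", "1.03B"}}

# Result of the last inventory run, keyed by serial number (assumed).
PREVIOUS_INVENTORY = {"EXV1000-00001": "1.02A", "EXV1000-00002": "1.02A"}

FIELD_RE = re.compile(
    r"^(Device Model|Serial Number|Firmware Version):\s+(\S.*?)\s*$", re.MULTILINE
)


def parse_smartctl_info(text):
    """Pull model, serial and firmware out of `smartctl -i` text."""
    fields = dict(FIELD_RE.findall(text))
    return {
        "model": fields.get("Device Model"),
        "serial": fields.get("Serial Number"),
        "firmware": fields.get("Firmware Version"),
    }


def assess_drive(info, approved=APPROVED_FIRMWARE, previous=PREVIOUS_INVENTORY):
    """Return a list of finding strings for one drive (empty list = clean)."""
    if None in info.values():
        return ["could not parse model/serial/firmware"]
    findings = []
    known = approved.get(info["model"])
    if known is None:
        findings.append("unknown model")
    elif info["firmware"] not in known:
        findings.append("unapproved firmware %s" % info["firmware"])
    last = previous.get(info["serial"])
    if last is None:
        findings.append("no prior inventory record")
    elif last != info["firmware"]:
        findings.append(
            "firmware changed since last inventory (%s -> %s)" % (last, info["firmware"])
        )
    return findings


def assess_all(samples=SMARTCTL_SAMPLES):
    """Map device path to findings.

    Caveat: the version string is reported by the firmware itself, so a
    reprogrammed drive can lie. This catches drift and mistakes, not a
    determined implant.
    """
    return {dev: assess_drive(parse_smartctl_info(txt)) for dev, txt in samples.items()}


if __name__ == "__main__":
    for dev, findings in assess_all().items():
        print(dev, "OK" if not findings else "; ".join(findings))
```

On a live host, feed the stdout of `smartctl -i` for each block device into `parse_smartctl_info` and persist the result as the next `PREVIOUS_INVENTORY`. A drive whose reported firmware changes between runs without a planned reflash is worth pulling for the hammer-and-replace treatment described above, and a drive whose firmware never changes proves nothing.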
btan (Exec Consultant) commented:
Indeed, a bootkit of that sort went beyond into hardware planting, and if you follow the NSA catalogue, there are similarities to "IRATEMONK". Equation used two modules belonging to EquationDrug (for use on older Windows operating systems) and GrayFish, in the same light, to reprogram hard drives to give the attackers persistent control over a target machine. I really doubt there is an effective means of removing those, except not using them and retiring that hardware from further usage.