Alexelsevier's Security Config

[alexelsevier]

1. Can all the family of Equation Group malware be found with antivirus check by Kaspersky or other software, using advanced options?

2. Can Equation group malware system replace or modify drivers, hard drive firmware, make other changes in system loading, if Secure boot is on and there is software with Elam support?

3. Are these changes fixed if they can do it in question 2 conditions?

4. Can be changes be fixed, blocked or reported by TPM module, if they are not fixed by Secured boot?

5. Can Secure boot and TPM module prevent infected system from Loading?

6. Can security or other software tools intercept or prevent direct malware modules interactions?

7. Can these tools intercept or prevent their interaction through windows system?

8. Are there any hard drives firmware can not be compromised by malware or any ways without physical manipulations?

9. Can the malwares and core of Equation group hide themselves and other components to become invisible for behavioral analysis? Especially I am interested in the effectiveness of Kaspersky software control and Comodo Internet Security HIPS.

10. What signs point on the high possibility that the firmware is patched by Equation group or mother malware? Can there be some files or virtual file systems on the drive?
11. let us assume we can safely change firmware everyday, can Equation drug repeat its infection?

 

[hjlbx]

Kaspersky discovery-detected Equation malware and wrote White Paper about it. Did you read it?

http://www.kaspersky.com/about/news/virus/2015/Equation-Group-The-Crown-Creator-of-Cyber-Espionage/

Comodo Internet Security - difficult to ascertain. Best to submit questions to @BuketB . She is Comodo Internet Security Project Manager...

 

[Tony Cole]

That my friend is something you, nor I will never know. If the Equation group does exsist, then it is probably a government agency i.e., the NSA.

 

[alexelsevier]

Kaspersky discovery-detected Equation malware and wrote White Paper about it. Did you read it?

http://www.kaspersky.com/about/news/virus/2015/Equation-Group-The-Crown-Creator-of-Cyber-Espionage/

Comodo Internet Security - difficult to ascertain. Best to submit questions to @BuketB . She is Comodo Internet Security Project Manager...

These questions are formed because I have read all the Kaspersky online materials. Frankly speaking, I shall accept hypothetic answers on these questions because calling to kaspersky was useless. Answers are desirable, but opinions are valuable also.

 

[jamescv7]

Thoughts:

Regarding from your configuration seems a bit misleading where your on demand scanners are primarily AV unless you use from other computers. (MBAM and Hitman Pro/Zemana AM are the alternatives)

For cleaning tools CCleaner should be fine for you, if you purchase Tuneup Utilities in legit then should be fine.

Extensions: Adguard and HTTPS everywhere.

--------------------------------------------------------------------------------------------------------

Regarding in Equation group malware questions:

1) http://www.symantec.com/connect/blo...respionage-group-has-all-tricks-book-and-more
https://www.trendmicro.com/vinfo/us...153/equation-group-takes-precise-calculations

Most common AV's in the market should able to detect at any place from their components (Cloud, or in-depth Heuristics/BB); these are two of more articles how it shows the details of protecting against these threats.

2 - 11 Highlights from this link: http://www.eweek.com/security/security-researchers-find-unexpected-weakness-in-equation-malware.html

However, there are limits to what the Equation malware can do. Raiu said that it does not appear that the malware can infect virtual storage or virtualized drives and it does not appear to be able to infect drives that are part of a RAID array. He added that this makes it appear that servers, and thus data centers, are not the target of the Equation malware. Instead, he said that it appears to be aimed at stand-alone computers or laptops.

Raiu also noted that the Equation malware may have bumped up against new technology. "Most modern hard drives from top brands around the world have some additional security measures and they check to see if the firmware is original," he said. "If it's not, they don't allow the firmware to work."

Your question no.8 should answered it from above quote.

First, the targeted computer is invaded by the GrayFish Trojan, either through phishing or an infected USB memory drive. Once it's in the computer, it takes over the Windows boot process. Once it's there, GrayFish uses an encrypted virtual file system that Symantec says is hidden inside the Windows registry.

Seems question no.7 is covered for this.

Regarding in Secure Boot, if there's something cause a problem then a backup to attempt to recover the original one on an image or OEM due to a malware which may modified the crucial parts of the system.

http://msdn.microsoft.com/library/windows/hardware/br259097.aspx (For more information)

 

[alexelsevier]

That my friend is something you, nor I will never know. If the Equation group does exsist, then it is probably a government agency i.e., the NSA.

I agree, please your opinion on these questions if you can.

Thoughts:

Regarding from your configuration seems a bit misleading where your on demand scanners are primarily AV unless you use from other computers. (MBAM and Hitman Pro/Zemana AM are the alternatives)

For cleaning tools CCleaner should be fine for you, if you purchase Tuneup Utilities in legit then should be fine.

Extensions: Adguard and HTTPS everywhere.

--------------------------------------------------------------------------------------------------------

Regarding in Equation group malware questions:

1) http://www.symantec.com/connect/blo...respionage-group-has-all-tricks-book-and-more
https://www.trendmicro.com/vinfo/us...153/equation-group-takes-precise-calculations

Most common AV's in the market should able to detect at any place from their components (Cloud, or in-depth Heuristics/BB); these are two of more articles how it shows the details of protecting against these threats.

2 - 11 Highlights from this link: http://www.eweek.com/security/security-researchers-find-unexpected-weakness-in-equation-malware.html



Your question no.8 should answered it from above quote.



Seems question no.7 is covered for this.

Regarding in Secure Boot, if there's something cause a problem then a backup to attempt to recover the original one on an image or OEM due to a malware which may modified the crucial parts of the system.

http://msdn.microsoft.com/library/windows/hardware/br259097.aspx (For more information)

Thank you for very valuable information. I look it now.

 

[Exterminator]

Are you updated to Windows 8.1?
Do you mean KAV & Comodo firewall for real time protection
Change your on demand scanners.I don't understand why you are uninstalling and re-installing each of these real time AV's one by one???
As @jamescv7 pointed out those that would be used as on demand scanners.ESET online scanner is also an on demand scanner but if you are running EAV in real time some other choices would be appropriate.
Consider CCleaner or Privazer

 

[alexelsevier]

Yes update. Yes I mean. On demand scanners I use by such way. I install one, scan, uninstall. install other. I simply do not want them to conflict. I shall consider mentioned antimalwares for on demand scanning.

 

[Exterminator]

Yes update. Yes I mean. On demand scanners I use by such way. I install one, scan, uninstall. install other. I simply do not want them to conflict. I shall consider mentioned antimalwares for on demand scanning.

Installing,scanning and uninstalling is not necessary for on demand scanners.If you use MBAM,Hitman Pro/Zemana AM,Emsisoft Emergency Kit,ESET online Scanner,etc. there is no need for repetitive installation and uninstall as these do not run in real time and are meant to be used just for scanning purposes only.
One real time AV/Security Suite and a combination of two or three on demand scanners is sufficient.

 

[Ink]

As you have Kaspersky Antivirus installed. I would uninstall the Antivirus component for Comodo Internet Security.

Outcome: Kaspersky Antivirus + Comodo Firewall

On-demand scanners do not run in the background nor real-time, therefore they do not need to be installed/uninstalled. However, if you use the full versions, ie. real-time AV software, then they are not intended as on-demand scanners. ...And you are doing this whole unnecessary process for no reason.

On-Demand Scanners:

• Malwarebytes Anti-Malware (Free download, quarantine and threat removal)
• ESET Online Scanner (Free download, quarantine and threat removal)

What is the difference between ESET Online Scanner and ESET NOD32 Antivirus?
The ESET Online Scanner is an on-demand scanner, while ESET Smart Security and ESET Antivirus software pro-actively protect your computer from being infected in the first place.​

• Optional- Bitdefender QuickScan (for Firefox)

Not to sure about all the questions in regards to the Equation malware group, but here's a short-list of sector's that potentially infected by this malware since 2001.

• Government and diplomatic institutions
• Telecoms
• Aerospace
• Energy
• Nuclear research
• Oil and gas
• Military
• Nanotechnology
• Islamic activists and scholars
• Mass media
• Transportation
• Financial institutions
• Companies developing encryption technologies

Source: https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/

 

[alexelsevier]

Comodo antivirus and kaspersky firewall functions are off.

Thoughts:

Regarding from your configuration seems a bit misleading where your on demand scanners are primarily AV unless you use from other computers. (MBAM and Hitman Pro/Zemana AM are the alternatives)

For cleaning tools CCleaner should be fine for you, if you purchase Tuneup Utilities in legit then should be fine.

Extensions: Adguard and HTTPS everywhere.

--------------------------------------------------------------------------------------------------------

Regarding in Equation group malware questions:

1) http://www.symantec.com/connect/blo...respionage-group-has-all-tricks-book-and-more
https://www.trendmicro.com/vinfo/us...153/equation-group-takes-precise-calculations

Most common AV's in the market should able to detect at any place from their components (Cloud, or in-depth Heuristics/BB); these are two of more articles how it shows the details of protecting against these threats.

2 - 11 Highlights from this link: http://www.eweek.com/security/security-researchers-find-unexpected-weakness-in-equation-malware.html



Your question no.8 should answered it from above quote.



Seems question no.7 is covered for this.

Regarding in Secure Boot, if there's something cause a problem then a backup to attempt to recover the original one on an image or OEM due to a malware which may modified the crucial parts of the system.

http://msdn.microsoft.com/library/windows/hardware/br259097.aspx (For more information)

Thank you for very valuable answers for questions 1 and 8. Using your quotation on issue 7 I can guess about a lot of things. Eweek and Microsoft material are usefull for common knowledge.

 

[hjlbx]

Comodo antivirus and kaspersky firewall functions are off.

Thank you for very valuable answers for questions 1 and 8. Using your quotation on issue 7 I can guess about a lot of things. Eweek and Microsoft material are usefull for common knowledge.

I really do understand what you are trying to accomplish. I've learned from experience that obsessing about protection against a particular malware group - such as Equation - or class of malware - such as nation-state surveillance software similar to Gamma International FinFisher Surveillance Suite is nothing but a waste of personal time, effort and needless worry.

Even if you pick the best AV it might detect and block such sophisticated malware as Equation and FinFisher... while in the meantime it can still allow a malware sample - written by someone working alone in their basement - that enables them to clean out all your bank accounts, steal your identity and ruin your credit worthiness.

Obviously, one should protect their system with the best security solution possible. However, in the end, there is only so much that can be done after a certain point with consumer grade security software... and despite all your best efforts your system will always be at risk against the most sophisticated malwares.

Even with advanced protection features - such as 64-bit hooking, really good HIPS, strong firewall - I have seen certain malwares that, if launched with Admin rights - will immediately disable AV, firewall, UAC, etc. Granted, they are rare, but the fact that they are out there means there is always a persistent risk to some degree.

In short, there is no absolute protection against all malware, vulnerabilities, data theft,...

 

[jamescv7]

Remember the prevalence of risk threat is very low when you are in a home network, but it will increase when the propagation of malware came from USB/ or malicious websites if its an accident or intentionally click. There are many ways to prevent but it needs your knowledge and preferably common sense to work everything.

Now if you want to learn more about this malware, its a little bit patience from analyzing and testing on a isolated environment.