Kaspersky claims to have found NSA's 'space station malware'

Kaspersky malware probers have uncovered a new 'operating system'-like platform that was developed and used by the National Security Agency (NSA) in its Equation spying arsenal. The EquationDrug or Equestre platform is used to deploy 116 modules to target computers that can siphon data and spy on victims. "It's important to …

  1. Thought About IT

    Subeditor needed!

    "Kaspesky claims"

    "platform they was developed"

    1. Destroy All Monsters Silver badge

      Re: Subeditor needed!

      The subeditor is still repairing the diesel on the VIIIC. He will bee bakk later this month.

    2. CAPS LOCK Silver badge

      Re: Subeditor needed!

      Drink, it's the curse of the Fourth Estate.

    3. Anonymous Coward

      Re: Subeditor needed!

      Indeed.

      The more interesting part is that they are now coming out with a "busted espionage suite" announcement once a month. Reverse engineering and analyzing a trojan like this takes considerable resources. Additionally, it is not something prevalent in the wild, you need to get samples from target machines. Most of these are from classified installations - you are not getting that without a collab agreement.

      I smell money and I smell collaboration with interesting institutions they did not have before. This starts to get interesting and frankly, in a battle of nefariousness between Fort Meade or Glocester and Novosibirsk, I would bet on Novosibirsk (or Kaluga, or Donetsk, or wherever around there). Anything else aside, the salaries you get doing (anti)malware in any of the latter locations have significantly higher buying power due to the lower relative living standard, so they can attract appropriate talent too. One that would not work for the equivalent of a 19k junior analyst job (actual GCSA number as advertised on el reg).

      Popcorn, please. This will be worth watching.

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Re: Subeditor needed!

        Popcorn, please. This will be worth watching.

        But who watches whom?

      2. Captain Hogwash Silver badge

        Re: Glocester

        Did you mean Gloucester? Or even Cheltenham?

      3. Anonymous Coward

        Re: Subeditor needed!

        "Reverse engineering and analyzing a trojan like this takes considerable resources. Additionally, it is not something prevalent in the wild, you need to get samples from target machines. Most of these are from classified installations - you are not getting that without a collab agreement."

        It's Kaspersky. Do you really think the FSB isn't feeding them samples & money, if not expertise?

        1. Anonymous Coward

          Re: Subeditor needed!

          @AC

          "Do you really think the FSB isn't feeding them samples & money"

          And what do you think the other lot over the pond are doing ?

          Given the US is home to most of the world's largest tech firms.......thud.

        2. Anonymous Coward

          Re: Subeditor needed!

          It's Kaspersky. Do you really think the FSB isn't feeding them samples & money, if not expertise?

          It's a shame you haven't met Eugene Kaspersky himself, the guy is a pretty straight player (which is smart, because if you start favouring one club, the other club gets pissed off even more).

          These guys DO have the resources, internally, and they've had them for years. The reason you get so much official spyware uncloaked is because there is precious little new left to do in the PC world, but an almost desperate search by governments to still find something that stays under the radar.

          (all IMHO of course - this world is too shadowy to ever know things for sure, but this is my assessment).

  2. Destroy All Monsters Silver badge
    Thumb Up

    Damn!

    With these kind of skills ... An acceptable systemd could be developed!

    1. Rhiakath Flanders

      Re: Damn!

      I can only suppose systemd is being "sponsored" by the NSA. What a wonderful collection of system-centric binaries, which no-one can understand.. What a perfect place to insert some sniffing code...

      Linux is going down the drain with systemd, I'm afraid... :(

    2. Anonymous Coward

      Re: Damn!

      The NSA should probably develop an OS riddled with spyware and give it away for free. Kind of like Android, but for the desktop.

      1. fajensen Silver badge
        Trollface

        Re: Damn!

        Google did the job for them!

      2. Chris G Silver badge

        Re: Damn!

        Why not? I often think Farcebook was sponsored by one of the alpha betties.

      3. tony2heads

        Re: Damn!

        This seems to have almost all the capabilities of an OS. Only missing email and Angry Birds.

        1. asdf Silver badge
          Trollface

          Re: Damn!

          >This seems to have almost all the capabilities of an OS. Only missing email and Angry Birds.

          Even Windows Phone has Angry Birds so almost might be pushing it.

  3. Avatar of They
    Trollface

    Even better idea.

    If they can develop a tiny piece of software with more power than the Windows OS, these guys should go and work at Microsoft. Just saying.

    1. Warm Braw Silver badge

      Re: Even better idea.

      How do you know they don't / didn't ?

      1. elDog

        Re: Even better idea.

        Maybe they should shift their monthly updates to Patch Wednesday (Tuesday's taken).

    2. boltar Silver badge

      Re: Even better idea.

      I'd be interested to know if internally they run Linux or the *BSDs for their own classified systems and what changes they've made to the kernel code. If these guys are this good they've probably made something virtually bullet proof.

      1. Destroy All Monsters Silver badge

        Re: Even better idea.

        Well, we do have Flask-based SELinux...

      2. Anonymous Coward

        Re: Even better idea.

        I'll take a guess... management run Windows (evidenced by all those leaked PPT slides) and the techies are forced to use a clunky locked-down Linux distro that doesn't have all the latest security patches, let alone patches for the secret vulns NSA created/discovered. This is a government agency we're talking about.

      3. Aitor 1 Silver badge

        Re: Even better idea.

        It is always easier to break the door than to build a new one.

        As for being good, I would say no. Good at being evil at most.

      4. Cynic_999 Silver badge

        Re: Even better idea.

        "I'd be interested to know if internally they run Linux or the *BSDs for their own classified systems and what changes they've made to the kernel code. If these guys are this good they've probably made something virtually bullet proof."

        I'd take a bet the opposite is true. The cobbler's kids are invariably the ones with no shoes.

  4. Barticus
    Coat

    Uplink

    It's the new version of Uplink. Arunmor and ARC are getting up to their old tricks.

  5. frank ly

    "Executable timestamps ..."

    Why wouldn't they obfuscate this data, at least in the 'released' version?

  6. Rich 11 Silver badge

    Late starts?

    Executable timestamps reveal NSA developers likely work hardest on the platform on Tuesdays to Fridays, perhaps having late starts to Monday.

    Or a brain-sapping number of Monday morning meetings leading to an essential liquid-lunch recovery session.

    1. Doctor Syntax Silver badge

      Re: Late starts?

      More meetings, please. Fill up Monday to Thursday with meetings and review them all on Friday mornings. So all the code gets written on Friday afternoon.

      1. Anonymous Coward

        Re: Late starts?

        All the code delivered Friday afternoon? Business as usual for the QA department then!

        1. BongoJoe

          Re: Late starts?

          That's us then?
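frank ly asks why the compile timestamps were not obfuscated, and Rich 11 quotes the article's weekday pattern. The block below is an added example, not code from the article, from Kaspersky or from any commenter: it reads the COFF TimeDateStamp out of a PE image, buckets stamps by weekday and hour after an assumed timezone shift, and treats the two values that timestomping and reproducible builds most often leave (0 and 0xFFFFFFFF) as "unknown" rather than as real times. The PE header bytes, the timestamps and the UTC-5 offset are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Added example (not from the article or the comments): pull the COFF
 * TimeDateStamp out of a PE image and bucket it by weekday/hour.  The PE
 * image used below is constructed by make_sample_pe(); no real sample is used. */

typedef struct { int counts[7][24]; } activity_t;   /* [tm_wday][tm_hour] */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* COFF TimeDateStamp of a PE image, or 0 if the buffer is not a well-formed
 * MZ/PE header.  0 is also what a timestomped or MSVC /Brepro build may carry,
 * so callers must treat 0 as "unknown", never as 1970-01-01. */
uint32_t pe_timestamp(const uint8_t *img, size_t len) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;          /* "MZ" */
    uint32_t pe_off = rd32(img + 0x3C);                        /* e_lfanew */
    if (pe_off > len || len - pe_off < 24) return 0;           /* "PE\0\0" (4) + COFF header (20) */
    if (rd32(img + pe_off) != 0x00004550u) return 0;           /* "PE\0\0" little-endian */
    return rd32(img + pe_off + 8);                             /* COFF.TimeDateStamp */
}

/* Weekday (0 = Sunday) of a timestamp shifted by tz_hours, hour via *hour;
 * -1 if the value is one of the common "not a real time" markers. */
int ts_weekday_hour(uint32_t ts, int tz_hours, int *hour) {
    if (ts == 0u || ts == 0xFFFFFFFFu) return -1;
    time_t t = (time_t)ts + (time_t)tz_hours * 3600;
    struct tm *tmv = gmtime(&t);
    if (!tmv) return -1;
    if (hour) *hour = tmv->tm_hour;
    return tmv->tm_wday;
}

/* Adds one sample to the activity table; returns 1 if counted, 0 if skipped. */
int record_activity(activity_t *a, uint32_t ts, int tz_hours) {
    int hour = 0;
    int wday = ts_weekday_hour(ts, tz_hours, &hour);
    if (wday < 0) return 0;
    a->counts[wday][hour]++;
    return 1;
}

int day_total(const activity_t *a, int wday) {
    int n = 0;
    for (int h = 0; h < 24; h++) n += a->counts[wday][h];
    return n;
}

/* Constructed sample: DOS header with e_lfanew = 0x40, then "PE\0\0" and a
 * 20-byte COFF header (Machine = 0x8664, one section, the given timestamp). */
size_t make_sample_pe(uint8_t *buf, size_t cap, uint32_t ts) {
    const size_t need = 0x40 + 24;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = 0x64; buf[0x45] = 0x86;    /* IMAGE_FILE_MACHINE_AMD64 */
    buf[0x46] = 1;                          /* NumberOfSections */
    wr32(buf + 0x48, ts);                   /* TimeDateStamp */
    return need;
}

/* Hour of a stamp after the timezone shift, or -1 if it is a marker value. */
int demo_hour(uint32_t ts, int tz_hours) {
    int hour = 0;
    return ts_weekday_hour(ts, tz_hours, &hour) < 0 ? -1 : hour;
}

/* Constructed stamps relative to 2008-05-01 00:00 UTC (a Thursday): three
 * Friday-afternoon builds, one Monday build, one zeroed stamp.  Returns the
 * Friday total as seen from an assumed UTC-5 developer. */
int demo_friday_total(void) {
    static const uint32_t stamps[] = {
        1209740400u,                 /* Fri 2008-05-02 15:00 UTC */
        1209740400u + 3600u,         /* Fri 16:00 UTC */
        1209740400u + 7200u,         /* Fri 17:00 UTC */
        1209740400u + 3u * 86400u,   /* Mon 2008-05-05 15:00 UTC */
        0u                           /* timestomped: skipped */
    };
    activity_t a; memset(&a, 0, sizeof a);
    uint8_t img[0x40 + 24];
    for (size_t i = 0; i < sizeof stamps / sizeof stamps[0]; i++) {
        size_t n = make_sample_pe(img, sizeof img, stamps[i]);
        record_activity(&a, pe_timestamp(img, n), -5);   /* assumed UTC-5 */
    }
    return day_total(&a, 5);   /* 5 = Friday */
}
```

The weekday answer depends entirely on the timezone you assume, so the honest form of the analysis is to try several offsets and see which one lines up with a working day, and to do it over many modules rather than one. A single TimeDateStamp is four bytes anyone can edit, and a build that sets it to zero or to a content hash (as reproducible builds do) simply drops out of the histogram; corroborating it against the export-directory and debug-directory timestamps in the same file is the usual cross-check.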

  7. Tachikoma

    I have always wondered about these announcements. Does Kaspersky/whoever add a rule to their virus/malware database to get rid of these things if found? I can't imagine the government would openly acknowledge the existence of the software and say "don't delete it, it helps us catch ne'er-do-wells" but at the same time they could lean on the anti-virus companies to produce a fake certificate that merely pretends to clean an infected system "for national security"

    1. Yet Another Anonymous coward Silver badge

      That's Kaspersky's big selling point, they are a Russian company so are about as likely to bend over for the NSA as Microsoft would be to do a favour for the KGB.

  8. Anonymous Coward

    oooo

    A new OS!! will it run on my chromebook!!!!

    1. TRT Silver badge

      Re: oooo

      It already is.

    2. SteveK

      Re: oooo

      And can it run Crysis?

      1. Anonymous Coward

        Re: oooo

        In Soviet US, permanent crisis runs you!

  9. Anonymous Coward
    Linux

    I think Kaspersky have actually just discovered and documented systemd. The feature list sure reads like it.

    1. norman

      Finally, let's hope Kaspersky will open source the new ELI5 systemd documentation for the rest of us to finally get it.

  10. jzlondon

    Job Opening!

    Editor required at The Register. Must be able to start immediately.

  11. boltar Silver badge

    I don't care about the morality of it

    I just want to get a job at the NSA! This looks like exciting work.

    1. Brent Longborough
      Big Brother

      Re: I don't care about the morality of it

      "Then they came for me—and there was no one left to speak for me."

    2. Destroy All Monsters Silver badge
      Trollface

      Re: I don't care about the morality of it

      Sure beats chilling out users because "muh budget has been cut" as I don't have a Keystone XL to the federal reserve.

  12. NoneSuch Silver badge

    Welcome to the United States of Paranoia. One nation under Big Brother. Where all vulnerabilities are created equal with privacy and protections for none.

    And this is only the beginning.

  13. Anonymous Coward

    The beginning of the end for Windows

    Who wants to use windows now? They would have to give it away....oh

    1. Pascal

      Re: The beginning of the end for Windows

      Yeah, because in a theoretical future where even just 25% of workstations run (say, Linux), the NSA will just go "Oh well, we had a good run" and give up.

      1. Destroy All Monsters Silver badge

        Re: The beginning of the end for Windows

        "MUST BE AT LEAST OF THIS HEIGHT TO STORM CASTLE"

      2. Mark 65

        Re: The beginning of the end for Windows

        Yeah, because in a theoretical future where even just 25% of workstations run (say, Linux), the NSA will just go "Oh well, we had a good run" and give up.

        True, but given the Windows centric bent of those module listings I'd be happier to make more work for them than offer it up on a plate.

        To anyone who says "Why would they be interested in you?" I offer "Who knows who they are interested in, it seems like they want to tap everything everywhere?". Mass surveillance is, after all, designed to prevent you getting any big ideas on non-conformity.

    2. Anonymous Coward

      Re: The beginning of the end for Windows

      Linux would be more fun, all the backdoors they could sneak into open source code.

      1. Cynic_999 Silver badge

        Re: The beginning of the end for Windows

        "Linux would be more fun, all the backdoors they could sneak into open source code."

        Yes, it is very easy to put in backdoors if you have the source code. I have no doubt that the NSA has the source code for Windows. The flip side however is that if *everyone* has access to the source code, such backdoors are likely to be found PDQ as well, which would spell the rapid death of any distro they are found in.

        1. raphidae

          Re: The beginning of the end for Windows

          We will never know whether Heartbleed was an honest mistake or a vulnerability. NSA can (and probably is) inserting vulnerabilities in lots of open source stuff that can reasonably be explained away as mistakes.

          Some of these will sit in the code for years until they are found. Open source has some serious weaknesses.

          Check out: https://www.youtube.com/watch?v=fwcl17Q0bpk

          And remember that this is from BEFORE Heartbleed and some other major vulnerabilities in OpenSSL were found. It's almost prophetic :)

  14. Anonymous Coward

    This discovery is unfortunate

    Now the bad guys will be removing useful programs to deter crime. We certainly do not want to help the bad guys. With Russia's brutal and unacceptable imperialistic actions of recent days, we may soon learn about some of their spyware.

    1. Destroy All Monsters Silver badge
      Holmes

      Re: This discovery is unfortunate

      >> Russia's brutal and unacceptable imperialistic actions of recent days

      You must not mistake "Red Dawn" for CNN regional news, Amurrican!

    2. Bob Dole (tm)

      Re: This discovery is unfortunate

      >>Now the bad guys will be removing useful programs to deter crime. We certainly do not want to help the bad guys. With Russia's brutal and unacceptable imperialistic actions of recent days, we may soon learn about some of their spyware.

      ProTip: They are ALL bad guys.

  15. BongoJoe

    So, Kaspersky

    Can you remove this code and not replace it by anything written by anyone east of the Urals?

    And, more to the point. Where does this stuff come from?

    1. Anonymous Coward

      Re: So, Kaspersky

      Herr Poettering, of course.

  16. Crazy Operations Guy Silver badge

    Hypervisor as malware

    I've always wondered if it would be possible to use a hypervisor to produce a more advanced version of this. Wouldn't be all that difficult now that pretty much every processor supports the virtualization extensions and they can be turned on by way of UEFI. Just spoof the device IDs to the guest and re-direct all of the system's peripherals and you could get a very difficult to detect rootkit that can access whatever it wants.
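The comment above describes a hypervisor rootkit that lies to the guest about what hardware it sees. The standard counter is that the hypervisor cannot hide the cost of the VM exits it forces. The C below is an added example, not code from the article, from Kaspersky or from any commenter: from inside a guest it first asks the CPU the polite questions (the CPUID hypervisor-present bit and the vendor leaf), which a hostile hypervisor simply answers falsely, and then times the CPUID instruction itself, which under VT-x/AMD-V unconditionally traps to the hypervisor. The sample count and the cycle threshold are assumptions, and the code compiles to a "unsupported-arch" result on non-x86 builds.

```c
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>       /* __get_cpuid, __cpuid */
#include <x86intrin.h>   /* __rdtsc */
#define HV_PROBE_X86 1
#else
#define HV_PROBE_X86 0
#endif

/* Added example (not from the article or the comments): two ways a guest can
 * notice a hypervisor underneath it.  The first asks the CPU directly and is
 * easy for a malicious hypervisor to lie about; the second measures the cost
 * of an instruction that always traps to the hypervisor, which is harder to hide. */

typedef struct {
    int supported;          /* 0 when not built for x86 */
    int hv_bit;             /* CPUID.01H:ECX[31], the "hypervisor present" bit */
    char vendor[13];        /* CPUID.40000000H vendor string, "" if the leaf is not answered */
    uint64_t cpuid_cycles;  /* median TSC ticks around one CPUID (any VM exit included) */
} hv_probe_t;

#define HV_SAMPLES 64
/* Assumed, empirical threshold: a CPUID costing more than this many TSC ticks
 * almost always went through a VM exit.  Native CPUID is a few hundred ticks;
 * an exit plus re-entry adds well over a thousand on common hardware. */
#define HV_CYCLE_THRESHOLD 1000u

#if HV_PROBE_X86
static uint64_t time_one_cpuid(void) {
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);   /* leaf 0 is cheap natively and always exits under VT-x/AMD-V */
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}
#endif

/* Median of a small array (insertion sort; n is tiny).  Median rather than
 * mean so one interrupt or core migration mid-sample does not skew the verdict. */
uint64_t median64(uint64_t *v, int n) {
    for (int i = 1; i < n; i++) {
        uint64_t x = v[i]; int j = i - 1;
        while (j >= 0 && v[j] > x) { v[j + 1] = v[j]; j--; }
        v[j + 1] = x;
    }
    return v[n / 2];
}

/* Fills *r; returns 1 if the probe ran, 0 on a non-x86 build. */
int hv_probe(hv_probe_t *r) {
    memset(r, 0, sizeof *r);
#if HV_PROBE_X86
    unsigned a, b, c, d;
    uint64_t samples[HV_SAMPLES];
    r->supported = 1;
    if (__get_cpuid(1, &a, &b, &c, &d))
        r->hv_bit = (int)((c >> 31) & 1u);
    /* Leaf 0x40000000 is reserved for hypervisors.  On bare metal it is out of
     * range and EAX comes back far below 0x40000000, so this test is safe. */
    __cpuid(0x40000000u, a, b, c, d);
    if (a >= 0x40000000u) {
        memcpy(r->vendor, &b, 4);
        memcpy(r->vendor + 4, &c, 4);
        memcpy(r->vendor + 8, &d, 4);
        r->vendor[12] = '\0';
    }
    for (int i = 0; i < HV_SAMPLES; i++) samples[i] = time_one_cpuid();
    r->cpuid_cycles = median64(samples, HV_SAMPLES);
#endif
    return r->supported;
}

/* What the probe saw.  Limits: a hypervisor rootkit can clear the bit, refuse
 * leaf 0x40000000 and even rewrite the TSC on exit (TSC offsetting), so
 * "none-observed" means only that nothing was observable from inside the guest. */
const char *hv_verdict(const hv_probe_t *r) {
    if (!r->supported) return "unsupported-arch";
    if (r->hv_bit || r->vendor[0]) return "hypervisor-advertised";
    if (r->cpuid_cycles > HV_CYCLE_THRESHOLD) return "hypervisor-suspected-by-timing";
    return "none-observed";
}

/* Runs the probe and checks its invariants; 1 if sane, 0 otherwise. */
int demo_probe_sane(void) {
    hv_probe_t r;
    int ran = hv_probe(&r);
    if (ran != r.supported) return 0;
    if (r.hv_bit != 0 && r.hv_bit != 1) return 0;
    if (strlen(r.vendor) > 12) return 0;
    if (r.supported && r.cpuid_cycles == 0) return 0;
    return hv_verdict(&r) != NULL;
}

uint64_t demo_median(void) {
    uint64_t v[5] = { 9, 1, 5, 7, 3 };
    return median64(v, 5);
}
```

On a laptop with no hypervisor the verdict is "none-observed" with a median well under the threshold; under KVM, Hyper-V or VMware the vendor leaf answers and the timing is typically several times higher. The timing check is the interesting one for the rootkit case: a hypervisor that masks the vendor leaf still has to take the exit, and hiding that costs it either a TSC offset (which a guest can cross-check against an external clock) or emulating CPUID without exiting, which the hardware does not allow.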

  17. Anonymous Coward

    Search warrant?

  18. Anonymous Coward

    I wasn't here

    You didn't see me.

    Quick!

    LOOK OVER THERE....

  19. doggod42

    This goes way beyond computers

    The problem is when you give a group of people this much power ... the ability to snoop anywhere on anyone and not get caught ... you've given them everything. No one, not Parliament, not Congress, not the President, not the courts, dares to defy them because they control the architecture of everything that matters. They can destroy, they can promote, they can reveal, they can hide. You're now a slave.

    But who are "they"? Yes, now it gets really interesting because supreme power lies in a shadowy underworld. No one knows, and no one can know what or where the real levers of power are.

    You would think the politicians, the powermongers par excellence, would have thought of this and would have done something to stop it. I believe they have thought of it. I believe they know the only way to stop it is to shut off the money, but you hear few if any politicians proposing to do that. Because, well, you catch my drift?

  20. atlatl265

    Late Starts

    Software QA used to be: does the software do what it is supposed to do, properly and every time. Now the QA dept. has to do debugging and check for software security. Usually by Monday morning, so that the Manufacturing dept. can boot it up first thing, i.e., install, patch, whatever.

  21. Anonymous Coward

    Some of this type of malware is very badly written and causes clear changes in the behaviour of a computer. Sometimes I've had to issue "customer" complaints about the low quality. That's easy to do, just type your complaint into a web search engine.

  22. boatsman
    Linux

    have a hard time believing it is only/mostly windows that is targeted........

    where are the linux hacks / spook code & tools ?

    is it only SE linux they did ? I do not believe it.... :-)


Biting the hand that feeds IT © 1998–2019