Posts Tagged ‘hard drive’

Equation Group Malware is Beyond Anything We’ve Seen.

The discovery of Stuxnet in the wild was a watershed moment: the first known piece of malware built by one state to physically damage equipment belonging to another. The fact that a piece of software could wreak such destruction in the real world was what drew most people’s interest; however, the way in which it achieved this was, in my opinion, far more interesting than the results it caused. Stuxnet showed that nation-state-sponsored malware was capable of things far beyond what we had attributed to malicious hackers in the past, and it made us wonder what such actors were really capable of. Thanks to Kaspersky Lab we now have a really good (read: scary) idea of what a nation state can develop, and it is beyond what many of us thought possible.

Equation Group Victims Map

The Equation Group has been identified as being linked to several different pieces of malware that have surfaced in various countries around the world. They have been in operation for over a decade and have continuously improved their toolset over that time. Interestingly, this group appears to have ties to the development teams behind both Stuxnet and Regin, as some of the exploits found in early versions of the Equation Group’s tools were also found in those pieces of malware. However, those zero-day exploits were really just the tip of the spear in the Equation Group’s arsenal, as what Kaspersky Lab has discovered is far beyond anything else we have seen.

Perhaps the most fascinating capability the group has developed is reflashing hard-drive firmware, which lets their malware persist through reboots, operating system reinstalls and even low-level formats. If that wasn’t nasty enough, there is currently no way to detect an infection of that nature, as few hard drives provide any way to read the firmware back once it has been written. Worse, the firmware revision string a drive reports over SMART or IDENTIFY comes from the firmware itself, so a reflashed drive can simply report whatever the attacker wants. That means once the firmware has wormed its way into your drive there is very little you can do to detect or remove it, save replacing the drive (or the whole PC) with one from a random vendor and keeping it isolated from every other device.

This then feeds into their other tools, which give them unprecedented control over every facet of a Windows installation. GrayFish, as it has been dubbed, hijacks the boot process from the volume boot record (a bootkit) and from there controls how Windows loads and operates. Essentially, once a system is under GrayFish’s control it no longer runs its own boot sequence unmodified; every stage is hooked by GrayFish’s toolkit. This allows the Equation Group to inject code into almost every part of the system, evading detection and giving them the ability to load any of their other malware modules. This shows a level of understanding of the operating system that would rival top Microsoft engineers, even those who have direct access to the source code. Although, to be honest, I wouldn’t be surprised if they had access to the source code themselves given the level of sophistication here.
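A boot-record hijack of the kind described above has to rewrite the boot code on disk, which is something a baseline check can catch. The following is an added example, not code from this post or from Kaspersky’s analysis of GrayFish: it parses a 512-byte MBR, validates the 0x55AA signature and partition table, and compares hashes of the boot-code and partition-table regions against a baseline recorded when the machine was trusted. The same region hashing applies to a VBR read from a partition’s first sector (only the partition-table parsing is MBR-specific). The sample sectors are constructed stand-ins, not real boot code.

```python
"""Boot-sector baseline check (added example; not code from the post or from
Kaspersky's report). A bootkit that takes over the boot path has to rewrite
the boot code in the MBR or a volume boot record, so hashing that region
offline and comparing it with a baseline taken when the machine was trusted
is a cheap integrity check. The sectors below are constructed for the example.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries
PART_TABLE_LEN = 64
SIG_OFF = 510                  # 0x55AA boot signature
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def build_sector(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(struct.pack(PART_ENTRY_FMT, *p) for p in partitions)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + table.ljust(PART_TABLE_LEN, b"\x00") + b"\x55\xaa")


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code and partition entries, rejecting malformed input."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty entry
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def record_baseline(sector: bytes) -> dict:
    """Hashes of the two regions a later check compares against; keep this offline."""
    parse_mbr(sector)  # validates structure first
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(
            sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN]).hexdigest(),
    }


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means both regions match the baseline."""
    current = record_baseline(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code modified")          # the bootkit case
    if current["partition_table_sha256"] != baseline["partition_table_sha256"]:
        findings.append("partition table modified")    # usually a benign repartition
    return findings


# Constructed sample sectors (stand-ins; not real boot code).
_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40    # fake boot stub
_NTFS = (0x80, 0x07, 2048, 409_600)
CLEAN = build_sector(_STUB, [_NTFS])
TAMPERED = build_sector(b"\xe9\x00\x02" + _STUB[3:], [_NTFS])  # a jmp patched in
REPARTITIONED = build_sector(_STUB, [_NTFS, (0x00, 0x83, 411_648, 1_000_000)])

if __name__ == "__main__":
    baseline = record_baseline(CLEAN)
    for name, sec in (("clean", CLEAN), ("tampered", TAMPERED),
                      ("repartitioned", REPARTITIONED)):
        print(name, compare_to_baseline(sec, baseline) or "ok")
```

To use it on a real machine, read the sector from a trusted boot medium rather than from the running system (`dd if=/dev/sda bs=512 count=1 of=mbr.bin`), since a bootkit that hooks disk reads can hand back a clean-looking copy. This check has an obvious limit the post already points at: it assumes the drive itself is honest, and a drive running attacker-controlled firmware is not.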

These things barely begin to describe the capabilities that the Equation Group has developed over more than a decade; their level of knowledge, sophistication and penetration into networks worldwide is well above anything the general public has known about before. It would be terrifying if it wasn’t so interesting, as it shows just what can be accomplished when you have the backing of an entire nation behind you. I’m guessing it won’t be long before we uncover more of what the Equation Group is capable of and, suffice to say, whatever they come up with next will once again set the standard for what malware can be.

A Tale of Woe and Eco-Friendly Hard Drives.

Up until recently most of my data at home hadn’t been living in the safest environment. You see like many people I kept all my data on single hard drives, their only real protection being that most of them spent their lives unplugged, sitting next to my hard drive docking bay. Of course tragedy struck one day when my playful feline companion decided that the power cord for one of the portable hard drives looked like something to play with and promptly pulled it onto the floor. Luckily nothing of real importance was on there (apart from my music collection that had some of the oldest files I had ever managed to keep) but it did get me thinking about making my data a little more secure.

The easiest way to provide at least some level of protection was to get my data onto a RAID set so that at least a single disk failure wouldn’t take out my data again. I figured that if I put one large RAID in my media box and a second in my main PC (which I was planning to do anyway) then I could keep copies of the data on each of them, as RAID on its own is not a backup solution. A couple thousand dollars and a weekend later I was in possession of a new main PC and all the fixings of a new RAID set on my media PC ready to hold my data. Everything was looking pretty rosy for a while, but then the problems started.

Now the media PC that I had built was something of a beast, sporting enough RAM and a good enough graphics card to be able to play most recent games at high settings. Soon after I had completed building it I was going to a LAN with a bunch of mates of mine, one of whom was travelling from Melbourne and wasn’t able to bring his PC with him. Too easy, I thought: he can just use this new awesome beast of a box to play games with us and everything shall be good. In all honesty it was, until I saw him reboot it once and the RAID controller flashed up a warning about the RAID being critical, which sent chills down my spine.

Looking at the RAID UI in Windows I found that yes, indeed, one of the disks had dropped out of the RAID set, but there didn’t seem to be anything wrong with it. Confused, I started the rebuild on the RAID set and it managed to complete successfully after a few hours, leaving me to think that I might have bumped a cable or something to trigger the “failure”. When I got it home however the problem kept recurring, but it was random and never seemed to follow a distinct pattern, except for it being the same disk every time. Eventually it stabilised and so I figured that it was just a transient problem and left it at that.

Unfortunately for me it happened again last night, but it wasn’t the same disk this time. Figuring it was a bung RAID controller I was preparing to siphon my data off it in order to rebuild it as a software RAID when my wife asked me if I had actually tried Googling around to see if others had had the same issue. I had done so in the past but I hadn’t been very thorough with it so I decided that it was probably worth the effort, especially if it could save me another 4 hours of babying the copy process. What I found has made me deeply frustrated, not just with certain companies but also myself for not researching this properly.

The drives I bought all those months ago were Seagate ST2000DL003 2TB Green drives, which are cheap, low-power drives that seemed perfect for a large amount of RAID storage. However there is a problem with these kinds of drives when they are put into a RAID set. Hard drives have error correction built into them, and when a desktop-class drive like this hits a sector it can’t read cleanly it will retry and attempt deep recovery for a long time, on the order of tens of seconds to minutes, because on its own it has no other copy of the data to fall back on. RAID controllers are programmed to mark a disk as failed if it stops responding for longer than a fixed timeout, often under ten seconds. That means should a drive start a long recovery and not respond quickly enough, the RAID controller will mark the disk as failed and remove it, putting the array into a critical state even though the disk itself is fine.

Seeing the potential for this to cause problems, drive manufacturers added a control for it: Western Digital calls it Time-Limited Error Recovery (TLER), Seagate calls it Error Recovery Control (ERC), and the ATA standard exposes it as SCT Error Recovery Control. It limits the amount of time the drive will spend attempting to recover a sector; if the read can’t be completed within that window the drive reports an error instead, the controller rebuilds the data from the other disks in the set and rewrites the sector, and the disk stays in the array. On the drives I had bought this setting is off by default, and a quick Google showed that any attempt to change it is futile. On most other brands the value can be changed, but on these particular Seagate drives it is unfortunately locked in that state.
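The practical question for anyone building an array out of consumer drives is whether the drive’s recovery limit sits under the controller’s timeout. The following is an added example, not code from this post: it parses the output of `smartctl -l scterc /dev/sdX` (smartmontools), decides whether a bad-sector recovery could outlast the controller and get the disk kicked out, and builds the smartctl command that sets the limit on drives that accept it. The three smartctl outputs are constructed samples that mirror smartctl’s format, and the 8-second controller timeout is an assumption; use your controller’s real value.

```python
"""Check a drive's SCT Error Recovery Control setting against a RAID
controller's command timeout. Added example, not code from the post; it
parses the output of `smartctl -l scterc /dev/sdX` (smartmontools). The
sample outputs are constructed to mirror smartctl's format, and the
8-second controller timeout is an assumption.
"""
import re

# Constructed sample outputs (not captured from the author's drives).
ERC_ENABLED = """SCT Error Recovery Control:
           Read:     70 (7.0 seconds)
          Write:     70 (7.0 seconds)
"""
ERC_DISABLED = """SCT Error Recovery Control:
           Read: Disabled
          Write: Disabled
"""
ERC_UNSUPPORTED = "SCT Error Recovery Control command not supported\n"

# One line per direction; the number is in units of 100 ms (deciseconds).
_ERC_LINE = re.compile(r"^\s*(Read|Write):\s+(Disabled|\d+)", re.MULTILINE)


def parse_scterc(output: str) -> dict:
    """Map 'read'/'write' to a limit in seconds, or None when recovery is unbounded.
    Returns {} if smartctl reported that the drive has no SCT ERC at all."""
    limits = {}
    for direction, value in _ERC_LINE.findall(output):
        limits[direction.lower()] = None if value == "Disabled" else int(value) / 10.0
    return limits


def raid_verdict(output: str, controller_timeout_s: float = 8.0) -> dict:
    """Decide whether a bad-sector recovery could outlast the controller's timeout.
    status is one of: safe, unsafe, disabled, unsupported."""
    limits = parse_scterc(output)
    if not limits:
        return {"status": "unsupported",
                "detail": "drive has no SCT ERC; a deep recovery can run for minutes"}
    if any(v is None for v in limits.values()):
        return {"status": "disabled",
                "detail": "recovery time is unbounded; controller will drop the disk after "
                          f"{controller_timeout_s:.0f}s of silence"}
    longest = max(limits.values())
    if longest < controller_timeout_s:
        return {"status": "safe",
                "detail": f"drive gives up after {longest:.1f}s, "
                          f"under the {controller_timeout_s:.1f}s timeout"}
    return {"status": "unsafe",
            "detail": f"drive may recover for {longest:.1f}s, "
                      f"not under the {controller_timeout_s:.1f}s timeout"}


def set_scterc_command(read_s: float, write_s: float, device: str) -> str:
    """The smartctl invocation that sets the limits; smartctl takes deciseconds."""
    return f"smartctl -l scterc,{int(read_s * 10)},{int(write_s * 10)} {device}"


if __name__ == "__main__":
    for name, sample in (("enabled", ERC_ENABLED), ("disabled", ERC_DISABLED),
                         ("unsupported", ERC_UNSUPPORTED)):
        print(name, raid_verdict(sample))
    print(set_scterc_command(7, 7, "/dev/sdb"))
```

Two caveats when running this for real: on most drives the SCT ERC value does not survive a power cycle, so the set command has to be re-applied at every boot (a udev rule or startup script is the usual place), and on drives whose firmware refuses the command, as the author found with these Seagates, smartctl reports an error and the verdict stays at “disabled” or “unsupported”, which is the honest answer about whether the disk belongs in a hardware RAID.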

So where does this leave me? Well apart from hoping that Seagate releases a firmware update that allows me to change that particular value I’m up the proverbial creek without a paddle. Replacing these drives with similar drives from another manufacturer will set me back another $400 and a weekend’s worth of work so it’s not something I’m going to do immediately. I’m going to pester Seagate and hope that they’ll release a fix for this because other than that one issue they’ve been fantastic drives and I’d hate to have to get rid of them because of it. Hopefully they’re responsive about it but judging by what people are saying on the Seagate forums I shouldn’t hold my breath, but it’s all I’ve got right now.

OCZ Vertex 3: Don’t Play With My Heart (Or The SSD Conundrum).

My main PC at home is starting to get a little long in the tooth, having been ordered back in the middle of 2008 and only having received a graphics card and a hard drive upgrade since then. Like all PCs I’ve had, it suffered a myriad of problems that I usually just put up with until I stumbled across a workaround, but I think the vast majority of them can be traced to a faulty motherboard (it won’t POST with more than 4GB of RAM in it) and a batch of faulty hard drives (that would randomly park their heads, causing it to freeze). At the time I had the wonderful idea of buying the absolute latest so I could upgrade cheaply for the next few years, but thanks to the consolization of games I found that wasn’t really necessary.

To be honest it’s not even really necessary now either, with all the latest games still running at full resolution and most at high settings to boot. I am starting to lag on the technology front however with my graphics card not supporting DirectX 11 and everything but the RAM being 2 generations behind (yes, I have a Core 2 Duo). So I took it upon myself to build a rig that combined the best performance available of the day rather than trying to focus on future compatibility. Luckily for me it looks like those two are coinciding.

Just because, like any good geek, I love talking shop when it comes to building new PCs, here are the specs of the potential beast in the making:

  • Intel Core i7 2600K
  • Asrock P67 Motherboard
  • Corsair Vengeance 1600MHz DDR3 16GB
  • Radeon HD6950
  • 4 x 1TB Seagate HDD in RAID 10
  • OCZ Vertex 3 120GB

The first couple of choices I made for this rig were easy. Hands down the best performance out there is with the new Sandy Bridge i7 chips, with the 2600K being the top of the lot thanks to its unlocked multiplier and hyperthreading, which the chips below the 2600 lack. The choice of graphics card was a little harder, as whilst the Radeon comes out leagues ahead on a price-to-performance ratio the NVIDIA cards still had a slight performance lead overall, but hardly enough to justify the price. Knowing that I wanted to take advantage of the new SATA 6Gbps range of drives that were coming out, my motherboard choice was almost made for me, as the Asrock P67 seems to be one of the few that has more than four of the ports available (it has six, in fact).

The choice of SSD however, whilst extremely easy at the time, became more complicated recently.

You see, back in the initial pre-production review round the OCZ Vertex 3 came out swinging, blasting away all the competition in a seemingly unfair comparison with its predecessors. I was instantly sold, especially considering the price was looking to be quite reasonable, around the $300 mark for a 120GB drive. Sure, I could opt for the bigger drive and dump my most frequently played games on it, but in reality a RAID10 array of SATA 6Gbps drives should be close enough without having to overspend on the SSD. As with any pre-production review, I made sure to keep my ear to the ground just in case something changed once they started churning them out.

Of course, something did.

The first production review that grabbed my attention was from AnandTech, renowned for their deep understanding of SSDs and for producing honest and accurate reviews. The results for my drive size of choice, the 120GB, were decidedly mixed on a few levels, with it falling down in several places where the 240GB version didn’t suffer any such problems. Another review confirmed the figures were in the right ballpark, although it unfortunately lacked a comparison to the 240GB version. The reason behind the performance discrepancy is simple: whilst functionally the same drive, the difference comes from the amount of NAND. The 240GB version has twice as many NAND dies as the 120GB version, which gives the controller more parallelism across its channels and therefore higher throughput, and it additionally gives the drive a larger spare area that it can use to optimise its performance¹.

So of course I started to rethink my position. The main reason for getting a real SSD over something like the PCIe-bound RevoDrive was that I could use it down the line as a jumbo flash drive if I wanted to, and I wouldn’t have to sacrifice one of my PCIe slots to use it. The obvious competitor to the OCZ Vertex 3 would be something like the Intel 510 SSD, but the reviews haven’t been very kind to this device, putting it barely in competition with previous-generation devices.

After considering all my options I think I’ll still end up going with the OCZ Vertex 3 at the 120GB size. Whilst it might not lead in every category, it does provide tremendous value when compared to a lot of other SSDs and it will be in another league when compared to my current spinning-rust hard drive. Once I get around to putting this new rig together you can rest assured I’ll put the whole thing through its paces, if at the very least to see how the OCZ Vertex 3 stacks up against the numbers that have already been presented.

¹Ever wondered why some SSDs are odd sizes? They are in fact built from good old-fashioned binary amounts of flash (128GB and 256GB respectively); the drive reserves a portion of that (8GB and 16GB) as spare area for wear levelling and for garbage collection, where data is consolidated before being committed. That spare area also provides replacement blocks for flash cells that have worn out (worn cells don’t usually die outright, you just can’t reliably write to them any more), so the drive’s usable capacity doesn’t degrade.

Solid State Drives, Not Just All Talk.

Last year Intel made headlines by releasing the X25-E, an amazing piece of hardware that showed everyone that it was possible to get a large amount of flash and use it as a main disk drive without having to spend thousands of dollars on custom hardware. Even though the price tag was outside most enthusiasts’ price ranges, it still came out as the piece of hardware that everyone wanted and dreamed about.

Fast forward a year and several other players have entered the SSD market. Competition is always a good thing, as it leads to companies fighting it out by offering products at varying price points in order to entice people into the market. However, although there appeared to be competition on the outside, a deeper look showed that most of the other drives shared a controller (the JMicron JMF602B, paired with MLC flash), with only Samsung and Intel using their own. Unfortunately that controller focused on sequential throughput (transferring big files and the like) at the cost of random write performance. This in turn made operating systems installed on those drives appear to freeze for seconds at a time, since any operating system is constantly writing small things to disk in the background.

However, as a recent AnandTech review showed, one company has stepped up to the plate and addressed these issues, giving a low-cost option (circa $400 for a 60GB drive, as opposed to Intel’s $900 for 32GB) for people wanting to try SSDs without putting up with a freezing computer. One of my tech friends just informed me that a recent update to the drive’s firmware saw improvements of up to 3 to 4 times that of the original drive, an amazing improvement by any metric.

So are these things worth the money? Pretty much everyone I’ve talked to believes they are. These things really aren’t meant to be your main storage drive, and once the paradigm shifts away from disks being slow I believe you’ll see many more systems built around a tiered storage arrangement. Have your OS and favourite applications on the SSD and keep your giant lumbering magnetic disks trundling along in the background holding all your photos, music and the like. There has always been a strong disconnect between the blistering-fast memory of your computer and the slow crawl of the hard disk, and it would seem that SSDs will bridge that gap, making the modern PC a much more usable device.

I am fortunate enough to be working with some of the latest gear from HP which includes solid state drives (for work, of course! :)). For the hardware geeks out there we’ve just taken delivery of 2 HP C7000 Blade Chassis, 4 BL495c FLEX10 blades with 32GB of memory and dual 32GB SSD drives (they’re Samsung SLC drives) and all the bibs and bobs that are needed to hook all this up as our new VMware environment. It is a pity that they won’t let me put them together myself (How dare they tempt a geek with a myriad of boxes of components!) but I can understand my boss’ requirements of having someone else do it, just so we can blame them should anything go wrong.

So we’ve seen what SSDs can do for the consumer market, I’ll let you know how they go in the corporate world 🙂