Kaspersky Seeks a Few Beautiful Minds for Gauss Decryption
Aug 15, 2012 7:00 AM PT
Kaspersky Lab is reaching out for help to crack the security of the Gauss malware, which it discovered recently.
It's still not known how people get infected with the malware, Kaspersky Lab said. The purpose of the "Palida Narrow" font Gauss installs hasn't been figured out, either.
But the most interesting mystery is the encrypted warhead Gauss carries. It's contained in Godel, one of the malware package's many modules. Kaspersky hasn't been able to crack the encryption and is calling for help from cryptologists and mathematicians.
Other antivirus companies, including Symantec, are also studying Gauss.
"We're looking into this and will reach out as soon as we have more information to share," Mike Bradshaw, a Symantec spokesperson, told TechNewsWorld.
A Little Knowledge ...
The "Godel" module has a spy component, dskapi.ocx, that runs on infected workstations and will infect USB drives attached to these, said Kurt Baumgartner, a senior security researcher at Kaspersky Lab.
It creates various directories and contents on the infected USB drives whose overall purpose "is to collect information on systems that these infected USB sticks are plugged into and then delete their presence from the drive," Baumgartner told TechNewsWorld.
The attackers could be using infected USB sticks to get around air gapping, Baumgartner speculated. Air gapping is when a secure network is physically, electrically and electromagnetically isolated from insecure ones. Measures taken may include a ban on wireless connections to or from the secure network. The only way to transfer data from a secure system to other systems is to write data on a removable medium such as a USB stick and use that in the other system.
Further, infected USB sticks have two files that maintain three sections of "Godel" suspected of housing the payload. One is a 32-bit file and the other 64-bit, Baumgartner said. These three sections are RC4 encrypted with an unknown key that Kaspersky Lab has not yet discovered. Another version of these three sections is weakly encrypted with a xor routine.
Another "encrypted blob of mystery content" that's separate from the xor encoded sections and the RC4 encrypted sections is in what Kaspersky Labs calls "resource 100," Baumgartner stated. This is maintained within the 32-bit dll that resides on infected USB drives.
Ignorance Is Not Bliss
The code that decrypts the three sections is very complex compared to other routines found in malware, Kaspersky Lab said. It has tried millions of combinations of known names, and its researchers think the attackers are looking for a very specific program with the name written in an extended character set such as Arabic or Hebrew, or one that starts with a special symbol.
It's not feasible to break the encryption with a simple brute-force attack, Kaspersky Lab stated.
The resource section is big enough to contain attack code that, like Stuxnet, targets SCADA systems, Kaspersky suggested. Stuxnet, to which Gauss is apparently related, was used to attack the SCADA industrial control systems that run Iran's nuclear reactors.
Shout Out for Help
Kaspersky Lab is calling on world-class cryptographers or anyone else who can help to pitch in. It's providing up to 32 bytes from the beginning of each encrypted section for helpers to decrypt.
"Cryptography is years ahead of de-cryptography," Randy Abrams, a research director at NSS Labs, told TechNewsWorld. "If a nation-state wants to protect secrets, it can use algorithms that will not likely be broken in the next 20 years, or even 200 years if quantum computing doesn't pan out as expected."
On the other hand, encryption, especially strong encryption, can be used as a decoy, Abrams pointed out.