August 15, 2012
Security Firm Kaspersky Asks For Help Cracking The Gauss Code
Peter Suciu for redOrbit.com — Your Universe Online
Russian security firm Kaspersky Labs has called on the world's leading cryptographers to help break the encryption of what remains a still-mysterious and potentially devastating warhead delivered by the Gauss cyber-surveillance malware.
On Tuesday the company reached out to essentially anyone who could help crack the code.
“We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload,” said the Moscow-based security company in a blog post Tuesday. “Despite our best efforts, we were unable to break the encryption.”
“The code that decrypts the sections is very complex compared to any regular routine we usually find in malware.”
The Gauss warhead could join the ranks of the infamous uncracked codes that have baffled cryptographers, which include various ciphers such as the Russian D'Agapeyeff cipher and the mysterious Voynich Manuscript. Whether the Gauss warhead ever earns such an infamous place in history has yet to be seen — at least that is, unless it is cracked.
Additionally, it is still unknown what the so-called payload of the warhead is.
Gauss is known to be a sophisticated spying tool that was only uncovered by Kaspersky last week, and which has the ability to monitor financial transactions with Middle East banks. It was likely built or at least backed by one or more governments.
Among the theories circulating at present are that the Gauss cyber-spy Trojan was created by the U.S. government, reported E-Week on Tuesday, and possibly in the same lab that created the Flame malware. However, the outstanding question — especially given the encryption — is why?
The warhead can be delivered to infected machines by the Gauss malware tool, and it can be decrypted by the malware using a key composed of configuration data from the system that it is targeting. However, without knowing what systems are being targeted, researchers have been unable to reproduce the key required to actually crack the encryption.
What is also interesting about the payload is that it is delivered to machines via an infected USB drive rather than through normal Internet connections. This USB stick reportedly uses the .lnk exploit to execute its malicious activity. The payload isn't the only file that has been discovered that Kaspersky has been unable to crack.
What is also known is that Gauss not only spreads through memory sticks, but that if it doesn't find what it is looking for it actually deletes itself — something few Trojans or other malware have done. It seems to be “interested” in banking information but it isn't actually stealing money — which again suggests it could be looking into covert government or even terrorist activity.
It is believed that the malware is looking for banking information, along with user data, passwords, personal data, and social networking information.
One other interesting piece of information has been discovered: it installs the Palida Narrow font, but no one seems to know why. A theory online is that this TrueType font isn't widely used and that its presence could allow Gauss to “know” that it is already on a machine or had been there.
What isn't known is how the malware spreads. While it has shown up in the United States on more than 40 machines according to E-Week, it is believed this was through the use of VPNs that were connected with computers in the Middle East. The New York Times noted this week that Kaspersky found Gauss on more than 2,500 computers, most in Lebanon.
The Lebanon connection could prove this is a U.S. black-ops operation, as the United States had been concerned that banks in the Middle Eastern country were housing money to back the Syrian government, which currently faces a civil war, as well as that of the Lebanese militant group Hezbollah.
So what's its purpose? Maybe it isn't like ordering out for Middle Eastern food.