Kaspersky appeals for help in cracking Gauss

Security company invites crypto fans to help decode hidden payload in Gauss malware

Tags: Cyber crimeKaspersky Lab
  • E-Mail
Kaspersky appeals for help in cracking Gauss Gauss contains an encrypted payload that Kaspersky has not been able to decrypt.
By  Mark Sutton Published  August 14, 2012

Security company Kaspersky Lab is appealing to cryptography enthusiasts to help it crack the Gauss malware discovered last week.

Gauss appears to be an espionage malware, created with the purpose of spying on online banking transactions with several Lebanese banks. The malware, which spread mainly via USB, was detected in about 2,500 PCs, with the majority in Lebanon, Israel and Palestine.

Kasperksy is warning however that the malware also contains another encrypted module, called GODEL, that will only activate under certain specific conditions, although the company has not been able to decrypt it so far.

Vitaly Kamluk, chief malware expert, Russian Global Research & Analysis Team, said that the company is concerned about the nature of this encrypted payload, as the resources file attached to it is large enough to contain a Stuxnet-like SCADA targeted attack code.

"We believe that there is some extra, advanced and dangerous malware hidden in this protected payload. Our main problem right now is in finding this decryption key or the system conditions which are required to generate the decryption key," Kamluk told ITP.net.

"Normally malware will try to execute as much useful payloads as possible, however this particular scheme shows that this malware will not execute its extra code unless it finds very specific systems.

Kamluk said that Kaspersky has been able to partially identify two of the conditions under which the hidden Gauss code will decrypt. The first is a very common variable relating to the PATH environment.

The second is that the malware is looking for a specific application installed in the program files directory. The specific application has yet to be discovered, but Kasperksy has identified that its name starts with either a special character or uses an UNICODE special char table, such as Arabic or Hebrew. The company says that this could mean that Gauss is looking for an application developed and named in a non-English language, and that by inviting others to join in research, it increases the chances of finding out what that application is.

"We hope that with the help of crowdsourcing we could probably check more local software and various configurations of computer system, and try them as the components for the decryption key generator," Kamluk said.

The company has now made code from the malware available via its Securelist blog, so that individuals can do their own analysis, and try to crack the encryption scheme.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code