Anti-Virus Firm Needs Help Decrypting Gauss Malware
The Russian anti-virus company that discovered the Gauss banking Trojan has hit a wall — and is asking for your help.
"Gauss contains a module named 'Godel' that features an encrypted payload," wrote an unnamed researcher from Kaspersky Lab on the company blog this morning (Aug. 14). "Despite our best efforts, we were unable to break the encryption.
"So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload."
Curiouser and curiouser
The "payload" is a presumably important part of Gauss' code that seems to be keyed to activate once the malware is installed on a specific machine.
Gauss searches for file names in the "Program Files" folder that begin with non-Latin characters or regular numerals — anything higher than lowercase "z" in the Unicode character set (code point U+007A in Unicode, number 122 in ASCII).
"In essence, this means the specific program which is installed in '%PROGRAMFILES%' has a name which starts either with a special char such as '~,' as in our example, or uses an UNICODE special char table, such as Arabic or Hebrew," said the Kaspersky blog posting.
However, the secret character doesn't need to be from a Middle Eastern language. Anything from a non-Latin character set would work, be it Greek, Cyrillic, Chinese, Cherokee or cuneiform.
Gauss creates a list of all the non-Latin file names and runs them through a complicated encryption process. If the end result matches any numbers in a preset list hard-coded into Gauss, the payload will decrypt.
"We have tried millions of combinations of known names ... without success," Kaspersky said.
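The trigger check described above, written out as an added example that is not from the article or from Kaspersky's analysis. It keeps only the entries of a directory listing whose first character is higher than lowercase "z" (U+007A), tags each with the script it belongs to, and then repeats the one test an analyst can run: derive a value from each candidate name and look it up in the hard-coded list. The article does not say what derivation Gauss uses, so SHA-256 over the UTF-16LE name is a labelled stand-in; the listing and the trigger list are constructed for the example.

```python
import hashlib
import unicodedata

# The article's trigger rule: an entry under %PROGRAMFILES% qualifies when its
# first character is higher than lowercase "z", U+007A (122 in ASCII).
Z_LOWER = 0x7A


def is_candidate(name: str) -> bool:
    """True if the entry name starts with a character above U+007A.

    Only the first code point is examined. On Windows the listing arrives as
    UTF-16, so a supplementary-plane character (cuneiform, U+12000 and up) would
    be seen as a high surrogate in U+D800..U+DBFF; that is still above U+007A,
    so the verdict is the same either way.
    """
    return bool(name) and ord(name[0]) > Z_LOWER


def script_hint(name: str) -> str:
    """First word of the Unicode name of the leading character, e.g. 'ARABIC',
    'CYRILLIC', 'CUNEIFORM'; handy for an analyst eyeballing a candidate list."""
    if not name:
        return "EMPTY"
    return unicodedata.name(name[0], "UNKNOWN").split()[0]


def candidate_names(listing):
    """Keep only the entries that would pass the trigger rule."""
    return [n for n in listing if is_candidate(n)]


def fingerprint(name: str) -> str:
    """Hypothetical stand-in for Gauss' undisclosed derivation: SHA-256 over the
    UTF-16LE bytes of the name. Only its one-way nature matters here; the
    hard-coded list cannot be run backwards to recover the name."""
    return hashlib.sha256(name.encode("utf-16-le")).hexdigest()


def matching_candidates(listing, trigger_list):
    """Entries whose fingerprint is in the hard-coded list. This is the test an
    analyst repeats over a dictionary of known names, one guess at a time."""
    return [n for n in candidate_names(listing) if fingerprint(n) in trigger_list]


# Constructed sample listing: two ordinary Latin names that fail the rule, the
# article's '~' case, and one name each in Arabic, Greek, Cyrillic, Chinese,
# Cherokee and cuneiform.
SAMPLE_LISTING = [
    "Common Files",
    "Internet Explorer",
    "~Example",
    "\u0628\u0631\u0646\u0627\u0645\u062c",                    # Arabic
    "\u03a0\u03c1\u03cc\u03b3\u03c1\u03b1\u03bc\u03bc\u03b1",  # Greek
    "\u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0430",  # Cyrillic
    "\u7a0b\u5e8f",                                            # Chinese
    "\u13e3\u13b3\u13a9",                                      # Cherokee
    "\U00012000",                                              # cuneiform
]

# Constructed trigger list: one entry is the fingerprint of "~Example" (so the
# sample has a known answer); the other stands for a name nobody has guessed.
TRIGGER_LIST = {
    fingerprint("~Example"),
    "0" * 64,  # placeholder, not a real Gauss value
}

if __name__ == "__main__":
    for n in candidate_names(SAMPLE_LISTING):
        hit = fingerprint(n) in TRIGGER_LIST
        print(f"{script_hint(n):10s} {n!r:40} match={hit}")
```

Run against a real %PROGRAMFILES% listing from a suspect machine, `candidate_names` gives a responder the short list of entries worth examining; `matching_candidates` shows why the search is one-way: each guess costs a derivation and a lookup, and the hard-coded list itself says nothing about the name until the right guess is made.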
What that payload is, no one except Gauss' creators knows, but Kaspersky fears it might be something serious.
"The resource section is big enough to contain a Stuxnet-like SCADA targeted attack code, and all the precautions used by the authors indicate that the target is indeed high-profile," the blog posting said.
State-sponsored, or just another banking Trojan?
Kaspersky unveiled Gauss last week and proclaimed it the fourth in a line of state-sponsored, highly sophisticated, presumably American pieces of malware.
The previous three include Stuxnet, the worm that sabotaged the Iranian nuclear facility at Natanz in 2010; Flame, an extremely advanced piece of spyware which may have "mapped the terrain" for the Stuxnet attack; and Duqu, a worm that bears many similarities to Stuxnet but whose purpose is still unknown.
Gauss seems to target Lebanese banks, recording online-banking login credentials and mapping out the system configuration of infected Windows PCs. Like Flame, it also records social-networking, instant-messaging and email account information.
Beirut is one of the financial hubs of the Middle East, and Iran's influence in the country makes it logical to assume that the Iranian government has a lot of money deposited in Lebanese banks.
Mikko Hypponen, chief research officer of Finnish security firm F-Secure, noted that "Gauss won't start if it finds Kaspersky, GData, F-Secure or ZoneAlarm" on a system, according to an array of filenames that the malware checks for.
Most of Gauss' features have been found in regular criminal-controlled banking Trojans, which are out to steal money, not information.
"There is reason to believe it was more than just your normal malware in that only specific targets can decrypt a payload," Robert Graham, founder and chief executive officer of Errata Security in Atlanta, told SecurityNewsDaily last week. "But it could just as easily be sponsored by a Russian crime syndicate as a 'state' — or just a couple of guys. So far, it sounds like it's technically within the limits of the average hacker."
However, Roel Schouwenberg, a Kaspersky malware researcher based in the firm's U.S. office, said there were certain aspects of Gauss' coding that definitively linked it to Flame.
"Gauss was created on the Flame(r) platform," Schouwenberg told SecurityNewsDaily via Twitter. "If Gauss isn't done by a nation-state, it'd mean [the] Flame source code [was] stolen/leaked."
Kaspersky's own anti-virus software already protects Windows PCs against Gauss. By now, five days after the malware's discovery, it's safe to assume most other major anti-virus products will as well.