Kaspersky Calls For Cryptography Help On Gauss ‘Warhead’

Security firm Kaspersky is calling for help decrypting parts of the Gauss malware, which appear to form a significant “warhead”.

Gauss, believed to be the work of the nation state or states that created the Flame cyber espionage tool and therefore the Stuxnet and Duqu malware, emerged last week. Researchers discovered the malware was mainly targeting machines in Lebanon and could steal banking information, hijack credentials for social network, email and IM accounts, and intercept browser cookies and passwords.

Yet Gauss (code of which is pictured below) has an “unknown, encrypted payload which is activated on certain specific system configurations”, which Kaspersky now needs help cracking.

The Russian company has tried and failed to get into encrypted data hidden in three different sections in two Gauss files – “System32.dat” and “System32.bin”, which are 32-bit and 64-bit versions of the same code. Those two files are used for gathering information from an infected machine and writing it back to a file on the system’s USB drive.

Two of the three sections – .exrdat and .exdat – hold data, whilst the third – .exsdat – is believed to contain the code for decrypting and executing the contents of the “warhead”, Kaspersky said.

The hunt for the missing program

Whilst it has been unable to crack the encryption, Kaspersky has found that the attackers intended the payload to run only once a specific program had been found on the machine. Furthermore, that program’s name has to be written in an “extended character set”, such as Arabic or Hebrew, or has to start with a symbol such as “~”.

It is not an application with an English name. Cryptographers should look to determine what that application is, as it will help unlock the remainder of the encrypted information.
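The article gives investigators one concrete hunting criterion: the program that triggers the payload has a name using an extended character set (Arabic or Hebrew are the examples given) or beginning with a symbol such as “~”. The script below is an added example, not Kaspersky’s code or tooling, that turns that criterion into a filter an analyst can run over a suspect machine’s PATH directories to shortlist candidate programs. The function names, the PATH-walking approach and the constructed sample names are assumptions for illustration; nothing here is derived from the Gauss samples themselves.

```python
"""Shortlist executables whose names match the Gauss payload trigger hint.

Added example, not Kaspersky's code. It encodes only what the article
states: the payload is meant to run when a specific program is present,
and that program's name uses an "extended character set" (such as Arabic
or Hebrew) or starts with a symbol such as "~". Function names and the
sample data below are constructed for illustration.
"""
import os
import unicodedata
from typing import Iterable, List, Optional, Set, Tuple

# Prefixes of Unicode character names (as returned by unicodedata.name)
# for the two scripts the article cites as examples of "extended" sets.
EXTENDED_SCRIPT_MARKERS = ("ARABIC", "HEBREW")


def uses_extended_charset(name: str) -> bool:
    """True if the name contains any character outside 7-bit ASCII."""
    return any(ord(ch) > 0x7F for ch in name)


def scripts_in_name(name: str) -> Set[str]:
    """Return which of the cited scripts (ARABIC, HEBREW) appear in the name."""
    found: Set[str] = set()
    for ch in name:
        if ord(ch) <= 0x7F:
            continue
        uname = unicodedata.name(ch, "")
        for marker in EXTENDED_SCRIPT_MARKERS:
            if uname.startswith(marker):
                found.add(marker)
    return found


def matches_trigger_hint(name: str) -> bool:
    """The article's condition: a '~' prefix or a non-ASCII (non-English) name."""
    return name.startswith("~") or uses_extended_charset(name)


def candidate_names(names: Iterable[str]) -> List[str]:
    """Filter file names down to those matching the hint, preserving order."""
    return [n for n in names if matches_trigger_hint(n)]


def scan_path_dirs(path_env: Optional[str] = None) -> List[Tuple[str, str]]:
    """Walk every directory on PATH (or on the given PATH-style string) and
    return (directory, filename) pairs whose filename matches the hint.
    Missing or unreadable directories are skipped rather than aborting."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    hits: List[Tuple[str, str]] = []
    for d in path_env.split(os.pathsep):
        if not d:
            continue
        try:
            entries = os.listdir(d)
        except OSError:
            continue
        for entry in entries:
            if matches_trigger_hint(entry):
                hits.append((d, entry))
    return hits


# Constructed sample file names (not taken from any real infection): one
# Arabic name, one Hebrew name, one '~'-prefixed name, and ordinary
# English names that the filter must leave out.
SAMPLE_NAMES = [
    "notepad.exe",
    "~setup.exe",
    "برنامج.exe",
    "תוכנה.exe",
    "calc.exe",
]

if __name__ == "__main__":
    for name in candidate_names(SAMPLE_NAMES):
        print(name, scripts_in_name(name) or "symbol prefix only")
    for d, f in scan_path_dirs():
        print("PATH hit:", os.path.join(d, f))
```

Run as-is it prints the three constructed matches and then any hits from the local PATH; an analyst working a real image would point `scan_path_dirs` at the mounted system’s PATH string instead of the live environment. The filter is deliberately broad (any non-ASCII character counts), because the article only says the name is non-English, so false positives such as localised program names are expected and are cheaper than missing the one that matters.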

It appears the Gauss attackers were launching a highly targeted campaign, Kaspersky said, and the warhead is sizeable enough to contain “a Stuxnet-like SCADA targeted attack code”.

Vitaly Kamluk, chief malware analyst at Kaspersky Lab, told TechWeekEurope it was likely all the targets of Gauss were picked manually. “It must be [going after] something very critical,” he said.

The company has now offered cryptographers the first 32 bytes of encrypted data and hashes from known variants of the modules and has called on those who want to take part in uncovering Gauss’ secrets to email theflame@kaspersky.com.

“It is like a pure mathematical problem,” Kamluk added. “We have a definition of the problem, all the required conditions and there are multiple ways of solving it.”

Kaspersky is also trying to contact those infected with the malware, as they could help determine what the secret payload does. However, Kamluk was not optimistic about working with victims. “We don’t have good connections with all those people. Of those infected, there are 2500 using Kaspersky, but not all are legitimate,” he said.

“What we have are just IP addresses, and no contact information.”

Stuxnet and Flame are both believed to have been created by the US and Israel, meaning those two countries have again been implicated in another cyber espionage campaign, this time with Gauss.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
