Kaspersky Calls For Cryptography Help On Gauss ‘Warhead’

Security firm Kaspersky is calling for help decrypting parts of the Gauss malware, which appear to form a significant “warhead”.

Gauss, believed to be the work of the nation state or states that created the Flame cyber espionage tool and, by extension, the Stuxnet and Duqu malware, emerged last week. Researchers discovered the malware was mainly targeting machines in Lebanon and could steal banking information, hijack account information for social networking, email and IM accounts, and intercept browser cookies and passwords.

Yet Gauss (code of which is pictured below) has an “unknown, encrypted payload which is activated on certain specific system configurations”, which Kaspersky now needs help cracking.

The Russian company has tried and failed to get into encrypted data hidden in three different sections in two Gauss files – “System32.dat” and “System32.bin”, which are 32-bit and 64-bit versions of the same code. Those two files are used for gathering information from an infected machine and writing it back to a file on the system’s USB drive.

Two of the three sections – .exrdat and .exdat – hold data, whilst the third – .exsdat – is believed to contain the code for decrypting and executing the contents of the “warhead”, Kaspersky said.

The hunt for the missing program

Whilst it has been unable to crack the encryption, Kaspersky has found that the payload is only run once a specific program has been found on the infected machine. Furthermore, that program’s name has to be written in an “extended character set”, such as Arabic or Hebrew, or start with a symbol such as “~”.

It is not an application with an English name. Cryptographers should try to determine what that application is, as its name is what unlocks the remainder of the encrypted information.
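One defender-side way to check an inventory of program directory names against the trigger condition described above, written as an added example that is not part of the article or of Kaspersky’s own tooling: the directory names are constructed, and the Unicode checks (any non-ASCII letter, or a leading symbol/punctuation character) are an assumption about how “extended character set” might be tested. It generalises past Arabic and Hebrew to any non-ASCII script.

```python
import unicodedata

# Constructed sample of program directory names, as one might list under
# Program Files. The Arabic, Hebrew and "~" entries are invented to
# illustrate the trigger condition described in the article.
SAMPLE_PROGRAM_NAMES = [
    "Microsoft Office",
    "Adobe Reader",
    "برنامج",          # Arabic letters
    "תוכנה",           # Hebrew letters
    "~tmp_installer",  # leading symbol
    "7-Zip",           # leading digit, not a symbol
]

def uses_extended_charset(name: str) -> bool:
    """True if any character falls outside ASCII (e.g. Arabic or Hebrew)."""
    return any(ord(ch) > 0x7F for ch in name)

def starts_with_symbol(name: str) -> bool:
    """True if the first character is a Unicode symbol (S*) or punctuation (P*), such as '~'."""
    return bool(name) and unicodedata.category(name[0])[0] in ("S", "P")

def scripts_in(name: str) -> set:
    """Collect the script word of each non-ASCII letter's Unicode name, e.g. {'ARABIC'}."""
    scripts = set()
    for ch in name:
        if unicodedata.category(ch).startswith("L") and ord(ch) > 0x7F:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def matching_names(names):
    """Return (name, reason) pairs for entries that satisfy the trigger condition."""
    hits = []
    for name in names:
        if uses_extended_charset(name):
            hits.append((name, "extended charset: " + ", ".join(sorted(scripts_in(name)))))
        elif starts_with_symbol(name):
            hits.append((name, "leading symbol " + repr(name[0])))
    return hits

if __name__ == "__main__":
    for name, reason in matching_names(SAMPLE_PROGRAM_NAMES):
        print(f"{name!r}: {reason}")
```

A machine whose program list yields no hits could not have satisfied the trigger, which narrows the set of victims worth contacting.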

It appears the Gauss attackers were launching a highly-targeted campaign, Kaspersky said, and the warhead is sizeable enough to contain “a Stuxnet-like SCADA targeted attack code”.

Vitaly Kamluk, chief malware analyst at Kaspersky Lab, told TechWeekEurope it was likely all the targets of Gauss were picked manually. “It must be [going after] something very critical,” he said.

The company has now offered cryptographers the first 32 bytes of encrypted data and hashes from known variants of the modules and has called on those who want to take part in uncovering Gauss’ secrets to email theflame@kaspersky.com.

“It is like a pure mathematical problem,” Kamluk added. “We have a definition of the problem, all the required conditions and there are multiple ways of solving it.”

Kaspersky is also trying to contact those infected with the malware, as they could help determine what the secret payload does. However, Kamluk was not optimistic about working with victims. “We don’t have good connections with all those people. Of those infected, there are 2500 using Kaspersky, but not all are legitimate,” he said.

“What we have are just IP addresses, and no contact information.”

Stuxnet and Flame are both believed to have been created by the US and Israel, meaning those two countries have again been implicated in another cyber espionage campaign, this time with Gauss.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
