Encryption

Researchers Seek Help Cracking Gauss Mystery Payload

An anonymous reader writes "Researchers at Kaspersky Lab are asking the public for help in cracking an encrypted warhead that gets delivered to infected machines by the recently discovered Gauss malware toolkit. They're publishing encrypted sections and hashes in the hope that cryptographers will be able to help them out." Adds reader DavidGilbert99: "The so-called Godel module is targeting a specific machine with specific system configurations, and Kaspersky believes the victim is likely a high-profile target. The decryption key, Kaspersky believes, will be derived from these specific system configurations, and so far it has been unable to find out what they are."
  • by Anonymous Coward on Tuesday August 14, 2012 @10:28AM (#40984357)

    Pfft. You actually believed that story about the iPhone?

  • Warhead? (Score:5, Insightful)

    by gr8_phk ( 621180 ) on Tuesday August 14, 2012 @10:46AM (#40984607)
    Since when did we start calling a payload a warhead, especially when it hasn't been decrypted?
  • by medcalf ( 68293 ) on Tuesday August 14, 2012 @11:05AM (#40984851) Homepage
    How large is the universe of Windows programs not named in Latin characters? I have to think it's in the low millions at most, and probably less than that. Maybe the way to do this is to try the paths and filenames of those programs, and see if you get a match. As a first try at reducing the things you have to check, you could eliminate anything widely used, since this is likely targeted at a rare configuration. I'd start by looking at SCADA control programs, personally, because there's a good chance that this is targeted at industrial control systems, based on the last few weaponized software bits that have been found (stuxnet, et al).
  • Re:Warhead? (Score:5, Insightful)

    by __aaeihw9960 ( 2531696 ) on Tuesday August 14, 2012 @11:18AM (#40984989)
    When we started the propaganda about how evil technology and evil hackers are ruining the world.
  • by gstoddart ( 321705 ) on Tuesday August 14, 2012 @12:30PM (#40985759) Homepage

    Do you seriously believe the NSA would give a flying fig about the GPL?

    I'm quite sure they could cite any number of "national security" reasons and tell you to go screw off.

    That, of course, presumes you'd get any response other than "no comment" on your inquiries.

    Seriously, playing "what if" about how to force the NSA to disclose code under the GPL is kind of a pointless exercise. You'd be stonewalled to the point of being ignored.

  • by bolek_b ( 246528 ) on Tuesday August 14, 2012 @12:45PM (#40985911) Homepage
    If I remember correctly, Stuxnet targeted Windows machines in the first step too. There it infected developer tools and the damage-causing payload did get compiled into programs for those SCADA systems of certain importance. So Windows systems might not have any obvious importance at all, but they play a role of the weakest link surprisingly well.
  • by Cytotoxic ( 245301 ) on Tuesday August 14, 2012 @01:28PM (#40986419)

    Not to mention that reverse engineering isn't something most people think about or specialize in.

    Nope, not something people think about... not so much. Except Kaspersky. Yeah, Kaspersky Labs - that's pretty much what they think about and specialize in. Reverse engineering malware and viruses, that is. That's pretty much exactly what their core expertise involves. So maybe suggesting that they use reverse engineering is a little silly. Particularly when the accompanying article states that they reverse engineered the program and gives details as to exactly what it is doing based on this reverse engineering.

    Let's see, who are we talking about anyway? Hmm... Eugene Kaspersky [kaspersky.com] is the top guy over there. It seems he was involved with building AVP back in the early 90's before founding Kaspersky Labs in the late 90's. He also "graduated from the Institute of Cryptography, Telecommunications and Computer Science, where he studied mathematics, cryptography and computer technology, majoring in mathematical engineering." - so he's got the training. Yup, I'd say advising this guy that executing the code in a virtualized environment might solve his problem just might be enough to make you look a tiny bit ridiculous.

  • Re:Really? (Score:3, Insightful)

    by fredprado ( 2569351 ) on Tuesday August 14, 2012 @02:26PM (#40987259)
    The same can be said about US and its weapons.
