Researchers Seek Help Cracking Gauss Mystery Payload
An anonymous reader writes "Researchers at Kaspersky Lab are asking the public for help in cracking an encrypted warhead that gets delivered to infected machines by the recently discovered Gauss malware toolkit. They're publishing encrypted sections and hashes in the hope that cryptographers will be able to help them out."
Adds reader DavidGilbert99: "The so-called Godel module is targeting a specific machine with specific system configurations, and Kaspersky believes the victim is likely a high-profile target. The decryption key, Kaspersky believes, will be derived from these specific system configurations, and so far it has been unable to find out what they are."
Re:Geez, just ask the NSA (Score:5, Interesting)
And notice they're only giving out pieces, so nobody knows what they're working on. Nice way to keep secrets while exploiting cheap labor from "the crowd".
irc bot author (Score:0, Interesting)
It looks like validation in one of my first creations, an IRC bot (a war bot, for taking over channels, not for spamming people and stealing their CCs).
It was also doing validation, to verify its binary had not been altered, using MD5 and some kind of computation over the binary itself.
And then it was loading a userfile (payload), which was encrypted using a system-specific key. In my case it was the physical location of a file on disk (i-node, blocks, etc., all you could get from the file info syscall), nicely MD5 hashed to get a good Blowfish key.
The userfile contained list of people (ident@host.com) with their rights, and passwords for their accounts + information about how to link to the botnet...
I am pretty sure here you have the same thing, so, do I get candy as a reward?
Re:From the Article (Score:4, Interesting)
it will be very difficult to break this unless the targeted party comes forth.
Difficult to break it legally, you mean... All you need to do is release a new virus/worm that only does the first hash step, then if by some miracle a match is found the victim gets a popup "You won, to collect your winnings please contact contest@nsa.gov" or whatever.
As sort of a running joke / meme I can imagine black hats doing this purely for fun. The IRC channel for the bot net gets spammed with the PATH and PROGRAMFILES once it finds a match.
Might also make a hilarious "antivirus update" as part of perfectly legit anti-virus suites. Run this test to see if you're vulnerable to the "whatever its called" targeted worm.
Re:can someone please explain (Score:5, Interesting)
It's a very clever hack indeed. We always think of encryption keys as something that we make up randomly and need to be transmitted... but this isn't even an unusual style of use.
This is kind of like... taking some shared knowledge, using it to make a key, then sending the encrypted data to someone, giving them a riddle only they can solve.
"The key is the date we first met, plus the date you left your first job, plus the name of the restaurant we went to after your mother's funeral".
Except... it's based on system configs. I have to wonder with path elements and program files how well balanced they are between identification of the specific machine(s) they want, against the possibility those configs will change before the payload goes off.
Re:can someone please explain (Score:5, Interesting)
One of my guesses is that both the PATH element and the Program Files item are linked to a single application. That way, as long as the application is installed, the payload would be decryptable. The name check suggests that the application is some in-house project, probably not publicly released.
But maybe the "trigger" is an application in certain environment. Then the Program File would determine application presence. Then the expected item of PATH could refer to some network share, mapped disk, e.g. T:\Repository\bin. Such combination would be pretty unique and therefore an ideal "trigger", IMHO.
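The scheme the two replies above describe, a key derived from one PATH entry plus one Program Files folder, a stored check value so the loader knows when it has found the right pair, and the "first hash step" trick of scanning hosts for a match, as an added Python example. This is illustrative code written for this page, not Gauss's actual algorithm and not anything published by Kaspersky; the hash construction, round count, salt, sample host configurations and the toy SHA-256 stream cipher are all assumptions made for the demo.

```python
"""Environment-keyed payload: the decryption key is derived from the victim's own
PATH and Program Files configuration, so the payload opens only on the right host.
Illustrative construction only; it is NOT the real Gauss/Godel scheme."""
import hashlib
import hmac
from itertools import product
from typing import Optional, Tuple

ROUNDS = 5_000  # iterations per candidate; an assumption for the demo, not Gauss's count


def derive_key(path_entry: str, program_files_entry: str, salt: bytes) -> bytes:
    """Key = iterated SHA-256 over one PATH entry and one Program Files folder name.
    Case-folded and UTF-16-LE encoded (demo choice, mirroring how Windows stores them)."""
    material = (path_entry.lower() + "|" + program_files_entry.lower()).encode("utf-16-le")
    digest = hashlib.sha256(salt + material).digest()
    for _ in range(ROUNDS - 1):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def validation_tag(key: bytes) -> bytes:
    """Shipped next to the ciphertext so the loader can recognise the right key.
    It leaks nothing but a yes/no per candidate, which is exactly why defenders are
    reduced to guessing configurations."""
    return hmac.new(key, b"trigger-check", hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) so the demo needs no third-party
    library. Do not reuse it for anything real."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "little")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(plaintext: bytes, path_entry: str, program_files_entry: str, salt: bytes) -> dict:
    """Attacker side: bind the payload to one (PATH entry, Program Files folder) pair."""
    key = derive_key(path_entry, program_files_entry, salt)
    return {"salt": salt, "tag": validation_tag(key), "ct": keystream_xor(key, plaintext)}


def find_trigger(blob: dict, path_entries, program_files_entries) -> Optional[Tuple[str, str]]:
    """The 'first hash step': walk every PATH x Program Files combination on this host
    and report the pair whose tag matches. A scanner that only wants to know whether a
    host is the intended target stops here and never touches the ciphertext."""
    for path_entry, pf_entry in product(path_entries, program_files_entries):
        key = derive_key(path_entry, pf_entry, blob["salt"])
        if hmac.compare_digest(validation_tag(key), blob["tag"]):
            return path_entry, pf_entry
    return None


def unseal(blob: dict, path_entries, program_files_entries) -> Optional[bytes]:
    """Victim side: decrypt only if this host's configuration yields the right key."""
    hit = find_trigger(blob, path_entries, program_files_entries)
    if hit is None:
        return None
    return keystream_xor(derive_key(hit[0], hit[1], blob["salt"]), blob["ct"])


# Constructed host configurations for the demo (assumptions, not data from Kaspersky).
TARGET_PATH = [r"C:\Windows\system32", r"C:\Windows", r"T:\Repository\bin"]
TARGET_PROGRAM_FILES = ["Common Files", "Internet Explorer", "InHouseTool"]
BYSTANDER_PATH = [r"C:\Windows\system32", r"C:\Windows"]
BYSTANDER_PROGRAM_FILES = ["Common Files", "Internet Explorer", "7-Zip"]
SALT = bytes.fromhex("0123456789abcdef")


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Seal for the target, then try to open on the target and on a bystander."""
    blob = seal(b"payload: run only on the right box", r"T:\Repository\bin", "InHouseTool", SALT)
    return (unseal(blob, TARGET_PATH, TARGET_PROGRAM_FILES),
            unseal(blob, BYSTANDER_PATH, BYSTANDER_PROGRAM_FILES))


if __name__ == "__main__":
    on_target, on_bystander = demo()
    print("target   :", on_target)
    print("bystander:", on_bystander)
```

Running it, the target host recovers the plaintext and the bystander gets `None`. Two things to notice: the loader never needs the key on disk, only the tag, so static analysis of the sample yields nothing but a hash to brute-force; and the brittleness raised above is real, since renaming the mapped share or the folder changes the derived key and silently bricks the payload.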
Re:Geez, just ask the NSA (Score:1, Interesting)
Consider this. This time they don't want to be as dumb as they were in the past, when they let our nation's enemies have all the information they needed about the attacks we were doing to them. In this case, once they find out exactly what it's doing, they can determine if it's some retarded hacking team that wants to steal CC info or it's something the government's involved in. If it's the latter, there's no need to release info on who's being targeted and other specifics. They were probably also contacted in regards to what happened previously. Some countries feel a need to have some form of national security, regardless of what some bearded basement dweller thinks.
Of course there isn't anything to stop another country that finds code like this from setting up something to let IT people do the work for them to tell them exactly what it does. In this case, if things go right, that country can then start setting up fake systems and start feeding bad info through the exploit.
Re:sure, give Iran free tech support (Score:5, Interesting)
Since Iran does not have a nuclear weapons program - as concluded by both US and Israeli intelligence agencies (as opposed to their corrupt politicians) - and has every legal right to have its existing nuclear energy program - including full enrichment rights, even to 20% levels - which is fully under supervision by the IAEA, any attempt to attack its program is illegal.
For those seeking the real facts, as opposed to the propaganda crap put out by Fox News, The Washington Post, and the New York Times, go to www.antiwar.com, www.raceforiran.com, www.asiatimes.com and www.campaigniran.com.
In any event, the Gauss malware appears to be targeting Lebanon and not Iran. Some have suggested that it is targeting Lebanese banks which might be handling financial transactions by Hizballah, the Shia national resistance movement in Lebanon. If so, this is likely in preparation for the upcoming Israeli attack on Lebanon, which is scheduled to occur during the upcoming US/NATO/Turkey attack on Syria.
Allow me to explain the purpose of the Syrian crisis...
Back in 2006, Bush and Cheney were pushing for Israel to attack Iran. However, Israeli leaders balked because they believed that attacking Iran would result in Iranian, Syrian AND Hizballah missiles raining down on Israel, causing Israelis to hide in bomb shelters for most of every day, damaging the economy, and possibly causing the electorate to vote out the leaders in the next election.
In short, Israel wanted a "cheap" Iran war where they only had to deal with a couple hundred missiles from Iran (if that, once the US air strikes had taken out most of Iran's missiles or where Iran had used most of its missiles on US assets in the region).
So Israel decided with US blessing to attack Hizballah in Lebanon, hoping to force them far enough north that their (at that time limited-range) missiles would be ineffective in an Iran war. As we know, Israel failed miserably due to Hizballah's superior preparation.
At that point, Middle East expert Colonel Pat Lang pointed out that the only way Israel could take out Hizballah in southern Lebanon would be to attack Hizballah in the Bekaa Valley, which provides Hizballah with "defense in depth".
To do this, however, would require Israeli forces to enter Syrian territory and engage Syrian forces. Not that Israel couldn't do this, but it would result in Israeli forces facing Hizballah guerrilla war in their front while the remnants of Syria's forces engaged in guerrilla war in Israel's rear - not a good position to be in if you want to minimize casualties and get Israeli electorate support.
BUT... IF Syria were ALREADY under attack by the US/NATO/Turkey air strikes for "humanitarian reasons", that would make such an attack feasible because large concentrations of Syrian forces would be suppressed by air strikes.
And this is why Syria is where it is today. And this is what will happen:
1) The US and NATO and Turkey will find a way to bypass the lack of UNSC Resolution authorization and will attack Syria before the end of this year.
2) In the course of that war, Israel - using the excuse that Syrian weapons are being sent to Hizballah (already floated in the Israeli press as an excuse that Israel "will have to" attack Syria and Lebanon) - will send one armored division into Syria to protect a second armored division which will proceed up the Lebanese/Syrian border and then turn into the Bekaa Valley, while a third armored division attacks Southern Lebanon as before, in a classic "pincer movement".
3) IF Israel succeeds in damaging Hizballah enough (which I am not sure is feasible, but Israel has to try) and IF the US and NATO can damage enough of Syria's missile inventory, then in the next year or so Israel and/or the US will attack Iran.
The ENTIRE purpose of the Syrian crisis is to remove Syria and Hizballah as effective actors in an Iran war, and thus to enable the Iran war to proceed.