Researchers Seek Help Cracking Gauss Mystery Payload
An anonymous reader writes "Researchers at Kaspersky Lab are asking the public for help in cracking an encrypted warhead that gets delivered to infected machines by the recently discovered Gauss malware toolkit. They're publishing encrypted sections and hashes in the hope that cryptographers will be able to help them out."
Adds reader DavidGilbert99: "The so-called Godel module is targeting a specific machine with specific system configurations, and Kaspersky believes the victim is likely a high-profile target. The decryption key, Kaspersky believes, will be derived from these specific system configurations, and so far it has been unable to find out what they are."
Geez, just ask the NSA (Score:5, Funny)
What did you guys put in it, again?
Re:Geez, just ask the NSA (Score:5, Interesting)
And notice they're only giving out pieces, so nobody knows what they're working on. Nice way to keep secrets while exploiting cheap labor from "the crowd".
Re:Geez, just ask the NSA (Score:4, Funny)
Hey... it worked in Hackers.
Re: (Score:2)
And notice they're only giving out pieces, so nobody knows what they're working on
This pretty much describes how my boss runs most projects...
Re: (Score:3)
Probably? Of all people and organizations in the world, I suspect the NSA is the least likely to be relying on GPL'd third party code for their encryption needs.
Re:Geez, just ask the NSA (Score:4, Informative)
If they probably are using a GPL library for decoding/uncompressing, they could be sued to release the code to be compliant with the license.
That seems to be a common misconception. That's not how the GPL works. They need to make the code available to their customers on demand. You aren't their customer, you can't demand anything.
Re: (Score:3)
If you got it, no matter whether it got activated or not because your machine is not the full target system, then you should be able to demand it (especially if it got delivered to you in the way that the maker intended; it's not like you stole it).
Laws, contracts and licenses aren't made of "shoulds"
Re: (Score:3)
Laws, contracts and licenses aren't made of "shoulds"
Actually, they seem quite musty to me.
Re: (Score:2, Insightful)
Do you seriously believe the NSA would give a flying fig about the GPL?
I'm quite sure they could cite any number of "national security" reasons and tell you to go screw off.
That, of course, presumes you'd get any response other than "no comment" on your inquiries.
Seriously, playing "what if" about how to force the NSA to disclose code under the GPL is kind of a pointless exercise. You'd be stonewalled to the point of being ignored.
Re: (Score:3)
The GPL v3 contains the word "customer" in only one place, and it precedes "support" and is talking about the period of time you offer customer support for a hardware device.
The requirement is that if you "convey" the code in binary form you must also "convey" the source. Sending it to someone over a network or on, for example, flash drives purposely left in parking lots, would seem to be "conveying" it.
The GPL v2 uses the word "distribute" in the same context, which seems to be functionally identical to "
Re: (Score:2)
Sending it to someone over a network or on, for example, flash drives purposely left in parking lots, would seem to be "conveying" it.
Possibly so. However then you only need to prove in court that developer A created and left a Flash drive with the software B to be inevitably collected by customer C.
This is necessary because, for example, the developer could simply discard the media with software that was never meant for distribution; you dived into that dumpster and got it. Or perhaps it was not the d
Re: (Score:3)
Pay particular attention to section 10:
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.
Each infected computer in the chain gets an explicit license to run and propagate the work (a virus can't violate the GPL by spreading itself!), but the original distributor would still be held accountable for providing the source code.
Re: (Score:2)
That seems to be a common misconception. That's not how the GPL works. They need to make the code available to their customers on demand. You aren't their customer, you can't demand anything.
The GPL covers distribution, not "being a customer". If someone uses GPL code in a project, then only the GPL itself gives them a right to re-distribute the derivative product. If the distributor does not comply with the GPL then they do not have a license to redistribute and are guilty of copyright infringement unless they have some alternative license, or copyright law does not apply to them for some reason.
Re: (Score:3)
Well... I don't think you're properly considering this in detail (not that it applies to the NSA anyway).
If you use a GPL tool in a project, but don't distribute the tool, then the GPL places NO constraints on you. It only applies if you are distributing SOMEONE ELSE'S GPL CODE. If it's your code, there aren't any constraints. If it's someone else's code, but you aren't distributing it, then there aren't any constraints.
Re: (Score:2)
It might well be GPL, but have you considered that they may well have written it? If you wrote it, you aren't bound by the copyright terms.
(P.S.: I think the feds have exempted themselves from obeying the copyright laws anyway, though I can't remember for sure.)
Re: (Score:3)
I've heard people call the GPL "viral" ... but this is ridiculous!
Cracking might be impossible (Score:4, Funny)
Re: (Score:2, Insightful)
Pfft. You actually believed that story about the iPhone?
Degauss? (Score:3, Funny)
Re: (Score:2)
You also have to make that sound: BRrrrrrrrrrdddddddTick.
I've Got It!!! (Score:5, Funny)
I just ran the code and something about my system is causing it to decrypt, and it appears be tr***CARRIER LOST***
Re: (Score:3)
You shouldn't have set your PATH to /iran/fission/uranium/centrifuge, then.
From the Article (Score:5, Informative)
1) Enumerate all directories in the computer's PATH variable
2) Enumerate all files in the %PROGRAMFILES% directory whose file name starts with a non-Latin-alphabet Unicode character (i.e., Arabic)
3) Hash every pair from the previous two lists with MD5 and check against a known hash
If the hashes match, then it has found the correct configuration. This means it is looking for a computer with a specific directory or file in the %PROGRAMFILES% directory, in combination with a specific directory in its path variable. This hash is salted and stretched so they obviously knew what they were doing.
Once it knows it has the correct configuration, it rehashes that pair with a different salt to get an RC4 encryption key which unlocks the payload. Different salts are used in the validation and decryption stages so that the validation hash (which is stored in the binary and known to everybody) does not give any information about the target configuration or the encryption key. Given the number of possible combinations of known files that could be in %PROGRAMFILES% and directories that could be in %PATH%, combined with the fact that the target configuration is likely one that is not publicly known, it will be very difficult to break this unless the targeted party comes forth.
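The validate-then-derive scheme this comment lays out, as an added Python demo that is not Kaspersky's code or Gauss's actual constants: the two salts, the round count, the target pair (the T:\Repository\bin idea from a later comment, paired with an Arabic-named Program Files entry) and the payload bytes are all constructed here, so only the structure of the scheme is what the page describes. It runs the pairwise check over constructed PATH and Program Files lists and shows why the stored validation hash says nothing about the RC4 key.

```python
import hashlib
from typing import Optional, Tuple

# All constants below are constructed for this demo; the page gives neither
# Gauss's real salts, its round count, nor its stored validation hashes.
VALIDATION_SALT = b"demo-validation-salt"
KEY_SALT = b"demo-key-salt"
STRETCH_ROUNDS = 10_000  # assumed stretch count, not taken from the page

Pair = Tuple[str, str]  # (directory from PATH, entry name from %PROGRAMFILES%)


def starts_with_non_latin(name: str) -> bool:
    """Step 2 filter: first character outside the Latin blocks (approximation)."""
    return bool(name) and ord(name[0]) > 0x024F  # past Latin Extended-B


def stretched_md5(pair: Pair, salt: bytes, rounds: int = STRETCH_ROUNDS) -> bytes:
    """Salted, iterated MD5 over one (PATH dir, Program Files entry) pair.
    Windows-native UTF-16LE strings assumed; the salt is mixed in every round."""
    digest = (pair[0] + "|" + pair[1]).encode("utf-16-le")
    for _ in range(rounds):
        digest = hashlib.md5(salt + digest).digest()
    return digest


def find_target_pair(path_dirs, pf_entries, known_hash: bytes) -> Optional[Pair]:
    """Step 3: try every pair; return the one whose validation hash matches.
    Because every pair is tried, extra PATH or Program Files entries change nothing."""
    for d in path_dirs:
        for f in pf_entries:
            if starts_with_non_latin(f) and stretched_md5((d, f), VALIDATION_SALT) == known_hash:
                return (d, f)
    return None


def derive_rc4_key(pair: Pair) -> bytes:
    """Re-hash the matching pair under a different salt. The validation hash
    stored in the binary is computed under VALIDATION_SALT, so it reveals
    neither the pair nor this key."""
    return stretched_md5(pair, KEY_SALT)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# --- constructed scenario: what the binary would carry -----------------------
TARGET_PAIR: Pair = (r"T:\Repository\bin", "\u0628\u0631\u0646\u0627\u0645\u062c")
KNOWN_HASH = stretched_md5(TARGET_PAIR, VALIDATION_SALT)  # stored, known to everybody
PLAINTEXT = b"constructed payload bytes"                  # never stored in clear
ENCRYPTED_PAYLOAD = rc4(derive_rc4_key(TARGET_PAIR), PLAINTEXT)


def attempt_decrypt(path_dirs, pf_entries) -> Optional[bytes]:
    """What the loader does on a given machine: validate, then derive the key."""
    pair = find_target_pair(path_dirs, pf_entries, KNOWN_HASH)
    if pair is None:
        return None  # not the target: the key is never even computed
    return rc4(derive_rc4_key(pair), ENCRYPTED_PAYLOAD)


if __name__ == "__main__":
    print("ordinary machine:",
          attempt_decrypt([r"C:\Windows\system32"], ["Common Files", "\u0645\u0644\u0641"]))
    print("target machine:",
          attempt_decrypt([r"C:\Windows\system32", r"T:\Repository\bin"],
                          ["Common Files", "\u0628\u0631\u0646\u0627\u0645\u062c"]))
```

Only the first call returns None; an analyst holding the binary has KNOWN_HASH and ENCRYPTED_PAYLOAD but, without the pair, neither the key nor anything derivable from the validation hash.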
Re:From the Article (Score:4, Interesting)
it will be very difficult to break this unless the targeted party comes forth.
Difficult to break it legally, you mean... All you need do is release a new virus/worm that only does the first hash step, then if by some miracle a match is found the victim gets a popup "You won, to collect your winnings please contact contest@nsa.gov" or whatever.
As sort of a running joke / meme I can imagine black hats doing this purely for fun. The IRC channel for the botnet gets spammed with the PATH and PROGRAMFILES once it finds a match.
Might also make a hilarious "antivirus update" as part of perfectly legit anti-virus suites. Run this test to see if you're vulnerable to the "whatever it's called" targeted worm.
set of programs have to match (Score:2)
I'm assuming that the set of program names has to match; it's not sufficient for the system to contain a single program of interest. So then you have to look at all the possible subsets of the programs available... a much larger space.
Re: (Score:2)
How large is the universe of non-publicly available Windows programs not named in Latin characters? Infinite.
Re: (Score:2)
Usually, program names, even in non-English languages, are non-random, so this does reduce the search space.
Easy to defend against (Score:2)
This would be trivial to defend against. Simply add an empty directory (starting with a non-latin-alphabet character) to Program Files, or to the PATH variable. However, if this targets the control computers of industrial machines (as it most certainly does) then all of that is probably static and locked down.
I'm slightly surprised that the signature involves non-latin directory names for programs. Stuxnet targeted Siemens equipment, and it is very, very likely that the directory names their control softw
Re: (Score:2)
It's a follow-up attack. The target has already been seen (though perhaps indirectly) in the past by the attacker. Perhaps the target was already running some malware which has been (inadvertently?) disabled, and the attacker is trying to update it, or fetch some data that it collected.
I've already significantly narrowed down who the target is, from RTFAing. It looks like the
Minimizing options (Score:2)
Re: (Score:2)
3) Hash every pair from the previous two lists with MD5 and check against a known hash
So, distribute a tiny program (as source, so as not to cause suspicion) that hashes each name and checks for a match. If found, pop up a message that says 'You might be a target.'
Once a group of potential targets have been identified (and now we know what they are looking for) crack the payload.
Re: (Score:2)
Once it knows it has the correct configuration, it rehashes that pair with a different salt to get an RC4 encryption key which unlocks the payload.
I'm old, lazy and patient. This is where I would start, not by finding the correct combinations of inputs, but brute forcing the MD5, or trying to pull out bits of the symmetric stream cipher via known plaintext attack -- It's encrypted machine code, it's going to have machine code in the payload.
If I actually gave a damn I'd set up the algorithm to generate their flavor of salted MD5, then start a Kickstarter to get it on Amazon's compute, and also distribute CPU and GPU versions and job/batch assignme
Re: (Score:2)
Due to the entropy loss in MD5, the algorithm itself adds characteristics to the output data. Some of these characteristics are compounded in iterative key stretching. Thus it's actually faster to do the key stretching to find the key than building a rainbow table for the last iteration -- the stretching itself helps build the characteristics that lead to hash collisions.
We're not trying to find collisions here, we are trying to find a preimage. As far as I know there are only theoretical attacks against MD5 that can do that (reduce complexity from 2^128 to 2^123). All the collision attacks (chosen-prefix and chosen-suffix) are attacks on a plaintext-ciphertext pair.
I'm old, lazy and patient. This is where I would start, not by finding the correct combinations of inputs, but brute forcing the MD5, or trying to pull out bits of the symmetric stream cipher via known plaintext attack -- It's encrypted machine code, it's going to have machine code in the payload.
Getting a few bits of the keystream is not helpful as all attacks on RC4 require either a large amount of the keystream or a number of messages encrypted with related keys. Even brute-forcing the hash in th
Re: (Score:2)
Surely this novel method of encrypting data has been patented, can't we discover the culprits from the patent filing?
what happens if the user installs a new program? (Score:2)
Seems like the payload is not only for a specific machine, but it has a limited window of time in order to work. Unless it knows it is some locked-up industry or government box used by someone who will never install programs, I guess.
Re: (Score:2)
Thanks, I thought it was hashing all programs together.
Warhead? (Score:5, Insightful)
Another aspect of this mystery (Score:2)
Does somebody know whether there is that font ("Palida Narrow") available?
Re:Another aspect of this mystery (Score:5, Informative)
Google it.
Last time I did, it's basically believed to be a vector for detecting infection by simply making a target navigate to a web page that tries to load the font. If it's there, you can tell the PC has the font and (therefore) the infection. If it's not, it just gets substituted and you can tell from the CSS etc. what's happened.
Probably a way for the author to see if their target machine actually ended up getting infected or not.
Re: (Score:2)
Pity. I was hoping that this would be a clever part of a systemic offensive. Like forcing a laser printer to release deadly toner fumes by downloading evil curves of this font. Or making its kerning so bad that the users would collapse with severe headaches.
Judging from the infection vector (i.e. USB sticks), I suspect that the targets are off-line, or at least heavily firewalled. Mind you, the target is most probably some military facility, likely in Iran. I don't think navigating to a non-white-listed web
Re: (Score:2)
Yep. So the countermeasure is for everyone to install a font with that name (Palida Narrow). It's not necessary to install the font itself, just something that will satisfy the CSS request and make it appear their machine has been infected.
Rename a copy of Dingbats. When you get a web page with a string of screwball characters (where you'd expect text), you could assume that this is a site that is probing for the Gauss infection.
Counter-counter measure: Everyone specify this font in their web pages.
Re: (Score:2)
As an evil virus author, I would add another twist: make the plain-text part of the virus install the font (we know it does so). A few moments later, from within the encrypted code, uninstall the font (we have no clue what that code actually does).
Unsuspecting folks would devise infection detectors, which will give nice "false negatives".
Re: (Score:2)
In other words, it is like the little tracking image that spammers put in emails to try to see if you read it.
Re: (Score:2)
The assumption is that it allows detection of the installation of the virus via a web-browser.
http://blog.crysys.hu/2012/08/on-the-palida-narrow-mystery-of-gauss-malware-and-possible-remote-detection/
As the virus seems to be only installed on certain machines with known paths, and those paths can be exposed through Microsoft Office document files, it is possible that whoever targeted this attack had received a MS Office document, that told them who to target. I would not be entirely surprised if the font wa
Naive request? (Score:2)
Of course confirmed world class cryptographers might think twice before showing what they can do, especially if they are hired by national labs to do precisely this.
Kaspersky Lab's request might also be an easy cover to discover new talents in the field.
Program name (Score:3)
Why can't Kaspersky just ask for infected machine? (Score:3)
Couldn't Kaspersky Labs just post a Gauss detection tool or instructions to determine if your computer has been compromised, then just ask people/companies with infected machines to come forward and contact them? I'm sure the people who Gauss is targeting are probably paranoid of CIA and Mossad plots against them, but if they're infected with Gauss, they probably are already a victim of a CIA or Mossad plot to get them. They're already screwed, so it certainly couldn't hurt much more to trust Kaspersky.
Re: (Score:2)
If Kaspersky doesn't know what the "warhead" does, it's going to be very difficult to write a tool (or instructions) to detect it!
easy (Score:2)
Could someone explain (Score:2)
Let me try (Score:4, Interesting)
Elegant solution (Score:2)
if you move the N... (Score:2)
I realize that Palidan should be spelled Paladin, but since "Pali" is a normal shorthand for Paladin, it's not a completely unbelievable mistake. Also Palida sounds more believable for a font name than Paladi.
Anyway, it could be nothing, but it also could be an intentiona
Re:can someone please explain (Score:5, Interesting)
It's a very clever hack indeed. We always think of encryption keys as something that we make up randomly and need to be transmitted... but this isn't even an unusual style of use.
This is kind of like... taking some shared knowledge, using it to make a key, then sending the encrypted data to someone, giving them a riddle only they can solve.
"The key is the date we first met, plus the date you left your first job, plus the name of the restaurant we went to after your mother's funeral".
Except... it's based on system configs. I have to wonder with path elements and program files how well balanced they are between identification of the specific machine(s) they want, against the possibility those configs will change before the payload goes off.
Re:can someone please explain (Score:5, Interesting)
One of my guesses is that both the PATH element and the Program Files item are linked to a single application. That way, as long as the application is installed, the payload would be decryptable. The name check suggests that the application is some in-house project, probably not publicly released.
But maybe the "trigger" is an application in certain environment. Then the Program File would determine application presence. Then the expected item of PATH could refer to some network share, mapped disk, e.g. T:\Repository\bin. Such combination would be pretty unique and therefore an ideal "trigger", IMHO.
Re: (Score:3)
That would make a lot of sense. Of course... while we are speculating... how's this one...
Perhaps there is no payload. The real action is the moles at Kaspersky....
"Nope we haven't found it yet.... we have even asked the internet for help. Are you SURE there aren't any more program names/file paths we should be checking against?"
I would count that as unlikely, given the sophistication, but it's a possibility.
The really neat thing here is that.... the payload could have already gone off. Unless someon
Re: (Score:2)
You might just be clever yourself, y'know.
Re:can someone please explain (Score:5, Informative)
The program doesn't have the key, the target computer does! When it runs, it collects various information about the computer's configuration and uses that to generate a possible key. It tries to decrypt its payload with that, and if the decryption works, the payload runs. If the decryption doesn't, then the key was wrong, and it's not the target computer, and the payload doesn't run.
It's a very clever approach, and depending on how specific the target configuration is, we may never see the decrypted payload in the public world.
Re: (Score:3)
I think the answer is in the summary.
Don't quote me on this, but judging from what the summary is saying, the key is derived from a piece or combination of information on the host machine. That is, the key itself could be derived from for example, the currently logged in user, combined with their MAC address, combined with some identifier from the motherboard or whatever.
As such yes, the computer has the key, but you need to know what computer. Presumably you can figure out what the malware is building the
Re: (Score:2)
I think the answer is, that the payload is a command and control utility.
That way, the people who deployed it can use it at any / from any location, which is infected.
It could be used to escalate privileges on the local computer or many more useful things, and would reduce the need to be tied.
Sure similar things have been achieved in different ways, this is just speculation
Re: (Score:2)
Sounds like an inside job to me.
Re: (Score:2)
Not necessarily. As I say some information is external, and knowable without knowledge of the system - i.e. my example of an e-mail address stored for a configuration of Outlook.
You can often tell if somewhere is running exchange simply by connecting to the mail server, and if the e-mail address is known then as I say you could simply build the key to read the local installation settings of an Outlook install to see if it's configured locally for that account, and if it is, you likely have that account's co
Re:Why ask cryptographers when the key is in there (Score:5, Informative)
No, the key isn't in there. The algorithm to generate the key from specific information on the host system is in there, but the key can only be correctly generated from the host system having the right information for which the algorithm can properly derive the correct key.
Re: (Score:2)
The examiners can and will know what system the code was taken from, and can collect any parameters from that system that are needed.
No, they can't. They don't know what machines the payload code runs on, and if the target (as is very very likely) was a government system somewhere in the Arab world, they probably never will. In other words, they have no clue what the parameters are for decrypting the payload: if they did, they wouldn't need to issue this challenge, which BTW isn't a brute-force, it's more like a distributed dictionary attack (testing various parameters that might be the target). They found the malware with encrypted payl
Re: (Score:2)
The key is not in there. It's generated dynamically, based on information pulled from local computer's configuration. The key generating algorithm isn't obfuscated, but it will only generate the correct key on the target computer (or one very similar).
The only way this will be cracked will be by finding a computer with a sufficiently similar configuration (unlikely), or by a herculean feat of cryptanalysis (incredibly unlikely).
Wrong. (Score:3)
You didn't read carefully. The key is on the target machine and is not part of the attack software.
Dumb old way to do this:
1) Check for certain system configurations.
2) Use some key in the malware to decrypt and run the payload.
New hot way to do this:
1) Use some combination of system configuration to decrypt the payload
2) If that worked, run it.
See that? it hides both the d
Re: (Score:2)
Load the code in a hardware virtualization monitoring environment with an emulated CPU clock and let it run. Analyse the code execution and discover the branches not taken and then force it to take each branch the next time around, and watch/trace what it does. If you find anti-debugging protections along that path then you are probably on the right track to recover the key. There is no singular trick in their little-black-bag-of-tricks that can't be worked around. Be persistent and the key will be recovered, and a lot sooner than trying to brute-force decrypt the payload without the key.
It's guys like you being involved in security that makes people like the NSA get all warm and fuzzy.
Do you really think you're smarter than people at Kaspersky? Or whatever shadowy group created the payload? I'm sure on the offence or defence side of things, no one has ever thought about debuggers.
Really?
Re:Why ask cryptographers when the key is in there (Score:5, Insightful)
Not to mention that reverse engineering isn't something most people think about or specialize in.
Nope, not something people think about... not so much. Except Kaspersky. Yeah, Kaspersky Labs - that's pretty much what they think about and specialize in. Reverse engineering malware and viruses, that is. That's pretty much exactly what their core expertise involves. So maybe suggesting that they use reverse engineering is a little silly. Particularly when the accompanying article states that they reverse engineered the program and gives details as to exactly what it is doing based on this reverse engineering.
Let's see, who are we talking about anyway? Hmm... Eugene Kaspersky is the top guy over there. It seems he was involved with building AVP back in the early 90's before founding Kaspersky Labs in the late 90's. He also "graduated from the Institute of Cryptography, Telecommunications and Computer Science, where he studied mathematics, cryptography and computer technology, majoring in mathematical engineering." - so he's got the training. Yup, I'd say advising this guy that executing the code in a virtualized environment might solve his problem just might be enough to make you look a tiny bit ridiculous.
Re: (Score:2)
The problem as I see it is to figure out how to exercise the code that unlocks the key used to decrypt the payload. Brute force to crack the payload is going about it the hard way. When dealing with criminals, never play by their rules.
The reason the payload exists is so that it can be decrypted and used. Both the algorithm and the key are in there somewhere. The problem is discovering under what conditions it is exercised and halt the process after the decryption but before the key is removed from memory. Timing is the key to success.
Load the code in a hardware virtualization monitoring environment with an emulated CPU clock and let it run. Analyse the code execution and discover the branches not taken and then force it to take each branch the next time around, and watch/trace what it does. If you find anti-debugging protections along that path then you are probably on the right track to recover the key. There is no singular trick in their little-black-bag-of-tricks that can't be worked around. Be persistent and the key will be recovered, and a lot sooner than trying to brute-force decrypt the payload without the key.
The algorithm can be known and it still does not make it easier to decrypt; the key does not have to be known by the program, rather it is used to decrypt the actual code. There are two parts to the code, the encrypted and the unencrypted; the unencrypted will use certain settings on the target computer that are unique as the key. The program then decrypts the encrypted part of the program, verifies that the decryption was successful using a hash function and comparing it to a different section of the encrypted data,
Re: (Score:2)
Do you always rave about completely unrelated crap? That doesn't apply to this case as not just the article but the summary explain.
Re: (Score:3)
Never overlook the obvious. Want to piss off a small security team? Put a small sample of /dev/urandom into a binary blob and release it. They'll spend all their time trying to decrypt that white noise source and never notice the Really Interesting thing nearby it.
That doesn't even make sense. You're suggesting that the author, instead of actually encrypting the payload, is only pretending to, to distract attention from a different unencrypted portion elsewhere? That makes about as much sense as a 'the moon landing was a hoax' conspiracy theory.
Re: (Score:2)
Well, it does make sense, but only if your serious attack was via a different virus, or via social engineering or some such. I.e., it makes sense, but it's not plausible. Which, of course, would make it a better attack. But if you're going to do this kind of attack, you need to make sure your "fake attack" vector is discovered, while appearing to try to hide. Not all that simple.
Re: (Score:2)
Perhaps the security team KNOWS this. And perhaps the authors knew that they would know that.
Reminds me of a scenario played out in a movie. "Clearly, I cannot drink from the cup in front of you."
Re: (Score:2)
Obviously, you haven't read the original article here [securelist.com].
Just embedding a binary blob doesn't help. Having a complex routine to decrypt it, verify the extracted data, and run it if verification succeeds is another story.
Though, arguably, you CAN put such a loader and throw in random data just for trolling.
Re: (Score:2)
Though, arguably, you CAN put such a loader and throw in random data just for trolling.
Exactly.
Re: (Score:2)
I could be confused about what you are suggesting, maybe you coul
Re: (Score:2)
Ha! First thing I did after opening this page was search for the word "Ovaltine".
Re:sure, give Iran free tech support (Score:5, Interesting)
Since Iran does not have a nuclear weapons program - as concluded by both US and Israeli intelligence agencies (as opposed to their corrupt politicians) - and has every legal right to have its existing nuclear energy program - including full enrichment rights, even to 20% levels - which is fully under supervision by the IAEA, any attempt to attack its program is illegal.
For those seeking the real facts, as opposed to the propaganda crap put out by Fox News, The Washington Post, and the New York Times, go to www.antiwar.com, www.raceforiran.com, www.asiatimes.com and www.campaigniran.com.
In any event, the Gauss malware appears to be targeting Lebanon and not Iran. Some have suggested that it is targeted at Lebanese banks which might be handling financial transactions by Hizballah, the Shia national resistance movement in Lebanon. If so, this is likely in preparation for the upcoming Israeli attack on Lebanon, which is scheduled to occur during the upcoming US/NATO/Turkey attack on Syria.
Allow me to explain the purpose of the Syrian crisis...
Back in 2006, Bush and Cheney were pushing for Israel to attack Iran. However, Israeli leaders balked because they believed that attacking Iran would result in Iranian, Syrian AND Hizballah missiles raining down on Israel, causing Israelis to hide in bomb shelters for most of every day, damaging the economy, and possibly causing the electorate to vote out the leaders in the next election.
In short, Israel wanted a "cheap" Iran war where they only had to deal with a couple hundred missiles from Iran (if that, once the US air strikes had taken out most of Iran's missiles or where Iran had used most of its missiles on US assets in the region.)
So Israel decided with US blessing to attack Hizballah in Lebanon, hoping to force them far enough north that their (at that time limited-range) missiles would be ineffective in an Iran war. As we know, Israel failed miserably due to Hizballah's superior preparation.
At that point, Middle East expert Colonel Pat Lang pointed out that the only way Israel could take out Hizballah in southern Lebanon would be to attack Hizballah in the Bekaa Valley, which provides Hizballah with "defense in depth".
To do this, however, would require Israeli forces to enter Syrian territory and engage Syrian forces. Not that Israel couldn't do this, but it would result in Israeli forces facing Hizballah guerrilla war in their front while the remnants of Syria's forces engaged in guerrilla war in Israel's rear - not a good position to be in if you want to minimize casualties and get Israeli electorate support.
BUT... IF Syria were ALREADY under attack by the US/NATO/Turkey air strikes for "humanitarian reasons", that would make such an attack feasible because large concentrations of Syrian forces would be suppressed by air strikes.
And this is why Syria is where it is today. And this is what will happen:
1) The US and NATO and Turkey will find a way to bypass the lack of UNSC Resolution authorization and will attack Syria before the end of this year.
2) In the course of that war, Israel - using the excuse that Syrian weapons are being sent to Hizballah (already floated in the Israeli press as an excuse that Israel "will have to" attack Syria and Lebanon) - will send one armored division into Syria to protect a second armored division which will proceed up the Lebanese/Syrian border and then turn into the Bekaa Valley, while a third armored division attacks Southern Lebanon as before, in a classic "pincer movement".
3) IF Israel succeeds in damaging Hizballah enough (which I am not sure is feasible but Israel has to try) and IF the US and NATO can damage enough of Syria's missile inventory, then in the next year or so Israel and/or the US will attack Iran.
The ENTIRE purpose of the Syrian crisis is to remove Syria and Hizballah as effective actors in an Iran war, and thus to enable the Iran war to proceed.