Encryption

Researchers Seek Help Cracking Gauss Mystery Payload

An anonymous reader writes "Researchers at Kaspersky Lab are asking the public for help in cracking an encrypted warhead that gets delivered to infected machines by the recently discovered Gauss malware toolkit. They're publishing encrypted sections and hashes in the hope that cryptographers will be able to help them out." Adds reader DavidGilbert99: "The so-called Godel module is targeting a specific machine with specific system configurations, and Kaspersky believes the victim is likely a high-profile target. The decryption key, Kaspersky believes, will be derived from these specific system configurations, and so far it has been unable to find out what they are."
  • by crazyjj ( 2598719 ) * on Tuesday August 14, 2012 @09:05AM (#40984047)

    What did you guys put in it, again?

    • by Anonymous Coward on Tuesday August 14, 2012 @09:12AM (#40984129)

      And notice they're only giving out pieces, so nobody knows what they're working on. Nice way to keep secrets while exploiting cheap labor from "the crowd".

  • by cvtan ( 752695 ) on Tuesday August 14, 2012 @09:19AM (#40984243)
    If the DOJ and NSA can't get into an Apple iPhone, what chance is there of cracking this?
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Pfft. You actually believed that story about the iPhone?

  • Degauss? (Score:3, Funny)

    by MatrixCubed ( 583402 ) on Tuesday August 14, 2012 @09:19AM (#40984245) Homepage
    Clever of the tech world, to obsolete CRT monitors. Perhaps shaking one's head rapidly from side to side would help solve this mystery.
  • by MasterOfGoingFaster ( 922862 ) on Tuesday August 14, 2012 @09:23AM (#40984293) Homepage

    I just ran the code and something about my system is causing it to decrypt, and it appears be tr***CARRIER LOST***

    • I just ran the code and something about my system is causing it to decrypt, and it appears be tr***CARRIER LOST***

      You shouldn't have set your PATH to /iran/fission/uranium/centrifuge, then.

  • From the Article (Score:5, Informative)

    by cryptizard ( 2629853 ) on Tuesday August 14, 2012 @09:35AM (#40984461)
    According to Kaspersky, the way it works is:

    1) Enumerate all directories in the computer's PATH variable
    2) Enumerate all files in the %PROGRAMFILES% directory whose file name starts with a non-Latin-alphabet Unicode character (i.e. Arabic)
    3) Hash every pair from the previous two lists with MD5 and check against a known hash

    If the hashes match, then it has found the correct configuration. This means it is looking for a computer with a specific directory or file in the %PROGRAMFILES% directory, in combination with a specific directory in its path variable. This hash is salted and stretched so they obviously knew what they were doing.

    Once it knows it has the correct configuration, it rehashes that pair with a different salt to get an RC4 encryption key which unlocks the payload. Different salts are used in the validation and decryption stages so that the validation hash (which is stored in the binary and known to everybody) does not give any information about the target configuration or the encryption key. Given the number of possible combinations of known files that could be in %PROGRAMFILES% and directories that could be in %PATH%, combined with the fact that the target configuration is likely one that is not publicly known, it will be very difficult to break this unless the targeted party comes forth.
    • Re:From the Article (Score:4, Interesting)

      by vlm ( 69642 ) on Tuesday August 14, 2012 @09:44AM (#40984567)

      it will be very difficult to break this unless the targeted party comes forth.

      Difficult to break it legally, you mean... All you need do is release a new virus/worm that only does the first hash step, then if by some miracle a match is found the victim gets a popup "You won, to collect your winnings please contact contest@nsa.gov" or whatever.

      As sort of a running joke / meme I can imagine black hats doing this purely for fun. The IRC channel for the bot net gets spammed with the PATH and PROGRAMFILES once it finds a match.

      Might also make a hilarious "antivirus update" as part of perfectly legit anti-virus suites. Run this test to see if you're vulnerable to the "whatever its called" targeted worm.

    • by medcalf ( 68293 ) on Tuesday August 14, 2012 @10:05AM (#40984851) Homepage
      How large is the universe of Windows programs not named in Latin characters? I have to think it's in the low millions at most, and probably less than that. Maybe the way to do this is to try the paths and filenames of those programs, and see if you get a match. As a first try at reducing the things you have to check, you could eliminate anything widely used, since this is likely targeted at a rare configuration. I'd start by looking at SCADA control programs, personally, because there's a good chance that this is targeted at industrial control systems, based on the last few weaponized software bits that have been found (stuxnet, et al).
      • Re:From the Article (Score:4, Interesting)

        by cryptizard ( 2629853 ) on Tuesday August 14, 2012 @10:31AM (#40985119)
        The problem is that the specific program they are targeting is likely not known publicly. It could be a secret program developed by another country, which our intelligence services happen to know about through espionage but the public sector would not.
      • I'm assuming that the set of program names has to match; it's not sufficient for the system to contain a single program of interest. So then you have to look at all the possible subsets of the programs available...a much larger space.

      • How large is the universe of non-publicly available Windows programs not named in Latin characters? Infinite.

        • by medcalf ( 68293 )
          Clearly wrong, as there are not an infinite number of programs, period. For that matter, there are not an infinite number of names for programs, because there are a limited set of characters for those names and there are limitations on the maximum length of those names. The set may be quite large, certainly is theoretically quite large, but it is neither practically nor theoretically infinite.
    • This would be trivial to defend against. Simply add an empty directory (starting with a non-latin-alphabet character) to Program Files, or to the PATH variable. However, if this targets the control computers of industrial machines (as it most certainly does) then all of that is probably static and locked down.

      I'm slightly surprised that the signature involves non-latin directory names for programs. Stuxnet targeted Siemens equipment, and it is very, very likely that the directory names their control softw

      • by Sloppy ( 14984 )

        The next question is how did the author know *exactly* what the PATH and program files folders are configured on the target machine.

        It's a follow-up attack. The target has already been seen (though perhaps indirectly) in the past by the attacker. Perhaps the target was already running some malware which has been (inadvertently?) disabled, and the attacker is trying to update it, or fetch some data that it collected.

        I've already significantly narrowed down who the target is, from RTFAing. It looks like the

    • Don't forget that the installation of a single application could ruin the key. So we are probably searching for a computer that will NOT be regularly updated. I remember that ATMs run Windows. So I expect the target to be some "embedded" device. OR a device in a company where every update is tested for two years before it is allowed be proven ancient.
      • It loops over all path/program pairs so adding will not foil it, only removing or changing the specific one it is looking for.
    • by PPH ( 736903 )

      3) Hash every pair from the previous two lists with MD5 and check against a known hash

      So, distribute a tiny program (as source, so as not to cause suspicion) that hashes each name and checks for a match. If found, pop up a message that says 'You might be a target.'

      Once a group of potential targets have been identified (and now we know what they are looking for) crack the payload.
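
Added example, not part of any comment in this thread and not Kaspersky's or Gauss's code: a sketch of the pair-matching check cryptizard describes and PPH proposes running as a self-test, using the "first character above 0x007A" filter quoted from the article. The salts, round count, target hash, sample machine and the way a pair is joined (plain concatenation, UTF-16LE) are all constructed assumptions, since the thread gives none of them.

```python
import hashlib

# Constructed values: the thread gives no salts, round count or target hash.
VALIDATION_SALT = b"constructed-validation-salt"
KEY_SALT = b"constructed-key-salt"
ROUNDS = 1000

def stretched_md5(pair: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted, iterated MD5 over one PATH-entry/program-name pair."""
    digest = hashlib.md5(pair.encode("utf-16-le") + salt).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + salt).digest()
    return digest

def candidate_names(program_files_entries):
    """Names whose first character is above U+007A ('z')."""
    return [n for n in program_files_entries if n and ord(n[0]) > 0x7A]

def find_match(path_dirs, program_files_entries, target_hash):
    """Return the (path_dir, name) pair matching the validation hash, or None."""
    names = candidate_names(program_files_entries)
    for d in path_dirs:
        for n in names:
            # Joining the pair by plain concatenation is an assumption.
            if stretched_md5(d + n, VALIDATION_SALT) == target_hash:
                return d, n
    return None

# Constructed sample machine and constructed "target" configuration.
ARABIC_NAME = "\u0628\u0631\u0646\u0627\u0645\u062c"
PATH_DIRS = [r"C:\Windows\system32", r"C:\Windows", r"C:\Tools\bin"]
PROGRAM_FILES = ["Common Files", "Internet Explorer", ARABIC_NAME]
TARGET_HASH = stretched_md5(r"C:\Tools\bin" + ARABIC_NAME, VALIDATION_SALT)

if __name__ == "__main__":
    print("match:", find_match(PATH_DIRS, PROGRAM_FILES, TARGET_HASH))
    # Every pair is tried, so extra decoy entries do not hide the match.
    decoys = find_match(PATH_DIRS + [r"C:\Decoy"],
                        PROGRAM_FILES + ["\u0416decoy"], TARGET_HASH)
    print("with decoys:", decoys)
    # Removing the one name the hash was built from does.
    print("name removed:", find_match(PATH_DIRS, PROGRAM_FILES[:2], TARGET_HASH))
    # The same pair under the second salt gives an unrelated value, so the
    # published validation hash says nothing about the derived key.
    key = stretched_md5(r"C:\Tools\bin" + ARABIC_NAME, KEY_SALT)
    print("key differs from validation hash:", key != TARGET_HASH)
```
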

    • Once it knows it has the correct configuration, it rehashes that pair with a different salt to get an RC4 encryption key which unlocks the payload.

      I'm old, lazy and patient. This is where I would start, not by finding the correct combinations of inputs, but brute forcing the MD5, or trying to pull out bits of the symmetric stream cipher via known plaintext attack -- It's encrypted machine code, it's going to have machine code in the payload.

      If I actually gave a damn I'd set up the algorithm to generate their flavor of salted MD5, then start a Kickstarter to get it on Amazon's compute, and also distribute CPU and GPU versions and job/batch assignme

      • Due to the entropy loss in MD5, the algorithm itself adds characteristics to the output data. Some of these characteristics are compounded in iterative key stretching. Thus it's actually faster to do the key stretching to find the key than building a rainbow table for the last iteration -- the stretching itself helps build the characteristics that lead to hash collisions.

        We're not trying to find collisions here, we are trying to find a preimage. As far as I know there are only theoretical attacks against MD5 that can do that (reduce complexity from 2^128 to 2^123). All the collision attacks (chosen-prefix and chosen-suffix) are attacks on a plaintext-ciphertext pair.

        I'm old, lazy and patient. This is where I would start, not by finding the correct combinations of inputs, but brute forcing the MD5, or trying to pull out bits of the symmetric stream cipher via known plaintext attack -- It's encrypted machine code, it's going to have machine code in the payload.

        Getting a few bits of the keystream is not helpful as all attacks on RC4 require either a large amount of the keystream or a number of messages encrypted with related keys. Even brute-forcing the hash in th

    • by pr0nbot ( 313417 )

      it will be very difficult to break this unless the targeted party comes forth

      Surely this novel method of encrypting data has been patented, can't we discover the culprits from the patent filing?

    • seems like the payload is not only for a specific machine, but it has a limited window of time in order to work. unless it knows it is some locked up industry or government box used by someone who will never install programs, i guess

  • Warhead? (Score:5, Insightful)

    by gr8_phk ( 621180 ) on Tuesday August 14, 2012 @09:46AM (#40984607)
    Since when did we start calling a payload a warhead, especially when it hasn't been decrypted?
  • By the way, TFA says that the virus even installs some font. This unusual step confuses me quite a lot. Is it for some kind of "exposed but not obvious" document watermarking? Or is it preparation for some future infection vector? Questions :-(

    Does somebody know whether there is that font ("Palida Narrow") available?

    • by ledow ( 319597 ) on Tuesday August 14, 2012 @10:23AM (#40985051) Homepage

      Google it.

      Last time I did, it's basically believed to be a vector for detecting infection by simply making a target navigate to a web page that tries to load the font. If it's there, you can tell the PC has the font and (therefore) the infection. If it's not, it just gets substituted and you can tell from the CSS etc. what's happened.

      Probably a way for the author to see if their target machine actually ended up getting infected or not.

      • by bolek_b ( 246528 )

        Pity. I was hoping that this would be a clever part of systemic offensive. Like forcing laser printer to release deadly toner fumes by downloading evil curves of this font. Or making its kerning so bad that the users would collapse with severe headaches.

        Judging from the infection vector (i.e. USB sticks), I suspect that the targets are off-line, or at least heavily firewalled. Mind you, the target is most probably some military facility, likely in Iran. I don't think navigating to a non-white-listed web

      • by PPH ( 736903 )

        Yep. So the countermeasure is for everyone to install a font with that name (Palida Narrow). It's not necessary to install the font itself, just something that will satisfy the CSS request and make it appear their machine has been infected.

        Rename a copy of Dingbats. When you get a web page with a string of screwball characters (where you'd expect text), you could assume that this is a site that is probing for the Gauss infection.

        Counter-counter measure: Everyone specify this font in their web pages.

        • by bolek_b ( 246528 )

          As an evil virus author, I would add another twist: make the plain-text part of the virus install the font (we know it does so). Few moments later, from within the encrypted code, uninstall the font (we have no clues what that code actually does).

          Unsuspecting folks would devise infection detectors, which will give nice "false negatives".

      • in other words it is like the little tracking image that spammers put in emails to try to see if you read it.

    • The assumption is that it allows detection of the installation of the virus via a web-browser.

      http://blog.crysys.hu/2012/08/on-the-palida-narrow-mystery-of-gauss-malware-and-possible-remote-detection/ [crysys.hu]

      As the virus seems to be only installed on certain machines with known paths, and those paths can be exposed through Microsoft Office document files, it is possible that whoever targeted this attack had received a MS Office document, that told them who to target. I would not be entirely surprised if the font wa

  • Of course confirmed world class cryptographers might think twice before showing what they can do, especially if they are hired by national labs to do precisely this.

    Kaspersky Lab's request might also be an easy cover to discover new talents in the field.

  • by jones_supa ( 887896 ) on Tuesday August 14, 2012 @10:33AM (#40985141)
    Notice how in the article it says that the code wants to find a program name with the first letter being over 0x007A (Unicode ‘z’). What possibilities could there be?
  • Couldn't Kaspersky Labs just post a Gauss detection tool or instructions to determine if your computer has been compromised, then just ask people/companies with infected machines to come forward and contact them? I'm sure the people who Gauss is targeting are probably paranoid of CIA and Mossad plots against them, but if they're infected with Gauss, they probably are already a victim of a CIA or Mossad plot to get them. They're already screwed, so it certainly couldn't hurt much more to trust Kaspersky.

    • If Kaspersky doesn't know what the "warhead" does, it's going to be very difficult to write a tool (or instructions) to detect it!

  • by fredan ( 54788 )
    hunter2
  • The code that extracts the machine parameters that make up the key has to be non-encrypted, right? Wouldn't that be where to start? I.e. if you know the key is a combination of a path and a MAC address, and you know how they are combined to form the key, then you could reduce the key space by looking at plausible paths/macs?
  • Let me try (Score:4, Interesting)

    by Errol backfiring ( 1280012 ) on Tuesday August 14, 2012 @11:10AM (#40985545) Journal
    I work in a nuclear plant. Shall I try it?
  • I found an elegant solution to the problem, but it doesn't fit in the slashdot comment box.
  • also posted this on one of the topics on securelist but figured it might get more discussion here...has anyone else noticed that if you move the N in the font name, it becomes "Palidan Arrow"? Does that name mean anything to anyone?

    I realize that Palidan should be spelled Paladin, but since "Pali" is a normal shorthand for Paladin, it's not a completely unbelievable mistake. Also Palida sounds more believable for a font name than Paladi.

    Anyway, it could be nothing, but it also could be an intentiona
