August 15, 2012

Kaspersky calls for help over Gauss malware

Researchers cannot crack encrypted warhead, leaving big questions of Gauss' ultimate aim

By Steve Evans

Kaspersky Lab has called on the security industry to help crack part of the Gauss malware that has so far left it stumped.

The Russian security firm revealed details of Gauss last week. The malware is said to target organisations primarily in Lebanon and can, amongst other things, monitor financial information on infected PCs. Kaspersky said Gauss was developed by a nation-state and is related to Flame, Stuxnet and Duqu.

As well as the ability to steal banking, email and social network information and intercept passwords, Gauss also contains what Kaspersky described as, "an unknown, encrypted payload which is activated on certain specific system configurations."

Despite plenty of analysis, the encrypted element is still a mystery to Kaspersky Lab researchers.

Describing the encrypted element as a "warhead," the company said Gauss "contains a module named 'Godel' that features an encrypted payload. The malware tries to decrypt this payload using several strings from the system and, upon success, executes it."

The blog post added that the company has so far been unable to crack the code. The decrypted file arrives on the victim's PC by way of an infected USB. The decryption keys are then "generated dynamically and depends on the features of the victim system, preventing anyone except the designated target(s) from extracting the contents of the sections," Kaspersky added.

The post added that a simple brute-force attack would not help with decryption.


"So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload," Kaspersky added.

The company has released the first 32 bytes of encrypted data and hashes from known variants of the modules and has called on world class cryptographers to help them crack the code. Anyone with any information should contact theflame@kaspersky.com, the company said.
