Kaspersky Lab has called on the security industry to help crack part of the Gauss malware that has so far left it stumped.
The Russian security firm revealed details of Gauss last week. The malware is said to have targeted organisations primarily in Lebanon and can, amongst other things, monitor financial information on infected PCs. Kaspersky said Gauss was developed by a nation-state and is related to Flame, Stuxnet and Duqu.
As well as the ability to steal banking, email and social network information and intercept passwords, Gauss also contains what Kaspersky described as "an unknown, encrypted payload which is activated on certain specific system configurations."
Despite plenty of analysis, the encrypted element is still a mystery to Kaspersky Lab researchers.
Describing the encrypted element as a "warhead," the company said Gauss "contains a module named 'Godel' that features an encrypted payload. The malware tries to decrypt this payload using several strings from the system and, upon success, executes it."
The blog post added that the company has so far been unable to crack the code. The decrypted file arrives on the victim’s PC by way of an infected USB. The decryption key is then "generated dynamically and depends on the features of the victim system, preventing anyone except the designated target(s) from extracting the contents of the sections," Kaspersky added.
The post added that a simple brute-force attack would not help with decryption.
"So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload," Kaspersky added.
The company has released the first 32 bytes of encrypted data and hashes from known variants of the modules, and has called on world-class cryptographers to help it crack the code. Anyone with any information should contact theflame@kaspersky.com, the company said.