Call for help on Gauss highlights new malware era
When is the last time you heard of Kaspersky or others turning to crypto and math experts with a call for help?
By Antone Gonsalves
August 15, 2012 — CSO — Kaspersky Lab is asking for help in unraveling the mysterious payload of Gauss, a task that security experts say would help enterprises determine whether they are potential targets of the highly sophisticated cyber-surveillance virus.
On Tuesday, Kaspersky asked for assistance from cryptographers and mathematicians who could help the security vendor decrypt Gauss' warhead, a module named "Godel." Breaking the payload's code would make it possible to determine what the malware does within an infected system.
"Despite our best efforts, we were unable to break the encryption. So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets," Kaspersky said on its blog. "We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload."
The code to decrypt Gauss is more complex than any Kaspersky usually finds in malware. The company said it had tried millions of combinations without success in trying to find the decryption keys. "If you are a world-class cryptographer or if you can help us with decrypting them, please contact us by e-mail: firstname.lastname@example.org," the company said.
Gauss and its relatives are at the far end of a trend toward more sophisticated malware. For years, security experts have seen malware grow more complex and gain capabilities surpassing expectations.
"In the long term, what you're going to observe is that more malware will become significantly more complex," Huston said. "It's going to be able to reach across different applications and different computing platforms and have a significantly larger impact than we have today."
[See also: Advanced evasion techniques emerge]
Kaspersky discovered Gauss this month in the Middle East. Security experts believe the malware is a descendant of Stuxnet, Flame and Duqu.
The three spying malware are aimed at specific government and industrial targets. Flame was discovered in May in Iran's oil-ministry computers. Like Flame, Duqu, discovered in October 2011, is related to Stuxnet, which is believed to have damaged control systems within Iranian nuclear facilities in 2010. Duqu used similar code, but was built to steal information.
The New York Times reported in June that Stuxnet was part of a U.S. and Israeli intelligence operation.
Security experts have garnered enough information from Gauss to create signatures for antivirus software and intrusion protection systems (IPS). Therefore, the defense mechanisms are the same as with any other known malware. "Enterprises must have up-to-date antivirus at the endpoint, some type of [antivirus] at the gateway, either network or email, or, if possible, both," said Charles Kolodgy, an analyst for IDC. In addition, he recommended the use of an IPS to identify abnormal traffic within the network.
The value of understanding Gauss' payload is in learning the components targeted after the malware plants itself in a system. "Until we can decrypt or observe that payload in execution, we really don't know what happens after the initial stage of infection," said Brent Huston, chief executive of MicroSolved, a provider of security assessments and penetration testing.
Once that information is made available to chief security officers, they can determine whether their company is a potential target, Huston said. "It keeps you from spending a bunch of resources, if you don't have to."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.