In August, Kaspersky Lab started an initiative to get the public’s help in cracking the encryption used in the payload of the Gauss malware. On Friday, the Hashcat project lent their resources to the cause by releasing a tool to help crack Gauss’ verification hash.
In August, Kaspersky speculated that Gauss was related to Flame, a family of malware suspected to be developed by a nation state.
Built on the same platform as Flame and sharing module structures, code bases, and means of communication with command and control servers, Gauss was almost certainly created by the same team responsible for Flame, Vitaly Kamluk, head of the Global Research and Analysis Team at Kaspersky Lab, said during a press briefing in August 2012.
Gauss mostly targets users in Lebanon, hijacking data about the infected host and information from the browser, including passwords. Gauss also targets financial information from customers of several Lebanese banks, as well as Citibank and PayPal. This, Kaspersky said, could mean that Gauss is the first publicly known state-sponsored banking Trojan.
“Perhaps the most interesting mystery is Gauss’ encrypted warhead. Gauss contains a module named ‘Godel’ that features an encrypted payload. The malware tries to decrypt this payload using several strings from the system and, upon success, executes it. Despite our best efforts, we were unable to break the encryption,” a Kaspersky researcher wrote at the time.
In August, along with its call for help, Kaspersky Lab provided the first 32 bytes of encrypted data and hashes from known variants of the modules.
“We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload,” the Russian security firm said.
The Hashcat project is helping by releasing a tool that is said to achieve 489,000 crypts per second on an AMD Radeon HD 7970 graphics card, dramatically improving the public’s chances of decrypting the validation key needed to fully unlock Gauss.
According to Hashcat, here’s how the tool works:
• The program waits for any arbitrary input data on stdin. This is your password / path / the unknown key
• It then appends the fixed salt to the input and processes the first MD5 on CPU
• The resulting digest is used as input for the 10k MD5 loops which is done on the GPU
• The hashes are compared on GPU. If they match, the GID which matched is stored in the result buffer. The host program reads the result buffer and, if the hash was cracked, it uses the GID to look up the original plaintext used
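The pipeline described in those four steps (MD5 over input plus a fixed salt, 10,000 further MD5 rounds, then a compare against known hashes and a lookup of the matching plaintext) can be reproduced on the CPU for a handful of candidates. This is an added illustration, not Hashcat's code or Gauss' own routine: the salt is a placeholder because the article does not give the real value, and chaining each round over the previous raw 16-byte digest is an assumption the article does not settle.

```python
import hashlib
from typing import Iterable, Optional, Set

# Placeholder: the real fixed salt used by Gauss is not given in this article.
SALT = b"<fixed-salt-placeholder>"
ROUNDS = 10_000  # the "10k MD5 loops" from the description above


def verification_hash(candidate: bytes, salt: bytes = SALT, rounds: int = ROUNDS) -> str:
    """Hash a candidate the way the checker is described: MD5(candidate + salt)
    first, then `rounds` further MD5 passes. Assumption: each pass hashes the
    previous raw digest, not its hex form. Returns lowercase hex."""
    digest = hashlib.md5(candidate + salt).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest).digest()
    return digest.hex()


def find_match(candidates: Iterable[bytes], known_hashes: Set[str]) -> Optional[bytes]:
    """Return the first candidate whose verification hash is in known_hashes.
    This is the CPU equivalent of the GPU compare step plus the host-side
    GID-to-plaintext lookup."""
    for cand in candidates:
        if verification_hash(cand) in known_hashes:
            return cand  # the plaintext that produced the known hash
    return None


# Constructed sample data: a target hash derived from a made-up path and a
# small candidate list that happens to contain that path.
TARGET_PATH = b"C:\\Program Files\\ExampleApp"  # constructed, not a real Gauss value
KNOWN_HASHES = {verification_hash(TARGET_PATH)}
CANDIDATES = [b"C:\\Windows", b"D:\\Data", TARGET_PATH, b"C:\\Users"]

if __name__ == "__main__":
    print("matched:", find_match(CANDIDATES, KNOWN_HASHES))
```

With a real salt and the published hashes substituted in, the same loop is what the GPU tool parallelises across many thousands of candidates per second.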
If you’re interested in helping Kaspersky, the blog post linked above has more information. The Hashcat files are available here, complete with the source code and pre-compiled Windows binaries.