Researchers at Kaspersky Lab are asking for help peeling back the layers covering a mysterious payload of the Gauss malware.
Speculated to be linked to Flame, Gauss was revealed last week to be the latest piece of cyber-espionage malware targeting the Middle East. Primarily hitting users in Lebanon, Gauss steals data about the infected machine as well as information from browsers, such as the history of visited websites and user passwords. In addition, it targets financial information from clients of several Lebanese banks, as well as Citibank and PayPal – possibly making it the first publicly known state-sponsored banking Trojan, Kaspersky has said.
“Perhaps the most interesting mystery is Gauss’ encrypted warhead,” according to Kaspersky. “Gauss contains a module named “Godel” that features an encrypted payload. The malware tries to decrypt this payload using several strings from the system and, upon success, executes it.”
“Despite our best efforts, we were unable to break the encryption,” the firm said in a blog post. “So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload.”
The encrypted payload hits systems through infected USB sticks. The USB keys have two files with several encrypted sections that are loaded onto target computers using the same LNK vulnerability exploited by Stuxnet. The primary goal of these files is to swipe information about the compromised computer and write it back to a file on the driver known as ‘.thumbs.db’, Kaspersky explained.
Several known versions of the files contain three encrypted sections – .exsdat, .exrdat and .exdat. The files also contain an encrypted resource ‘100’ that appears to be the actual payload. It is believed the section ‘.exsdat’ contains the code for decrypting the resource.
“The decryption key for these sections is generated dynamically and depends on the features of the victim system, preventing anyone except the designated target(s) from extracting the contents of the sections,” the company noted.
According to researchers, the resource section is big enough for Stuxnet-like SCADA attack code.
“We have tried millions of combinations of known names in %PROGRAMFILES% and Path, without success,” the company said. “The check for the first character of the folder in %PROGRAMFILES% indicates that the attackers are looking for a very specific program with the name written in an extended character set, such as Arabic or Hebrew, or one that starts with a special symbol such as “~”.”
“We are providing the first 32 bytes of encrypted data and hashes from known variants of the modules,” the company added. “If you are a world class cryptographer or if you can help us with decrypting them, please contact us by e-mail: [email protected]”