Gauss Payload Content Remains A Mystery

Kaspersky Lab UK: 15 August 2012 (Technical Article)
Kaspersky Lab is inviting cryptographers and mathematicians to solve the Gauss payload encryption keys
Kaspersky Lab recently announced the discovery of Gauss, a complex, nation-state sponsored cyber-espionage toolkit. Gauss contains many info-stealing capabilities, with a specific focus on browser passwords, online banking account credentials, and system configurations of infected machines. Kaspersky Lab’s experts discovered Gauss by identifying the commonalities the malicious program shares with Flame. Since late May 2012, more than 2,500 infections have been recorded by Kaspersky Lab’s cloud-based security system, with the majority of infections found in the Middle East.

Kaspersky Lab experts published a research paper about Gauss that analysed its primary functions and characteristics. It also focused on its architecture, unique modules, communication methods, and infection statistics. However, several mysteries and unanswered questions about Gauss still remain. One of the most intriguing aspects is related to Gauss’s encrypted payload.

The encrypted payload is located in Gauss’s USB data-stealing modules and is designed to surgically target a certain system (or systems) that have a specific program installed. Once an infected USB stick is plugged into a vulnerable computer, the malware is executed and tries to decrypt the payload by creating a key to unlock it. The key is derived from specific system configurations on the machine. For instance, it includes the name of a folder in Program Files whose first character comes from an extended character set such as Arabic or Hebrew. If the malware identifies the appropriate system configurations, it will successfully unlock and execute the payload.
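Because the key depends on a Program Files folder whose first character is non-ASCII, a defender can at least check which hosts in an estate satisfy that precondition. The following is an added example written for this page, not Kaspersky’s code or anything recovered from Gauss: it labels folder names by the Unicode script of their first character (taken from the character’s Unicode name, so Arabic and Hebrew letters are reported as `ARABIC` and `HEBREW`) and can be run over a real `Program Files` directory. The `SAMPLE_NAMES` listing is constructed for illustration.

```python
"""Triage helper: find Program Files entries whose first character is outside ASCII.

Added example (not Kaspersky's or Gauss's code). Gauss derives its payload key from,
among other things, a Program Files folder whose first character comes from an
extended character set such as Arabic or Hebrew. This scans for such names so an
analyst can see which hosts meet that precondition.
"""
import os
import unicodedata
from typing import Dict, Iterable, Optional


def first_char_script(name: str) -> Optional[str]:
    """Return a script label for the first character, or None for ASCII/empty names.

    The label is the first word of the character's Unicode name, e.g.
    'ARABIC LETTER AIN' -> 'ARABIC'. Characters without a Unicode name are
    reported as 'UNKNOWN'.
    """
    if not name:
        return None
    ch = name[0]
    if ord(ch) < 0x80:
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def flag_extended_names(names: Iterable[str]) -> Dict[str, str]:
    """Map each folder name with a non-ASCII first character to its script label."""
    flagged: Dict[str, str] = {}
    for n in names:
        label = first_char_script(n)
        if label is not None:
            flagged[n] = label
    return flagged


def scan_program_files(root: str = r"C:\Program Files") -> Dict[str, str]:
    """Scan a real directory; returns {} if it does not exist (e.g. on non-Windows)."""
    if not os.path.isdir(root):
        return {}
    with os.scandir(root) as entries:
        return flag_extended_names(e.name for e in entries if e.is_dir())


# Constructed sample directory listing (not taken from any real host).
SAMPLE_NAMES = [
    "Microsoft Office",
    "Common Files",
    "\u0639\u0631\u0628\u064a Tools",      # first letter: ARABIC LETTER AIN
    "\u05e2\u05d1\u05e8\u05d9\u05ea App",  # first letter: HEBREW LETTER AYIN
    "\u00d1and\u00fa",                     # non-ASCII Latin letter: flagged, but not Arabic/Hebrew
]

if __name__ == "__main__":
    for name, script in flag_extended_names(SAMPLE_NAMES).items():
        print(f"{script:10s} {name}")
    # On a Windows host this also reports the live Program Files folder.
    for name, script in scan_program_files().items():
        print(f"{script:10s} {name}")
```

The script label is intentionally coarse (any non-ASCII first character is reported, with Arabic and Hebrew distinguishable by name) because the article says “such as Arabic or Hebrew” without fixing the exact character ranges.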

“The purpose and functions of the encrypted payload currently remain a mystery,” said Aleks Gostev, Chief Security Expert at Kaspersky Lab. “The use of cryptography and the precautions the authors have used to hide this payload indicate its targets are high profile. The size of the payload is also a concern. It’s big enough to contain coding that could be used for cyber-sabotage, similar to Stuxnet’s SCADA code. Decrypting the payload will provide a better understanding of its overall objective and the nature of this threat.”

Kaspersky Lab would like to invite anyone with an interest in cryptography, reverse engineering or mathematics to help find the decryption keys and unlock the hidden payload.
© 2012 ProSecurityZone.com