One of the many mysteries around the discovery of the Gauss malware is why the tool installs a new font called Palida Narrow on infected machines. Researchers have been unable to figure out yet what the purpose of the font is, but as its presence on a PC is a good indicator of a Gauss infection, CrySyS Lab and Kaspersky Lab today released a tool to detect it.
The detection tool can be found on the Securelist site and also on the CrySyS Lab site. The two main questions surrounding Gauss are why Palida Narrow is installed and what’s inside the encrypted payload that Gauss installs on infected machines. While it may be some time before the contents of the payload are known, researchers have a number of theories about why the font is installed on newly infected machines.
Perhaps the most intriguing of these theories is that Palida Narrow is being used as a kind of brand to mark infected PCs for the command-and-control servers.
“A third, and more probable idea is that Palida installation can be in fact detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages. We tell you how. If you open a web page, it can contain a CSS style sheet link, that actually tells your browser how the text blocks should look like on the web page. This style sheet can in fact include references to font faces to be used. The font face definition can refer to a local font and a URL also (with some limitations) in order to get the necessary font face if it is not installed on your system,” CrySyS Lab said in a blog post.
The other possibility is that the Gauss attackers are simply typeface enthusiasts and were proud of their creation and wanted to share it with the world. The Palida Narrow font apparently was created in 2000, according to data in the headers, and was last modified in December 2011.