Tool Aids in Cracking Mysterious Gauss Malware Encryption

The mystery wrapped inside a riddle that is the Gauss malware’s encryption scheme may be closer to falling. Late last week, researcher Jens Steube, known as Atom, put the wraps on a tool that should bring experts closer to breaking open the encryption surrounding the espionage malware’s payload.

The tool, called oclGaussCrack, accelerates the process of calculating the hash value of Gauss’ known cipher scheme, Steube said.

“If it matches, we know we have used the correct key and we can use it to decrypt the encrypted payload,” Steube said. “This process is very time-consuming since it takes a lot of calculations. It is so many that we cannot simply brute-force the key. We need a targeted attack to crack it.”

Gauss, along with Flame, Wiper, MiniFlame and other malicious code used in state-sponsored espionage campaigns, was one of the most concerning stories of 2012. What separated Gauss from Flame, et al, was its focus on attacking financial services organizations.

Gauss is a banking Trojan targeting Windows machines in the Middle East; it also can infect USB sticks in order to spread to other machines. It steals data such as system and network information, browser cookies, passwords and more. It also installs a custom Palida Narrow font on infected systems, for reasons still unknown, and also includes an encrypted payload that is awakened only on systems configured in certain ways.

Steube’s work focused on cracking the encryption protecting the payload. He told Threatpost the best approach would be to split the problem into two parts: generating plaintext key candidates, and the time-consuming work of hashing each candidate so the result can be compared.

OclGaussCrack is the answer to the second part, he said. The tool has been released under a GPL license and Steube hopes that by doing so he can get help in writing a program for candidate generation. Version 1.1 has been released and includes Windows binaries; it significantly speeds up the hashing work, carrying out 489,000 calculations per second on an AMD Radeon HD 7970 card, more than 30 times faster than an AMD FX 8120 CPU, researchers at Kaspersky Lab said.

Steube gave the research community interested in generating candidate keys a couple of jumping-off points: the key starts with a path from the PATH environment variable; appended to this, with no separator, is a substring taken from a directory listing of %PROGRAMFILES%.

“I find it interesting that there is no backslash appended to the path before the second substring is added. This might be because it is assumed the string from the first fetch already contains one at the end,” Steube said. “It is possible the second substring contains a company name or a product name since this is what we usually see when listing %PROGRAMFILES%. You should be able to write a program to generate candidates with this information. Then just pipe your candidates to oclGaussCrack.”

Steube is the creator of the oclHashcat password-recovery tool.

Gauss emerged in August and immediately, researchers saw links to Flame and Stuxnet in its code. The malware was found on thousands of machines, most of those in Lebanon. It has a similar architecture to Flame, despite its bent toward stealing banking credentials. It’s also able to infect USB drives with data-stealing malware so that when the infected USB is connected to another PC, the malware runs from the removable drive and collects information from the infected machine—likely in an attempt to target air-gapped networks.

Kaspersky Lab researchers helped in the initial investigation into Gauss and made the connection between Gauss and its predecessors Stuxnet, Duqu and Flame.

“Based on our analysis and the timestamps from the collected malware modules, we believe the Gauss operation started sometime around August-September 2011,” Kaspersky Lab said in August. “This is particularly interesting because around September 2011, the CrySyS Lab in Hungary announced the discovery of Duqu. We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.”
