Tool Aids in Cracking Mysterious Gauss Malware Encryption

The mystery wrapped inside a riddle that is the Gauss malware’s encryption scheme may be closer to falling. Late last week, researcher Jens Steube, known as Atom, put the wraps on a tool that should bring experts closer to breaking open the encryption surrounding the espionage malware’s payload.

GaussThe mystery wrapped inside a riddle that is the Gauss malware’s encryption scheme may be closer to falling. Late last week, researcher Jens Steube, known as Atom, put the wraps on a tool that should bring experts closer to breaking open the encryption surrounding the espionage malware’s payload.

The tool, called oclGaussCrack, accelerates the process of calculating the hash value of Gauss’ known cipher scheme, Steube said.

“If it matches, we know we have used the correct key and we can use it to decrypt the encrypted payload,” Steube said. “This process is very time-consuming since it takes a lot of calculations. It is so many that we cannot simply brute-force the key. We need a targeted attack to crack it.”

Gauss, along with Flame, Wiper, MiniFlame and other malicious code used in state-sponsored espionage campaigns, was one of the most concerning stories of 2012. What separated Gauss from Flame, et al, was its focus on attacking financial services organizations.

Gauss is a banking Trojan targeting Windows machines in the Middle East; it also can infect USB sticks in order to spread to other machines. It steals data such as system and network information, browser cookies, passwords and more. It also installs a custom Palida Narrow font on infected systems, for reasons still unknown, and also includes an encrypted payload that is awakened only on systems configured in certain ways.

Steube’s work focused on cracking the encryption protecting the payload. He told Threatpost the best approach would be to split the problem in two different ways: generating plaintext key candidates, as well as working on the time-consuming work of creating a hash of the candidate to compare the results.

OclGaussCrack is the answer to the second part, he said. The tool has been released under a GPL license and Steube hopes that by doing so he can get help in writing a program for candidate generation. Version 1.1 has been released and includes Windows binaries; it speeds up significantly work on the has carrying out 489,000 calculations per second on an AMD Radeon HD 7970 card, more than 30 times faster than an AMD FX 8120 CPU, researchers at Kaspersky Lab said.

Steube gave the research community interested in generating candidate keys a couple of jumping off points: the key starts with a path from the PATH environment variable; and appended to this, a substring that is taken from a directory listing from %PROGRAMFILES%.

“I find it interesting that there is no backslash appended to the path before the second substring is added. This might be because it is assumed the string from the first fetch already contains one at the end,” Steube said. “It is possible the second substring contains a company name or a
product name since this is what we usually see when listing %PROGRAMFILES%. You should be able to write a program to generate candidates with this information. Then just pipe your candidates to oclGaussCrack.”

Steube is the creator of the oclHashcat password-recovery tool.

Gauss emerged in August and immediately, researchers saw links to Flame and Stuxnet in its code. The malware was found on thousands of machines, most of those in Lebanon. It has a similar architecture to Flame, despite its bent toward stealing banking credentials. It’s also able to infect USB drives with data-stealing malware so that when the infected USB is connected to another PC, the malware runs from the removable drive and collects information from the infected machine—likely in an attempt to target air-gapped networks.

Kaspersky Lab researchers helped in the initial investigation into Gauss and made the connection between Gauss and its predecessors Stuxnet, Duqu and Flame.

“Based on our analysis and the timestamps from the collected malware modules, we believe the Gauss operation started sometime around August-September 2011,” Kaspersky Lab said in August. “This is particularly interesting because around September 2011, the CrySyS Lab in Hungary announced the discovery of Duqu. We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.”

Suggested articles

Bots, Zeus, Web Exploits: the Most Potent Threats of 2012

Every year it seems that security-related news advances further from its roots in national security circles, IT departments, and the antivirus industry into the mainstream consciousness. From July to the end of year was no exception. However, despite a handful of flashy security stories, F-Secure claims that the second half of 2012 was really about things that rarely (if ever) come up in local and national news: botnets, ZeroAccess in particular, Java and other Web exploits, and the ubiquitous Zeus banking Trojan.

Attackers to Exploit Search Personalization, Supply Chains

Information systems and algorithms designed to personalize online search results will give attackers the ability to influence the information available to their victims in the coming years. Researchers, in turn, must seek ways to fortify these systems against malicious manipulation, according to the Emerging Cyber Threats Report 2013 [PDF], a report released ahead of yesterday’s Georgia Tech Cyber Security Summit 2012.

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.