Kaspersky seeks help in cracking the Gauss trojan
Posted on: 08/14/2012 04:16 PM
[
Comments
]
Security researchers at Kaspersky Lab are looking to the cryptography community for help in deciphering the Gauss trojan. Despite their best efforts, the researchers have so far been unable to crack an encrypted payload in the trojan's "Godel" module; they hope that members of the cryptology and mathematics communities will be able to extract the hidden payload.
The Gauss trojan spreads via USB drives and infects systems using the well-known LNK exploit. These infected drives include two files "System32.dat" and "System32.bin" which are 32- and 64-bit versions of the same code which includes several encrypted sections. Once executed, the trojan first gathers information about the victim's system including running processes, drives and network shares, and save them to another file on the drive named ".thumbs.db", after which other modules are launched.
According to Kaspersky, the malware then tries to decrypt another module using several strings from the system. This payload is intended to run on a specific system; it will only be executed if the strings are found. The researchers at Kaspersky can only speculate as to what this module does until they can crack it: "We have tried millions of combinations of known names in %PROGRAMFILES% and Path, without success." The team say that the trojan appears to be looking for a very specific application that has a name that starts with a special symbol like "~" or is written in an extended character set such as Arabic or Hebrew.
The resource section of the payload is, the researchers say, large enough "to contain a Stuxnet-like SCADA targeted attack code". They also go on to note that all of the security precautions taken by the authors of the trojan seem to indicate that the trojan is after a high-profile target.
Those interested in helping to crack the trojan's payload can find further information, including sample and source data, in a post on Kaspersky's Securelist blog.
The Gauss trojan spreads via USB drives and infects systems using the well-known LNK exploit. These infected drives include two files "System32.dat" and "System32.bin" which are 32- and 64-bit versions of the same code which includes several encrypted sections. Once executed, the trojan first gathers information about the victim's system including running processes, drives and network shares, and save them to another file on the drive named ".thumbs.db", after which other modules are launched.
According to Kaspersky, the malware then tries to decrypt another module using several strings from the system. This payload is intended to run on a specific system; it will only be executed if the strings are found. The researchers at Kaspersky can only speculate as to what this module does until they can crack it: "We have tried millions of combinations of known names in %PROGRAMFILES% and Path, without success." The team say that the trojan appears to be looking for a very specific application that has a name that starts with a special symbol like "~" or is written in an extended character set such as Arabic or Hebrew.
The resource section of the payload is, the researchers say, large enough "to contain a Stuxnet-like SCADA targeted attack code". They also go on to note that all of the security precautions taken by the authors of the trojan seem to indicate that the trojan is after a high-profile target.
Those interested in helping to crack the trojan's payload can find further information, including sample and source data, in a post on Kaspersky's Securelist blog.
Comments
