Researchers Seek Help Cracking Gauss Mystery Payload

An anonymous reader writes "Researchers at Kaspersky Lab are asking the public for help in cracking an encrypted warhead that gets delivered to infected machines by the recently discovered Gauss malware toolkit. They're publishing encrypted sections and hashes in the hope that cryptographers will be able to help them out." Adds reader DavidGilbert99: "The so-called Godel module is targeting a specific machine with specific system configurations, and Kaspersky believes the victim is likely a high-profile target. The decryption key, Kaspersky believes, will be derived from these specific system configurations, and so far it has been unable to find out what they are."

Geez, just ask the NSA

[crazyjj]

What did you guys put in it, again?

Re:Geez, just ask the NSA

And notice they're only giving out pieces, no nobody knows what they're working on. Nice way to keep secrets while exploiting cheap labor from "the crowd"

Re:Geez, just ask the NSA

[gmuslera]

If they probably are using a GPL library for decoding/uncompressing, they could be sued to release the code to be compliant with the license.

Re:Geez, just ask the NSA

[jpmorgan]

Probably? Of all people and organizations in the world, I suspect the NSA is the least likely to be relying on GPL'd third party code for their encryption needs.

Re:Geez, just ask the NSA

[tgd]

If they probably are using a GPL library for decoding/uncompressing, they could be sued to release the code to be compliant with the license.

That seems to be a common misconception. That's not how the GPL works. They need to make the code available to their customers on demand. You aren't their customer, you can't demand anything.

Re:Geez, just ask the NSA

[gmuslera]

If you got it, no matter if got activated or not because your machine is not the full target system, then you should be able to demand it (specially if got delivered to you in the way that the maker intended to, is not like you stole it)

Re:Geez, just ask the NSA

We are now.

Re:Geez, just ask the NSA

[tgd]

If you got it, no matter if got activated or not because your machine is not the full target system, then you should be able to demand it (specially if got delivered to you in the way that the maker intended to, is not like you stole it)

Laws, contracts and licenses aren't made of "shoulds"

Re:Geez, just ask the NSA

[jhoegl]

I wonder if they tried "GOD" for the password.
Hey... it worked in hackers.

Re:Geez, just ask the NSA

[chemosh6969]

Consider this. This time they don't want to be as dumb as they were in the past when they let our nation's enemies have all the information they need about the attacks we were doing to them. In this case, once they find out exactly what it's doing and can determine if it's some retarded hacking team that wants to steal CC info or it's something the government's involved in. If it's the latter, there's no need to release info on who's being targeted and other specifics. They were probably also contacted in regards to what happened previously. Some countries feel a need to have some form of national security, regardless of what some bearded basement dweller thinks.

Of course there isn't anything to stop another country that finds code like this to setup something to let IT people do the work for them to tell them exactly what it does. In this case, if things go right, that country can then start setting up fake systems and start feeding bad info through the exploit.

Re:Geez, just ask the NSA

[ceoyoyo]

The GPL v3 contains the word "customer" in only one place, and it precedes "support" and is talking about the period of time you offer customer support for a hardware device.

The requirement is that if you "convey" the code in binary form you must also "convey" the source. Sending it to someone over a network or on, for example, flash drives purposely left in parking lots, would seem to be "conveying" it.

The GPL v2 uses the word "distribute" in the same context, which seems to be functionally identical to "convey" in this context.

Re:Geez, just ask the NSA

the attacks we were doing to them

Its hard to feel like the good guys when "we" are doing all those attacks to "them"

Re:Geez, just ask the NSA

You are probably right, but you do know that Kaspersky Lab is a Russian company and may not agree with you on what constitutes 'Our Nation's Enemies'?

Re:Geez, just ask the NSA

[gstoddart]

Do you seriously believe the NSA would give a flying fig about the GPL?

I'm quite sure they could cite any number of "national security" reasons and tell you to go screw off.

That, of course, presumes you'd get any respond other than "no comment" on your inquiries.

Seriously, playing "what if" about how to force the NSA to disclose code under the GPL is kind of a pointless exercise. You'd be stonewalled to the point of being ignored.

Re:Geez, just ask the NSA

[VortexCortex]

Laws, contracts and licenses aren't made of "shoulds"

Actually, they seem quite musty to me.

Re:Geez, just ask the NSA

[93+Escort+Wagon]

And notice they're only giving out pieces, no nobody knows what they're working on

This pretty much describes how my boss runs most projects...

Re:Geez, just ask the NSA

[chrb]

That seems to be a common misconception. That's not how the GPL works. They need to make the code available to their customers on demand. You aren't their customer, you can't demand anything.

The GPL covers distribution, not "being a customer". If someone uses GPL code in a project, then only the GPL itself gives them a right to re-distribute the derivative product. If the distributor does not comply with the GPL then they do not have a license to redistribute and are guilty of copyright infringement unless they have some alternative license, or copyright law does not apply to them for some reason.

Re:Geez, just ask the NSA

[HiThere]

It might well be GPL, but have you considered that they may well have written it? If you wrote it, you aren't bound by the copyright terms.

(P.S.: I think the feds have exempted themselves from obeying the copyright laws anyway, though I can't remember for sure.)

Re:Geez, just ask the NSA

Executive privilege says fuck off cant sue me anyways so who cares about your hippy GPL

Re:Geez, just ask the NSA

So assuming the NSA were responsible for the code, not knowing whether they ever approved the distribution or whether it was done by an unauthorized party and never being able to prove it either way the whole argument is somewhat of a non-starter.

Re:Geez, just ask the NSA

[HiThere]

Welll...I don't think you're properly considering this in detail (not that it applies to the NSA anyway).

If you use a GPL tool in a project, but don't distribute the tool, then the GPL places NO constraints on you. It only applies if you are distributing SOMEONE ELSE'S GPL CODE. If it's your code, there aren't any constraints. If it's someone else's code, but you aren't distributing it, then there aren't any constraints.

Re:Geez, just ask the NSA

[tftp]

Sending it to someone over a network or on, for example, flash drives purposely left in parking lots, would seem to be "conveying" it.

Possibly so. However then you only need to prove in court that developer A created and left a Flash drive with the software B to be inevitably collected by customer C.

This is necessary because, for example, the developer could simply discard the media with software that was never meant for distribution; you dived into that dumpster and got it. Or perhaps it was not the developer who dropped the Flash disk but a thief who was robbing the office that night.

GPL requires the developer to do certain things if he distributes the binary. However GPL also allows private use of the software without distributing. Internal use in a company is one example. You cannot steal the binary and then go to the court and demand sources. It does matter how you got the binary. If someone compiled a super-special tar and emailed its binary to a wrong address, intending to use it only privately, the recipient cannot demand the sources - even he factually received the binary.

Re:Geez, just ask the NSA

[c++0xFF]

I've heard people call the GPL "viral" ... but this is ridiculous!

Re:Geez, just ask the NSA

[c++0xFF]

Pay particular attention to section 10:

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.

Each infected computer in the chain gets an explicit license to run and propagate the work (a virus can't violate the GPL by spreading itself!), but the original distributor would still be held accountable for providing the source code.

Re:Geez, just ask the NSA

or, try "de" as the password... as in deGauss, like only a few slashdotters are old enough to remember...

Re:Geez, just ask the NSA

[SethJohnson]

This time they don't want to be as dumb as they were in the past when they let our nation's enemies have all the information they need about the attacks we were doing to them. In this case, once they find out exactly what it's doing and can determine if it's some retarded hacking team that wants to steal CC info or it's something the government's involved in.

Hmmm... Checking the Kaspersky website to verify the location of the company headquarters reveals their definition of "our nation's enemies" might not match up with that of chemosh6969's definition.

The companyâ(TM)s headquarters are located in Moscow, Russia, from which it oversees global operations and business development.

This distinction might explain why Kaspersky was responsible for unearthing Stuxnet, while MacAfee, et. al. were pretty silent about it.

Re:Geez, just ask the NSA

[aaronb1138]

I'm reading this on a Sony FW900 you insensitive clod!

Re:Geez, just ask the NSA

[ceoyoyo]

You might get away with that defence, if the program didn't install itself. Since the program is designed to convey itself, you'd have a hard time arguing that you didn't intend anyone to get it.

Re:Geez, just ask the NSA

[RockDoctor]

This distinction might explain why Kaspersky was responsible for unearthing Stuxnet, while MacAfee, et. al. were pretty silent about it.

Way to go - 50 conspiracy theorists have just shot their wads into their cornflakes at having their suspicions confirmed.

Dear God, I've figured it out, but...

It's Cthulhu, he's in our Internet, eating our code!

Beware!

can someone please explain

[v1]

why these things are hard to decrypt? They're computer programs. The computer has to be able to decrypt them to run them. So either the computer has the key, doesn't need the key, or the key is going to be delivered to it later.

So I'm assuming the authors sent the payload and will be activating it later when they send the decryption key? Otherwise, this shouldn't be such a big deal to figure out. There's no reason to need to break the encryption if the key is IN the payload or in the malware shell.

The only time where this sort of thing works is in places like the sat boxes, where they've hardcoded the key in a chip that uses its hardware engine to decrypt data. In that case you have to physically get the key from the chip itself with a purpose-built microscope. But that sort of defense isn't possible with a purely-software thing like this. (I read today that's also what the iphone is doing, and I assume other smart-devices like crackberries)

Re:can someone please explain

[bolek_b]

The trick in this case is that the key is already available at the targeted machine - the virus tries to combine various pairs of %PATH% paths and names from %PROGRAMFILES% and if some combination has an expected checksum, that's the key. To make cryptanalysis a bit more difficult, it seems that the second part of the key is not in plain ASCII. Therefore the "key distribution problem" is nicely solved - if the code runs on targeted system, the key will be easily generated. On any other machine you won't obtain any information about the key.

Re:can someone please explain

The key is derived from the system configuration and environment. When the program runs on the machine with the target configuration the correct key is derived and the payload is decrypted. Nobody knows what the correct configuration is so the payload has yet to be decrypted.

Re:can someone please explain

[jpmorgan]

The program doesn't have the key, the target computer does! When it runs, it collects various information about the computer's configuration and uses that to generate a possible key. It tries to decrypt its payload with that, and if the decryption works, the payload runs. If the decryption doesn't, then the key was wrong, and it's not the target computer, and the payload doesn't run.

It's a very clever approach, and depending on how specific the target configuration is, we may never see the decrypted payload in the public world.

Re:can someone please explain

[Xest]

I think the answer is in the summary.

Don't quote me on this, but judging from what the summary is saying, the key is derived from a piece or combination of information on the host machine. That is, the key itself could be derived from for example, the currently logged in user, combined with their MAC address, combined with some identifier from the motherboard or whatever.

As such yes, the computer has the key, but you need to know what computer. Presumably you can figure out what the malware is building the key from so you know what information it's extracting from it's host and how it's building a candidate key from that, but you can't figure out the actual key unless your system provides it with the information to generate a candidate key that is actually the correct key. It may be that the malware is reading the logged in user's username and using that as a key such that it only decrypts succesfully if the user is logged in as mahmadinejad or whatever.

It's quite clever really, because it means you can make a targetted virus that only unloads the payload if it detects some parameters that you know about the target user or system (i.e. their e-mail address, and that they use Outlook (e.g. read their e-mail address setting for Outlook from the registry)) and remain harmless for everyone else and as is demonstrated here, no one else even if they find the virus will be able to figure out easily what is actually in the payload.

It sounds like a targetted virus has been uncovered, but all clues as to who or what it is targetting are hidden away in the encrypted payload. It'd be nice to know what the malware is using as the key as that narrows it down somewhat i.e. if it's trying to read something from the registry you know it's targetting Windows PCs which narrows it down to 90% of computers, if it also then tries to combine that with whether the system has a specific piece of software installed (like centrifugre control software ;)) then it narrows it down further and so on, but it's still probably a large search space to find the correct target(s).

Re:can someone please explain

RTFA. the key is made up of the target systems configuration, so only a machine with the target configuration will generate the correct decryption key.
Sounds like its time to wind up a few thousand S3 VMs and brute force it.

Re:can someone please explain

Security: something you have, something you know, something you are.

So either the computer has the key, doesn't need the key, or the key is going to be delivered to it later.

Or the computer (i.e. target) *is* the key. From the blurb: "targeting a specific machine with specific system configuration". All you need to do is convert "specific system configuration" settings into a key and voila, your target can decrypt while the rest of the world is none the wiser.

Proudly answered without RTFA'ing.

Re:can someone please explain

Dion't be silly. "State Level DoJ" != NSA.

Just that your "business as usual law enforcement" cannot break the iphone as easy as they need to to include it in their daily business in finding drug dealers does not mean the world's most advanced math-and-crypto-organisation also could not it.

Maybe they can, maybe they can't - but the statement from the DoJ (even if true) is no indicatior at all for either.

Re:can someone please explain

[TheCarp]

Its a very clever hack indeed. We always think of encryption keys as something that we make up randomly and need to be transmitted.... but this isn't even an unusual style of use.

This is kind of like... taking some shared knwoledge, using it to make a key, then sending the encrypted data to someone, giving them a riddle only they can solve.

"The key is the date we first met, plus the date you left your first job, plus the name of the resteraunt we went to after your mothers funeral".

Except...its based on system configs. I have to wonder with path elements and program files how well balanced they are between identification of the specific machine(s) they want, against the possibility those configs will change before the payload goes off.

Re:can someone please explain

[Xiph]

I think the answer is, that the payload is a command and control utility.
That way, the people who deployed it can use it at any / from any location, which is infected.

It could be used to escalate privileges on the local computer or many more useful things, and would reduce the need to be tied.
Sure similar things have been achieved in different ways, this is just speculation

Re:can someone please explain

[bolek_b]

One of my guesses is that both the PATH element and the Program Files item are linked to a single application. That way, as long as the application is installed, the payload would be decryptable. The name check suggests that the application is some in-house project, probably not publicly released.

But maybe the "trigger" is an application in certain environment. Then the Program File would determine application presence. Then the expected item of PATH could refer to some network share, mapped disk, e.g. T:\Repository\bin. Such combination would be pretty unique and therefore an ideal "trigger", IMHO.

Re:can someone please explain

[Dunbal]

You must be new here.

Re:can someone please explain

[TheCarp]

That would make a lot of sense. Of course... while we are speculating... hows this one...

Perhaps there is no payload. The real action is the moles at kaspersky....

"Nope we haven't found it yet.... we have even asked the internet for help. Are you SURE there aren't any more program names/file paths we should be checking against?"

  I would count that as unlikely, given the sophistication, but, its a possibility.

The really neat thing here is that.... the payload could have already gone off. Unless someone figures out the key, the chances of catching it "in the act" is pretty slim.

Re:can someone please explain

[sunking2]

Really? This is what we consider clever now a days? It seems like a rather obvious way to do things to me.

Re:can someone please explain

[CanHasDIY]

Put simply, for the payload to be contingent on a key that is tied to extremely specific information exclusive to the target machine, the attacker therefore must already possess intimate knowledge of said machine, wouldn't they?

Sounds like an inside job to me.

Re:can someone please explain

[putaqpariu]

The key may be a specif hardware driver installed! This would have the benefit of targeting only the intented machines -- lets say the target machine has an industrial controller of some kind -- and also make decryption impossible for those that dont have the correct driver (and cant guess which one is it).

Re:can someone please explain

[VortexCortex]

the virus tries to combine various pairs of %PATH% paths and names from %PROGRAMFILES%

Well then who the fuck cares what the thing does? It's not targeting any systems of any importance. *nix boxen don't use such strings.

Re:can someone please explain

[bolek_b]

If I remember correctly, Stuxnet targeted Windows machines in the first step too. There it infected developer tools and the damage-causing payload did get compiled into programs for those SCADA systems of certain importance. So Windows systems might not have any obvious importance at all, but they play a role of the weakest link surprisingly well.

Re:can someone please explain

[gagol]

What if they discover it's targeting systems in a nuclear facility? We dint know what its target is until we crack it.

Re:can someone please explain

trying c:\programfiles\sunking1 now.

Re:can someone please explain

[Mazda6s]

Just to be safe, I just reloaded Windows. -Bill G.

Re:can someone please explain

[timeOday]

try USER=ahmadinejad

Re:can someone please explain

[Richy_T]

You might just be clever yourself, y'know.

Re:can someone please explain

[Xest]

Not necessarily. As I say some information is external, and knowable without knowledge of the system - i.e. my example of an e-mail address stored for a configuration of Outlook.

You can often tell if somewhere is running exchange simply by connecting to the mail server, and if the e-mail address is known then as I say you could simply build the key to read the local installation settings of an Outlook install to see if it's configured locally for that account, and if it is, you likely have that account's computer.

Also as with my other example, they could be targetting machines with industrial control equipment on like Stuxnet did which narrows down the targets quite a bit, especially if it's narrowed down based on specific configurations. In this respect it could somewhat be an "inside" job though not in the way you're suggesting - it could be that if it's targetted as say Iran, that whoever wrote Stuxnet using the knowledge they gained last time from their previous attack to try and re-attack with this new method. Even if it's not another attack against Iran, you get the idea - if someone has had access before, but lost access, it could be an attempt to use that knowledge to get back in.

It all depends really on what data is being used. If it is stuff like the mac address or other hardware information you may be right. I can think of a number of ways how this sort of attack might be useful though for people who don't have access right now, or may never have even had access to the existing machines.

Re:can someone please explain

Hmmm... I wonder if it is one criminal or cyberwarfare enterprise targeting another one that is using a competing custom malware creation system? Find machines with that "other malware" installed, and this one tries to monitor what they are doing (i.e. stealthily) or wipe it out (search and destroy)?

Re:can someone please explain

Nice way to reply to the wrong post.

Re:can someone please explain

[plover]

Command and control, stealing bank login information, virus propagation, 0-day exploits, and phoning home are already known parts of Gauss. The malware operators can do all this bad stuff already. The real question is "what else is so awful that they had to hide it with such a sophisticated mechanism?"

Cracking might be impossible

[cvtan]

If the DOJ and NSA can't get into an Apple iPhone, what chance is there of cracking this?

Re:Cracking might be impossible

Everybody's a comedian.

Re:Cracking might be impossible

Pfft. You actually believed that story about the iPhone?

Re:Cracking might be impossible

Kaspersky Lab is not asking the US government for help, rather they are asking the general Internet public for help. The latter might actually be capable of coming up with a workable solution.

Re:Cracking might be impossible

Pfft. You actually believed that story about the iPhone?

That's funny and so true.

Burglar to home owner: "Oh God! You're using that latch and string, there's no way I can break into that! Oh jeeze! I''ll have to get a legitimate job!"

Re:Cracking might be impossible

Also with the history of stuxnet, flame etc the government may also be the ones who released it.At the very least they had a hand in creation of the original code.

Re:Cracking might be impossible

[cvtan]

I read it on Slashdot so it must be true!

Re:Cracking might be impossible

[EGSonikku]

Prove it isn't. If it were easy to hack an iPhone as you seem to suggest surely there are many guides online for hacking a non-simple passcoded iPhone online? No? The NSA doesn't have sone magical movie-like way to crack AES-256?

Re:Cracking might be impossible

[plover]

Prove it isn't. If it were easy to hack an iPhone as you seem to suggest surely there are many guides online for hacking a non-simple passcoded iPhone online? No? The NSA doesn't have sone magical movie-like way to crack AES-256?

As a matter of fact, they don't need a magical movie-like way to crack AES 256. They just need a magical movie-like tool to dig out the not-very hidden secret key.

From: http://www.zdnet.com/blog/hardware/law-enforcement-tools-can-bypass-the-iphone-passcode-in-under-two-minutes/19335

"Law enforcement tools can bypass the iPhone passcode in under two minutes

Do you have a passcode set on your iPhone? Does it give you a warm fuzzy feeling that your data is securely locked away from prying eyes? Think again. Technology available to law enforcement officials by Swedish firm Micro Systemation can be used by to hack into the handset and bypass the four-digit passcode in less than two minutes.

Here's a video of the tool, called XRY, in action against a passcode-protected iPhone 4"

Degauss?

[MatrixCubed]

Clever of the tech world, to obsolete CRT monitors. Perhaps shaking one's head rapidly from side to side would help solve this mystery.

Re:Degauss?

[SQLGuru]

You also have to make that sound: BRrrrrrrrrrdddddddTick.

Re:Degauss?

Unless you're joking, it is depressing that there are people on Slashdot who don't know who Gauss is.

Re:Degauss?

[arth1]

Unless you're joking, it is depressing that there are people on Slashdot who don't know who Gauss is.

What's depressing is that I think that most slashdotters, and nearly all of those who were schooled in the US after president Nancy, would not recognize names like Gauss, Euler, Erdos, Abel, Bernoulli or even al-Khwarizmi. And way less stand a chance of understanding what they're famous for, despite relying on their work in everyday life.

I've Got It!!!

[MasterOfGoingFaster]

I just ran the code and something about my system is causing it to decrypt, and it appears be tr***CARRIER LOST***

Re:I've Got It!!!

[Medievalist]

I just ran the code and something about my system is causing it to decrypt, and it appears be tr***CARRIER LOST***

You shouldn't have set your PATH to /iran/fission/uranium/centrifuge, then.

irc bot author

It looks like validation of one of my first creation irc bot (war bot, for taking over channels, not for spamming people and stealing their CCs).

It was also doing validation, to verify it binary has not been altered using MD5 and some kind of computation of the binary itself.

And then it was loading a userfile (payload), which was ecnypted using system specific key. In my case it was a physical location of a file on a disk (i-node, blocks, etc.. all you could get from file info syscall), nicely md5 hased to get good blowfish key.

The userfile contained list of people (ident@host.com) with their rights, and passwords for their accounts + information about how to link to the botnet...

I am pretty sure here you have the same thing, so. do I get candy as a reward?

Re:irc bot author

[Ash-Fox]

Cool story, bro.

Obligatory

[devilsdean]

"Be sure to drink your Ovaltine."

Re:Obligatory

[93+Escort+Wagon]

Ha! First thing I did after opening this page was search for the word "Ovaltine".

Why ask cryptographers when the key is in there?

[hAckz0r]

The problem as I see it is to figure out how to exercise the code that unlocks the key used to decrypt the payload. Brute force to crack the payload is going about it the hard way. When dealing with criminals, never play by their rules.

The reason the payload exists is so that it can be decrypted and used. Both the algorithm and the key are in there somewhere. The problem is discovering under what conditions it is exercised and halt the process after the decryption but before the key is removed from memory. Timing is the key to success.

Load the code in a hardware virtualization monitoring environement with an emulated CPU clock and let it run. Analyse the code execution and discover the branches not taken and then force it to take each branch the next time around, and watch/trace what it does. If you find ant-debugging protections along that path then you are probably on the right track to recover the key. There is no singular trick in their little-black-bag-of-tricks that can't be worked around. Be persistant and the key will be recovered, and a lot sooner than trying to brute-force decrypt the payload without the key.

Never overlook the obvious

[vlm]

Never overlook the obvious. Want to piss off a small security team? Put a small sample of /dev/urandom into a binary blob and release it. They'll spend all their time trying to decrypt that white noise source and never notice the Really Interesting thing nearby it.

Researchers at Kaspersky Lab ... publishing encrypted sections and hashes

Ha ha they fell for it. The interesting stuff is going to be around or nearby the distractor, not the distractor itself.

This part makes no sense:

They're publishing encrypted sections and hashes in the hope that cryptographers will be able to help them out.

If that happens it'll be a first in the serious crypto field. How do they expect that to happen? This being from a worm or whatever doesn't make it special.

Look I'll give you a baby example.

"13cbffe03010f846f46f123675bfc3c3"

I'll even make it more baby by telling you its a md5 hash and the plaintext is 11 chars of letters and spaces. The ultimate in baby examples and its still utterly hopeless.

P.S. its not a rickroll URL although that would be funnier than hell. The only thing funnier than the worm designers using /dev/random would be embedding a rickroll or a goatse instead of real worm payload.

Re:Never overlook the obvious

[jpmorgan]

Never overlook the obvious. Want to piss off a small security team? Put a small sample of /dev/urandom into a binary blob and release it. They'll spend all their time trying to decrypt that white noise source and never notice the Really Interesting thing nearby it.

That doesn't even make sense. You're suggesting that the author, instead of actually encrypting the payload, is only pretending to, to distract attention from a different unencrypted portion elsewhere? That makes about as much sense as a 'the moon landing was a hoax' conspiracy theory.

Re:Never overlook the obvious

[cryptizard]

Agreed, I don't see how they think cryptographers could have some kind of magic to break this. The designers of Gauss did everything right, salting and stretching their hashes, so there is not much we can do but try and stumble across that correct configuration.

Re:Never overlook the obvious

[djdanlib]

Perhaps the security team KNOWS this. And perhaps the authors knew that they would know that.

Reminds me of a scenario played out in a movie. "Clearly, I cannot drink from the cup in front of you."

Re:Never overlook the obvious

There's already a distraction in Gauss. what do you think the font is?

Re:Never overlook the obvious

[kav2k]

Obviously, you haven't read the original article here.

Just embedding a binary blob doesn't help. Having a complex routine to decrypt it, verify the extracted data, and run it if verification succeeds is another story.

Though, arguably, you CAN put such a loader and throw in random data just for trolling.

Re:Never overlook the obvious

[vlm]

Though, arguably, you CAN put such a loader and throw in random data just for trolling.

Exactly.

Re:Never overlook the obvious

[Ragnulf]

That makes absolutely no sense. Using malware for targeted attacks is a frail enough scheme as it is, why would anyone complicate it further?

Re:Never overlook the obvious

[HiThere]

Well, it does make sense, but only if your serious attack was via a different virus, or via social engineering or some such. I.e., it makes sense, but it's not plausible. Which, of course, would make it a better attack. But if you're going to do this kind of attack, you need to make sure you "fake attack" vector is discovered, while appearing to try to hide. Not all that simple.

Re:Never overlook the obvious

[plover]

I'll bite on your troll-bait.

Because the evidence overwhelmingly runs counter to your supposition.

Look at the facts.

The code is stealthy.

The code shares common attributes with other code that has delivered sophisticated attacks, strongly suggesting a common author, implying similar intentions are behind this code.

The code carries other unencrypted malicious code, including exploits and bank login thefts.

The code makes many attempts to decrypt an unknown value. Should it ever succeed, it will make a call to an address in the decrypted memory.

The amount of data to be decrypted and potentially executed is enough to contain a malicious payload on the same scale as the code that sabotaged Natanz.

Why would an established weapons developer go to all the work of fully implementing a cleverly targeted weapon hiding system if he isn't going to actually hide any weapons in it?

From the Article

[cryptizard]

According to Kaspersky, the way it works is:

1) Enumerate all directories in the computers PATH variable
2) Enumerate all files in the %PROGRAMFILES% directory whose file name starts with a non-latin-alphabet unicode character (i.e. arabic)
3) Hash every pair from the previous two lists with MD5 and check against a known hash

If the hashes match, then it has found the correct configuration. This means it is looking for a computer with a specific directory or file in the %PROGRAMFILES% directory, in combination with a specific directory in its path variable. This hash is salted and stretched so they obviously knew what they were doing.

Once it knows it has the correct configuration, it rehashes that pair with a different salt to get an RC4 encryption key which unlocks the payload. Different salts are used in the validation and decryption stages so that the validation hash (which is stored in the binary and known to everybody) does not give any information about the target configuration or the encryption key. Given the number of possible combinations of known files that could be in %PROGRAMFILES% and directories that could be in %PATH%, combined with the fact that the target configuration is likely one that is not publicly known, it will be very difficult to break this unless the targeted party comes forth.

Re:From the Article

[vlm]

it will be very difficult to break this unless the targeted party comes forth.

Difficult to break it legally, you mean... All you need do is release a new virus/worm that only does the first hash step, then if by some miracle a match is found the victim gets a popup "You won, to collect your winnings please contact contest@nsa.gov" or whatever.

As sort of a running joke / meme I can imagine black hats doing this purely for fun. The IRC channel for the bot net gets spammed with the PATH and PROGRAMFILES once it finds a match.

Might also make a hilarious "antivirus update" as part of perfectly legit anti-virus suites. Run this test to see if you're vulnerable to the "whatever its called" targeted worm.

Re:From the Article

[medcalf]

How large is the universe of Windows programs not named in Latin characters? I have to think it's in the low millions at most, and probably less than that. Maybe the way to do this is to try the paths and filenames of those programs, and see if you get a match. As a first try at reducing the things you have to check, you could eliminate anything widely used, since this is likely targeted at a rare configuration. I'd start by looking at SCADA control programs, personally, because there's a good chance that this is targeted at industrial control systems, based on the last few weaponized software bits that have been found (stuxnet, et al).

Re:From the Article

[pmathew]

Hmm .. My guess is it is targeted at an enterprise than an individual .. because if an individual install something the payload doesn't see light .. However in an enterprise they tend to preload their new machines with an OS image with a common utility set it may work as machines are always added as part of hiring or upgrade .. May be we just need to test against the few machines in that obscure "nuke facility" in "wadiya" .. :)

Re:From the Article

"a non-latin-alphabet unicode character (i.e. arabic)"

or maybe Chinese.

Re:From the Article

It's me! I'm the target!

I confess!

Re:From the Article

Even in a small "universe" this may be impossible to find. It could be custom software that is not distrubuted comercially. So after a relatively "quick" check you are in a world of pain trying to test all posible combination of the UTF character set. In addion the software has to be installed in a specific context as the hash is made from the file name and what appears to be unrelated string in the path variable.

Re:From the Article

[cryptizard]

The problem is that the specific program they are targeting is likely not known publicly. It could be a secret program developed by another country, which our intelligence services happen to know about through espionage but the public sector would not.

Re:From the Article

[Jeremy+Erwin]

Usually, program names, even in non english languages, are non random-- so this does reduce the search space.

Re:From the Article

[ThatsMyNick]

How large is the universe of non-publicly available Windows programs not named in Latin characters? Infinite.

Re:From the Article

[PPH]

3) Hash every pair from the previous two lists with MD5 and check against a known hash

So, distribute a tiny program (as source, so as not to cause suspicion) that hashes each name and checks for a match. If found, pop up a message that says 'You might be a target.'

Once a group of potential targets have been identified (and now we know what they are looking for) crack the payload.

Re:From the Article

[VortexCortex]

Once it knows it has the correct configuration, it rehashes that pair with a different salt to get an RC4 encryption key which unlocks the payload.

I'm old, lazy and patient. This is where I would start, not by finding the correct combinations of inputs, but brute forcing the MD5, or trying to pull out bits of the symmetric stream cipher via known plaintext attack -- It's encrypted machine code, it's going to have machine code in the payload.

If I actually gave a damn I'd set up the algorithm to generate their flavor of salted MD5, then start a Kickstarter to get it on Amazon's compute, and also distribute CPU and GPU versions and job/batch assignments to help crack it via distributed computing. Maybe save a section of the donated funds to reward the discoverer.

Due to the entropy loss in MD5, the algorithm itself adds characteristics to the output data. Some of these characteristics are compounded in iterative key stretching. Thus it's actually faster to do the key stretching to find the key than building a rainbow table for the last iteration -- the stretching itself helps build the characteristics that lead to hash collisions. If they wanted to slow us down, the morons should have used SHA-512 -- all the hash algorithms are trivial to implement (I've done them all in every language from Assembly to JavaScript in less than a week of evenings).

If you really wanted to deliver some secret code, that targets specific systems, and have it be very tiny to the point of being nearly unnoticeable, then I'd also use return oriented programming.
The spooks ain't spooky enough to be real hackers, IMO.

Re:From the Article

[medcalf]

Clearly wrong, as there are not an infinite number of programs, period. For that matter, there are not an infinite number of names for programs, because there are a limited set of characters for those names and there are limitations on the maximum length of those names. The set may be quite large, certainly is theoretically quite large, but it is neither practically nor theoretically infinite.

Re:From the Article

[pr0nbot]

it will be very difficult to break this unless the targeted party comes forth

Surely this novel method of encrypting data has been patented, can't we discover the culprits from the patent filing?

Re:From the Article

[cryptizard]

Due to the entropy loss in MD5, the algorithm itself adds characteristics to the output data. Some of these characteristics are compounded in iterative key stretching. Thus it's actually faster to do the key stretching to find the key than building a rainbow table for the last iteration -- the stretching itself helps build the characteristics that lead to hash collisions.

We're not trying to find collisions here, we are trying to find a preimage. As far as I know there are only theoretical attacks against MD5 that can do that (reduce complexity from 2^128 to 2^123). All the collision attacks (chosen-prefix and chosen-suffix) are attacks on a plaintext-ciphertext pair.

I'm old, lazy and patient. This is where I would start, not by finding the correct combinations of inputs, but brute forcing the MD5, or trying to pull out bits of the symmetric stream cipher via known plaintext attack -- It's encrypted machine code, it's going to have machine code in the payload.

Getting a few bits of the keystream is not helpful as all attacks on RC4 require either a large amount of the keystream or a number of messages encrypted with related keys. Even brute-forcing the hash in this case is hard because the domain is unknown. Perhaps the target program that it is looking for is in 10 nested directories with a 200 character long path. Because of the salts, this problem could actually be even harder than 2^128 because an input that you find that hashes to the correct value with the first salt will, with very high probability, not hash to the correct key when used with the second salt (unless you found the actual correct preimage and not a second preimage, which is unlikely if the domain actually is larger than 2^128).

Re:From the Article

It would be funny if someone posts the solution on Twitter and a swat team shows up at their house a few hours later.

Re:From the Article

I would not bet on a foreign country. Look closer to home. Remember who created Stux, and the older code. They are wanting to infect a certain computer. Not knowing its location, but and not knowing its OS, or to get what information. An unknown program is launched into the wild. Why, or maybe to refine a code that is incomplete. You may run the correct code if you have the skills and the program that you have on the computer you used may have the correct hash in the programs, Not a trier of this because if its out there, i may have the awnser.

Re:From the Article

Perhaps the target is the "specific" configuration of a fresh install of some Windows variant or a known clone image? Otherwise a small change would put the device off its target easily...

Re:From the Article

The use of %PROGRAMFILES% probably indicates it's 32-bit 7 or earlier (XP, 2000).

Re:From the Article

[MysteriousPreacher]

It would be funny if someone posts the solution on Twitter and a swat team shows up at their house a few hours later.

Pretty unlikely, unless they happen to run a website being used to pirate movies and music. Mind you, admitting making a mix tape could be enough.

Re:From the Article

They are probably searching for those encryption packages for Jihadists, or a specific internal application for a government oil ministry.

Re:From the Article

Mmmh... I run away from %PROGRAMFILES%, I always use my own dir names and even rename *.lnk. And currently %PATH% is almost unused. Doing this a real payload of the existence of this **warhead**! Target must be a well organized and audited corporation to be functional. Or it may want NEW standard installation systems! I do download some files to %PROGRAMFILES% and do change my %PATH% to my own names... ;)

Re:From the Article

query: could anyone who thinks this may be targeting them not just... change their %PROGRAMFILES% directory name to the latin alphabet?

Re:Why ask cryptographers when the key is in there

[Xest]

No, the key isn't in there. The algorithm to generate the key from specific information on the host system is in there, but the key can only be correctly generated from the host system having the right information for which the algorithm can properly derive the correct key.

Re:Why ask cryptographers when the key is in there

[Depili]

Read the FA :) The key isn't in the package, but is generated by characteristics of the intended target machine, you either need to brute-force it or find out what the target was.

Re:Why ask cryptographers when the key is in there

[cryptizard]

This is not at all how it works. Nobody has the key, the key is derived from local configuration values using a cryptographic hash function. Just as your hard drive may be encrypted with a key that is generated from your password, this payload is encrypted with a key that is generated from a very long password which is a combination of specific settings on the machine. If you run it on a machine with the settings exactly right, it will unlock. If you run it on any other machine, it will not and you will get no information about what they key is. Since there are so many possible combinations of settings (particularly it is looking at all the programs in your program files folder in combination with all the directories in your path variable) it is unlikely that people will just stumble across the correct one.

Complete noob question

[Rastl]

If the malware is looking for a specific MD5 hash why not look for the possible variations on that instead of the source of the hash? Once that's identified then the research can go both ways - looking for the source and looking for the next hash.

I freely admit I've never done any cryptography but from a process perspective this seems like a reasonable way to approach the problem.

I look forward to hearing why this can't work. Honestly I do. It will help my understanding of how these things are picked apart by the experts.

Re:Complete noob question

[cryptizard]

Not sure what you mean by variations. The problem is that hash functions are one-way or "preimage resistant", meaning that if they are secure then you cannot get any information about the input from only the output. Additionally, they have an avalanche property where small changes in the input produce large changes in the output. This makes it difficult to analyze hashes by tweaking the input piece by piece until you get the desired hash.

I could be confused about what you are suggesting, maybe you could clarify?

Re:Complete noob question

your question is unintelligible.

Re:Complete noob question

[Ash-Fox]

Because you can't. You either get the exact hash right or fail. It's not like in the "hacker" movies, where you see each character 'unlock' individually while 'hacking'.

Alternatively, there are side channel attacks that might be feasable if there was some depth to work with, but from what I can see, there isn't any here.

Re:Complete noob question

Brute force RC4 decrypting process illustrated:

Pick a number between 1 and 2^128... Nope, try again.
Pick a number between 1 and 2^128 - 1... Nope, try again.
Pick a number between 1 and 2^128 - 2... Nope, try again. ...
Pick a number between 1 and 2^128 - 2^64... On average, you might have it by now.

Okay, now count (simpler than picking, and checking) to 2^64, AS FAST AS YOU CAN (don't hold your breath, and maybe get your affairs in order first).

Re:Complete noob question

[Rastl]

It sounds like they were already doing something similar by running multiple variations of the environment data. If the goal is to get to the payload then running the hash just seems like an obvious extension of that process.

I never expected the data to 'reveal' the correct value in the correct place. It's another brute force method to try to find the key. My question is why the hash itself isn't the value that's used instead of the source value.

Re:Complete noob question

[Terrasque]

First of all, there are no variations to the hash. Either it fits perfectly, or not at all.

Secondly, finding the hash is like finding a specific sand particle.. That exist somewhere in the universe.

Since we know how it's generated, we can narrow it down to ... somewhere in the Milky Way..

When the program runs, however, it only have a few options to try.. Something like the sand in a spoonful. This can be tested almost instantly.

If it's not the correct spoonful, it won't get the correct key, and it won't (can't, in fact) deploy the mystic payload.

What they're doing now is basically saying "We found this strange thing, we haven't found the correct sand particle in our tries.. Anyone have a good idea?" - Since it seems to only look at non-English program folders, it's likely that it targets some internal program at the intended target. If that is so, the target is probably the only ones in the world that can find the correct key and decode it.

Re:Why ask cryptographers when the key is in there

[jpmorgan]

The key is not in there. It's generated dynamically, based on information pulled from local computer's configuration. The key generating algorithm isn't obfuscated, but it will only generate the correct key on the target computer (or one very similar).

The only way this will be cracked will be by finding a computer with a sufficiently similar configuration (unlikely), or by a herculean feat of cryptanalysis (incredibly unlikely).

Wrong.

[gr8_phk]

The reason the payload exists is so that it can be decrypted and used. Both the algorithm and the key are in there somewhere.

You didn't read carefully. The key is on the target machine and is not part of the attack software.
Dumb old way to do this:
1) Check for certain system configurations.
2) Use some key in the malware to decrypt and run the payload.

New hot way to do this:
1) Use some combination of system configuration to decrypt the payload
2) If that worked, run it.

See that? it hides both the decryption key AND the definition of the system it's meant to attack. Unless you have the target configuration (or can guess it) you can't decrypt the payload or figure out what it's meant to attack. Brilliant.

Warhead?

[gr8_phk]

Since when did we start calling a payload a warhead, especially when it hasn't been decrypted?

Re:Warhead?

[__aaeihw9960]

When we started the propaganda about how evil technology and evil hackers are ruining the world.

Re:Warhead?

Since when did we start calling a payload a warhead, especially when it hasn't been decrypted?

About the same time that anyone with a gun and mental condition is considered to be a 'terrorist'. And, entertainingly, just around the time the 'Transportation Safety Administration' was conceived.

Re:Warhead?

[phantomfive]

'Warhead' is the kind of terminology 'evil hackers' are happy to use themselves. DEFCON is the name of the conference, after all, which doesn't help countering the 'evil' propaganda.

Re:Warhead?

Well, until about 1992 crypto -was- classified as a munition...

Re:Warhead?

How else are we supposed to know that this is Serious Business?

Re:Why ask cryptographers when the key is in there

[tgd]

Load the code in a hardware virtualization monitoring environement with an emulated CPU clock and let it run. Analyse the code execution and discover the branches not taken and then force it to take each branch the next time around, and watch/trace what it does. If you find ant-debugging protections along that path then you are probably on the right track to recover the key. There is no singular trick in their little-black-bag-of-tricks that can't be worked around. Be persistant and the key will be recovered, and a lot sooner than trying to brute-force decrypt the payload without the key.

Its guys like you being involved insecurity that makes people like the NSA get all warm and fuzzy.

Do you really think you're smarter than people at Kapersky? Or whatever shadowy group created the payload? I'm sure on the offence or defence side of things, no one has ever thought about debuggers.

Really?

Re:Why ask cryptographers when the key is in there

[hAckz0r]

Yes, as I said, you exercise the algorithm to produce the key. The key is just 'in the algorithm' that derives the key. The software is quite capable of deriving its own key given the proper host parameters. The examiners can and will know what system the code was taken from, and can collect any parameters from that system that are needed. In a harware virtual environemnt you can inject any host attribute you like, at any time you like, and the code running in it will never know the difference if you take certain steps, like making the CPU clock instruction cycle correct for the given hardware. The malware code will only know what you tell it, so the trick is figuring out what parameters you need to tell it, and that comes from excercising the code as well to see what it tries to access. Locically everything it needs to defeat itself is already in there, except the host parameters, and we just need to be smart enough and persistant enough to figure it out.

Holy Hyperbolic Homonyms; Batman!

Could we get past the hyperbolic exaggerations when referring to computer code; please?

cracking an encrypted warhead

Really?

Just ignore the moron

Of course it doesn't make sense, but you're looking at this from a perspective of sanity and rationality, and not that of a mouthbreathing waste of oxygen with the IQ of a braindead petunia.

Remember: no one is as smart as the Conspiracy Theorist. The Conspiracy Theorist alone has the insight to discern signal from noise, and even if what they see is completely harebrained, nonsensical and discredited by others. In fact, being discredited is proof that the Conspiracy Theorist is on to something, because facts and that sort of jargon is Them trying to Cover Things Up. And the more harebrained the better---how else would They hide things from the ignorant masses?

So, yes, the Conspiracy Theorist has determined that the "encrypted" stuff is merely noise to distract from the unencrypted code. Encryption after all can be broken with a few keystrokes (and possibly a blowjob); if it was encrypted it wouldn't actually be all that secure, would it? So, it's the unencrypted stuff to be wary of. Innocuous code that does nothing is the worst: it fools the so-called "experts" and is actually a devious plan for Them to accomplish their true goals.

If all this doesn't make sense, or sounds like a bad movie plot, you're not a Conspiracy Theorist ... or a complete moron.

Re:Why ask cryptographers when the key is in there

Yes, that's obvious to every programmer everywhere. But after you know the parameters you still need to bruteforce them, just as if the key generation input was a password. Do you know anything at all about cryptography?

Easy to defend against

[Dan+East]

This would be trivial to defend against. Simply add an empty directory (starting with a non-latin-alphabet character) to Program Files, or to the PATH variable. However, if this targets the control computers of industrial machines (as it most certainly does) then all of that is probably static and locked down.

I'm slightly surprised that the signature involves non-latin directory names for programs. Stuxnet targeted Siemens equipment, and it is very, very likely that the directory names their control software resides in are in English, even if the software is localized for some other language. So this seems to be targeting home grown software / hardware this time around.

The next question is how did the author know *exactly* what the PATH and program files folders are configured on the target machine. That's the work of spies and moles. Someone probably stuck a USB drive into a target machine, which did a quick scan to grab the necessary info. That could be done in just a few seconds.

This configuration this software targets could be so extremely specific that there may only be a handful of computers in the world running the specific industrial control software the payload is designed to destroy.

Re:Easy to defend against

It tries ALL combinations of path parts and program files directories. Adding stuff to your program files or path doesn't work, only removing one of the two parts of the pair would work.

So if the path is c:\a\bin;c:\b\bin and in the program files there are the directories "alpha and "beta" and these two directories both start with a non-latin character, it tests the following combinations:

c:\a\bin - alpha
c:\a\bin - beta
c:\b\bin - alpha
c:\b\bin - beta

Re:Easy to defend against

From what I am reading.. Adding an empty path wont help.. It takes Every individual Item in the path, and every individual directory in %PROGRAMFILES%.. Pairs them (so if you have 10 directories in your path statement and 15 directories in %PROGRAMFILES% it would look at all 150 Pairs. then "Hash every pair from the previous two lists with MD5 and check against a known hash" when it finds one that matches, it performs a second function on that pair to generate the Key.

-J

Re:Easy to defend against

[Sloppy]

The next question is how did the author know *exactly* what the PATH and program files folders are configured on the target machine.

It's a follow-up attack. The target has already been seen (though perhaps indirectly) in the past by the attacker. Perhaps the target was already running some malware which has been (inadvertently?) disabled, and the attacker is trying to update it, or fetch some data that it collected.

I've already significantly narrowed down who the target is, from RTFAing. It looks like the target is someone who runs Windows. Hope my analysis helps. ;-)

Re:Easy to defend against

[KZigurs]

Someone who runs Windows. In an environment where upgrading to SP1 is unlikely (runs on at least Windows 7 vanilla, exits on SP1 - can also be explained by assuming more sophisticated detection on SP1 boxes), yet both x86 and x64 versions are in use (two versions of binaries - so perhaps previous versions with variants?), someone who is running a particular software package the name of which is known and which follows the normal windows software installation procedures (key hash generation and the fact it's looked up from under the program files - can be a distraction though!).

I actually think that the program files path is a distraction. The actual key is a hash of a particular known file in a system, the non-ascii entry in the program files is ether a null result to be matched against or an extra test.

Re:Why ask cryptographers when the key is in there

[Baloroth]

The examiners can and will know what system the code was taken from, and can collect any parameters from that system that are needed.

No, they can't. They don't know what machines the payload code runs on, and if the target (as is very very likely) was a government system somewhere in the Arab world, they probably never will. In other words, they have no clue what the parameters are for decrypting the payload: if they did, they wouldn't need to issue this challenge, which BTW isn't a brute-force, it's more like a distributed dictionary attack (testing various parameters that might be the target). They found the malware with encrypted payload in the wild, but never in it's decrypted state.

Another aspect of this mystery

[bolek_b]

By the way, TFA says that the virus even installs some font. This unusual step confuses me quite a lot. Is it for some kind of "exposed but not obvious" document watermarking. Or is it preparation for some future infection vector? Questions :-(

Does somebody know whether there is that font ("Palida Narrow") available?

Re:Another aspect of this mystery

[ledow]

Google it.

Last time I did, it's basically believed to be a vector for detecting infection by simply making a target navigate to a web page that tries to load the font. If it's there, you can tell the PC has the font and (therefore) the infection. If it's not, it just gets substituted and you can tell from the CSS etc. what's happened.

Probably a way for the author to see if their target machine actually ended up getting infected or not.

Re:Another aspect of this mystery

van eck friendly font?

Re:Another aspect of this mystery

[bolek_b]

Pity. I was hoping that this would be a clever part of systemic offensive. Like forcing laser printer to release deadly toner fumes by downloading evil curves of this font. Or making its kerning so bad that the users would collapse with severe headaches.

Judging from the infection vector (i.e. USB sticks), I suspect that the targets are off-line, or at least heavily firewalled. Mind you, the target is most probably some military facility, likely in Iran. I don't think navigating to a non-white-listed web page wouldn't raise alarm, from the virus author's point of view an unnecessary complication.

Re:Another aspect of this mystery

[PPH]

Yep. So the countermeasure is for everyone to install a font with that name (Palida Narrow). Its not necessary to install the font itself, just something that will satisfy the CSS request and make it appear their machine has been infected.

Rename a copy of Dingbats. When you get a web page with a string of screwball characters (where you'd expect text), you could assume that this is a site that is probing for the Gauss infection.

Counter-counter measure: Everyone specify this font in their web pages.

Re:Another aspect of this mystery

[bolek_b]

As an evil virus author, I would add another twist: make the plain-text part of the virus install the font (we know it does so). Few moments later, from within the encrypted code, uninstall the font (we have no clues what that code actually does).

Unsuspecting folks would devise infection detectors, which will give nice "false negatives".

Re:Another aspect of this mystery

[leonardluen]

in other words it is like the little tracking image that spammers put in emails to try to see if you read it.

Re:Another aspect of this mystery

[dackroyd]

The assumption is that it allows detection of the installation of the virus via a web-browser.

http://blog.crysys.hu/2012/08/on-the-palida-narrow-mystery-of-gauss-malware-and-possible-remote-detection/

As the virus seems to be only installed on certain machines with known paths, and those paths can be exposed through Microsoft Office document files, it is possible that whoever targeted this attack had received a MS Office document, that told them who to target. I would not be entirely surprised if the font was used to detect installation on the target PC through either the virus using it in a office document as a file - or possibly even through printed material generated by the target machine.

Re:Another aspect of this mystery

Windows decodes fonts in kernel space (yes, WTF?!). It could be a privilege escalation vector.

Re:Another aspect of this mystery

Jeez man, +5 informative and you can't even bother to include a link to the test page for everyone? How self-centered. Here's the link it was too much trouble to include in your post: Gauss malware Palida font detection page. This test tries to check if Palida Narrow font is installed on your computer. Kaspersky Lab found that Palida Narrow, a previously unknown font is installed onto all computers infected by the Gauss Malware.

Re:Another aspect of this mystery

So you'nre saying that, for an an exceedingly precise target (see PATH....), sophisticated coding and delivery mechanisms, the chosen method for detecting successful infection is a) electronic means or b) induce target to print a known/seeded document, to be detected by a well placed observer. Presumably, said observer will then drop his keys on the way to the car park, thus setting in motion a sequence events culminating in white papal smoke from the vatican - and that, dr Watson, that is what the NSA is looking for.

Because everybody watches CNN.

Re:Another aspect of this mystery

Really... I think I just recently popped against that font name but cannot remember exactly where... I noticed because PALLIDA means **pale woman**, ie, just scared woman. But Paint is not showing it in its list. Nothing would uninstall it after use, right? But of course my Mc-A-fee installations have always been breached and Norton seems to do nothing... :(

Fewer targets than keys

Looks like they have narrowed the possible keys quite a bit.

Simulating the target in a virtual platform and running the combinations might be easier than attempting to decrypt the key.

Intercept the system calls looking for parameters and loop them over and over again.

The goal isn't necessarily to decipher the key as it is to get the payload.

If it were to get the key, I guess that would be more about finding the target. that would scare me.

Who ever it is intended for, even if its a test flight should reflect the system that created it and you would be able to use the key to track down the source.

I don't think I would want to have that information. or tell anyone that i had it.

Re:Why ask cryptographers when the key is in there

Hey, don't be so vicious on him. If it had been a simple logical mistake regarding any other programming problem he'd not get so much flak - so why get worked up about it? Not to mention that reverse engineering isn't something most people think about or specialize in.

Re:Why ask cryptographers when the key is in there

[Ash-Fox]

They know the system they took it from was not the target, because the parameters don't match. With all due respect, your suggestions have been unhelpful.

Naive request?

[Framboise]

Of course confirmed world class cryptographers might think twice before showing what they can do, especially if they are hired by national labs to do precisely this.

Kaspersky Lab's request might also be an easy cover to discover new
talents in the field.

 

Re:Why ask cryptographers when the key is in there

you're seeing it wrong
they are asking for help in reversing a hash, as if that's gonna happen.
and even if there's a reversed hash, its just as likely to be a 'random' collision as anything that can serve as a decrytion key.

what you have there is an idea for bounds on the key, a means of validating possible keys and a lock to try the key on.

can you see it now?

Program name

[jones_supa]

Notice how in the article it says that the code wants to find a program name with the first letter being over 0x007A (Unicode ‘z’). What possibilities could there be?

Re:Program name

Here's my guess. Assumptions: unicode chars are 32 bits. The first char is greater than 7A (122). The max length of NTFS directory path appears to be 32,000.

number of possibilities = (2^32 - 122) * (2^32)^(31199)

Re:Program name

Somehow this got deleted after I posted it a couple hours ago...

I believe the number of possibilities is: (2^32-122) * 2^32^(31199)

max directory length = 32000
unicode char size = 32 bits
first char is greater than 0x7A(122)

Re:Program name

Financial/home banking program? as the targets are reportedly banking customers

Re:Program name

Notice how in the article it says that the code wants to find a program name with the first letter being over 0x007A (Unicode ‘z’). What possibilities could there be?

You mean how much software has non-latin character names? I don't know, but isn't there a really fucking big part of the Earth that doesn't use latin based alphabets?

The PATH variable they hashed it with is probably unrelated but specific to the target environment, so good luck with that.

The real question is why bother with that check at all, is it that much more computationally expensive on an average system to check all programs? I think it was for non-technical reasons.

Re:Why ask cryptographers when the key is in there

[jimbolauski]

The problem as I see it is to figure out how to exercise the code that unlocks the key used to decrypt the payload. Brute force to crack the payload is going about it the hard way. When dealing with criminals, never play by their rules.

The reason the payload exists is so that it can be decrypted and used. Both the algorithm and the key are in there somewhere. The problem is discovering under what conditions it is exercised and halt the process after the decryption but before the key is removed from memory. Timing is the key to success.

Load the code in a hardware virtualization monitoring environement with an emulated CPU clock and let it run. Analyse the code execution and discover the branches not taken and then force it to take each branch the next time around, and watch/trace what it does. If you find ant-debugging protections along that path then you are probably on the right track to recover the key. There is no singular trick in their little-black-bag-of-tricks that can't be worked around. Be persistant and the key will be recovered, and a lot sooner than trying to brute-force decrypt the payload without the key.

The algorithm can be know and still does not make it easier to decrypt, the key does not have to be know by the program rather is it used to decrypt the actual code. There are two parts to the code the encrypted and the unencrypted, the unencrypted will use certain settings on the target computer that are unique as the key. The program then decrypts the encrypted part of program, verifies that the decryption was successful using a hash function and comparing it to a different section of the encrypted data, then executes the formerly encrypted payload. At no point does the program verify the key, the hash can be used to verify a successful brute force decryption but the hash will not lead you to a complete decryption. At no time does the program need a copy of the true key to work is simply runs the code through a hash function and compares it.

Re:Why ask cryptographers when the key is in there

[nedlohs]

Do you always rave about completely unrelated crap? That doesn't apply to this case as not just the article but the summary explain.

Why can't Kaspersky just ask for infected machine?

[MasaMuneCyrus]

Couldn't Kaspersky Labs just post a Gauss detection tool or instructions to determine if your computer has been compromised, then just ask people/companies with infected machines to come forward and contact them? I'm sure the people who Gauss is targeting are probably paranoid of CIA and Mossad plots against them, but if they're infected with Gauss, they probably are already a victim of a CIA or Mossad plot to get them. They're already screwed, so it certainly couldn't hurt much more to trust Kaspersky.

easy

[fredan]

hunter2

Re:easy

[masterofhisdomain]

Joshua

set of programs have to match

[schlachter]

I'm assuming that the set of programs names have to match; it's not sufficient for the system to contain a single program of interest. So then you have to look at all the possible subsets of the programs available...a much larger space.

RC4 is broken, but not that broken.

You can recover the key under certain circumstances given a few gigabytes of keystream, with the 32bytes they give it's not gonna work. Even if you had the entire encrypted payload and its plaintext (to get the keystream) it wouldn't be enough.

An encryption method must be very crappy if you can recover the key from 256 bits of output (32 bytes), not even knowing the plaintext to those 32 bytes. I think I read in another slashdot post about gauss that it uses RC4 with 512 bit keys, so it would be more of a compression algorithm than an encryption system...

Could someone explain

[Alkonaut]

The code that extracts the machine parameters that make up the key has to be non-encrypted, right? Wouldn't that be where to start? I.e. if you know the key is a combination of a path and a MAC address, and you know how they are combined to form the key, then you could reduce the key space by looking at plausible paths/macs?

Re:Could someone explain

[KZigurs]

And it's been already decompiled and it takes a local, available only on a target system, parameter as a key input. It's elegant, I grant them that.

Let me try

[Errol+backfiring]

I work in a nuclear plant. Shall I try it?

Re:Let me try

Great. Now my power is out! (posted by my backup IPoAC link)

Re:Let me try

What's the worst thing that could happen?

I solved it

But too bad for them-- their posted email address just bounces.

Emailing them multiple times is too risky. I guess the world will just never know what the payload does.

Minimizing options

[Errol+backfiring]

Don't forget that the installation of a single application could ruin the key. So we are probably searching for a computer that will NOT be regularly updated. I remember that ATMs run Windows. So I expect the target to be some "embedded" device. OR a device in a company where every update is tested for two years before it is allowed be proven ancient.

Re:Minimizing options

[cryptizard]

It loops over all path/program pairs so adding will not foil it, only removing or changing the specific one it is looking for.

When it runs...

The trick is to get the code to run. Then do a dump of the RAM where the code will be unencrypted.

Perhaps they can PAY George Hotz and Jon Lech Johansen to work on the problem:
http://en.wikipedia.org/wiki/Jon_Lech_Johansen
http://en.wikipedia.org/wiki/George_Hotz

Maybe not an encrypted warhead?

Everyone is assuming that the payload is a warhead and that it will destroy a specific target.

But what if it isn't? What if it is an encrypted message only for the eyes of a mole/spy in the middle east? Maybe I've been reading too much spy novels and watching 007 movies, but I think a payload with such strict restrictions to decrypt might not be what everyone is thinking of.

If it's a warhead, the attacker must know what is the exact configuration of the directories of the victim (hey! I would like to wipe your hard drive, would you show me you files please? Thx!). Almost impossible to pull off.

What if you are a mole that does not want to receive an encrypted mail or download an encrypted file directly from a link because someone will notice it? Let's do it via a virus! You only need to get "infected" as millions of other users and then configure your files to decrypt the message.

Like I said, maybe I'm reading too much John le Carre novels...

Elegant solution

[coinreturn]

I found an elegant solution to the problem, but it doesn't fit in the slashdot comment box.

Re:Elegant solution

I see what you did there.

I GOT IT!

[Firemouth]

The password is: 1 2 3 4 5 Same as my luggage!

Single Stepping...

Even if the program generates a key from context information on the target system, there must be a boot strap which is not encrypted to get the process started. Just run that under a debugger and step through it to find how it is generating the key.

If the authors were good, this could be a laborious process, but it is doable and there is nothing that they can do to prevent this approach. They can make it painful, but they cannot make it impossible.

Re:Single Stepping...

[drobety]

Of course they figured the bootstrap, now they need help to figure the key to decrypt the real payload. Very simply stated: create key from environment -> if key == 'hard coded key' then decrypt payload -> run payload

Re:Why can't Kaspersky just ask for infected machi

[Cid+Highwind]

If Kaspersky doesn't know what the "warhead" does, it's going to be very difficult to write a tool (or instructions) to detect it!

Re:Why ask cryptographers when the key is in there

[Cytotoxic]

Not to mention that reverse engineering isn't something most people think about or specialize in.

Nope, not something people think about... not so much. Except Kapersky. Yeah, Kapersky labs - that's pretty much what they think about and specialize in. Reverse engineering malware and viruses, that is. That's pretty much exactly what their core expertise involves. So maybe suggesting that they use reverse engineering is a little silly. Particularly when the accompanying article states that they reverse engineered the program and gives details as to exactly what it is doing based on this reverse engineering.

Let's see, who are we talking about anyway? Hmm... Eugene Kapersky is the top guy over there. It seems he was involved with building AVP back in the early 90's before founding Kapersky labs in the late 90's. He also "graduated from the Institute of Cryptography, Telecommunications and Computer Science, where he studied mathematics, cryptography and computer technology, majoring in mathematical engineering." - so he's got the training. Yup, I'd say advising this guy that executing the code in a virtualized environment might solve his problem just might be enough to make you look a tiny bit ridiculous.

simple

instead of said known programs run an algorithm to string out(not use) all the possibilities of programs NOT known....
have fun cya later ...much later....and thanks for all the fish

sure, give Iran free tech support

Some of the difficult to detect malware that Kaspersky (Russian) has found, has been going after Iranian computers used in Uranium enrichment. If one wants to hinder Iran's Uranium enrichment program, one should not help Kaspersky crack the sophisticated malwares.

Re:sure, give Iran free tech support

[Master+of+Transhuman]

Since Iran does not have a nuclear weapons program - as concluded by both US and Israeli intelligence agencies (as opposed to their corrupt politicians) - and has every legal right to have its existing nuclear energy program - including full enrichment rights, even to 20% levels - which is fully under supervision by the IAEA, any attempt to attack its program is illegal.

For those seeking the real facts, as opposed to the propaganda crap put out by Fox News, The Washington Post, and the New York Times, go to www.antiwar.com, www.raceforiran.com, www.asiatimes.com and www.campaigniran.com.

In any event, the Gauss malware appears to be targeting Lebanon and not Iran. Some have suggested that it is targets at Lebanese banks which might be handling financial transactions by Hizballah, the Shia national resistance movement in Lebanon. If so, this is likely in preparation for the upcoming Israeli attack on Lebanon, which is scheduled to occur during the upcoming US/NATO/Turkey attack on Syria.

Allow me to explain the purpose of the Syrian crisis...

Back in 2006, Bush and Cheney were pushing for Israel to attack Iran. However, Israeli leaders balked because they believed that attacking Iran would result in
Iranian, Syrian AND Hizballah missiles raining down on Israel, causing Israelis to hide in bomb shelters for most of every day, damaging the economy, and
possibly causing the electorate to vote out the leaders in the next election.

In short, Israel wanted a "cheap" Iran war where they only had to deal with a couple hundred missiles from Iran (if that, once the US air strikes had taken
out most of Iran's missiles or where Iran had used most of its missiles on US assets in the region.)

So Israel decided with US blessing to attack Hizballah in Lebanon, hoping to force them far enough north that their (at that time limited-range) missiles
would be ineffective in an Iran war. As we know, Israel failed miserably due to Hizballah's superior preparation.

At that point, Middle East expert Colonel Pat Lang pointed out that the only way Israel could take out Hizballah in southern Lebanon would be to attack Hizballah
in the Bekaa Valley, which provides Hizballah with "defense in depth".

To do this, however, would require Israeli forces to enter Syrian territory and engage Syrian forces. Not that Israel couldn't do this, but it would result in
Israel forces facing Hizballah guerrilla war in their front while the remnants of Syria's forces engaged in guerrilla war in Israel's rear - not a good
position to be in if you want to minimize casualties and get Israel electorate support.

BUT...IF Syria were ALREADY under attack by the US/NATO/Turkey air strikes for "humanitarian reasons", that would make such an attack feasible because large
concentrations of Syrian forces would be suppressed by air strikes.

And this is why Syria is where it is today. And this is what will happen:

1) The US and NATO and Turkey will find a way to bypass the lack of UNSC Resolution authorization and will attack Syria before the end of this year.

2) In the course of that war, Israel - using the excuse that Syrian weapons are being sent to Hizballah (already floated in the Israel press as an excuse that
Israel "will have to" attack Syria and Lebanon) - will send one armored division into Syria to protect a second armored division which will proceed up the
Lebanese/Syrian border and then turn into the Bekaa Valley, while a third armored division attacks Southern Lebanon as before, in a classic "pincer
movement".

3) IF Israel succeeds in damaging Hizballah enough (which I am not sure is feasible but Israel has to try) and IF the US and NATO can damage enough of
Syria's missile inventory, then in the next year or so Israel and/or the US will attack Iran.

The ENTIRE purpose of the Syrian crisis is to remove Syria and Hizballah as effective actors in an Iran war, and thus to enable the Iran war to proceed.

Re:sure, give Iran free tech support

The Syrian crisis is currently an internal crisis and outright civil war. It is not perpetrated or caused by either the US or Israel, so stop trying to blame them for it. However, they may attempt to benefit from the crisis and/or influence the outcome just as Iran and other regional powers are doing.

The reason for the crisis is that the majority of the population does not want the current regime in power, while the current regime does not wish to relinquish the throne.

what happens if the user installs a new program?

[circletimessquare]

seems like the payload is not only for a specific machine, but it has a limited window of time in order to work. unless it knows it is some locked up industry or government box used by someone who will never install programs, i guess

Re:Really?

[fredprado]

The same can be said about US and its weapons.

Re:what happens if the user installs a new program

[cryptizard]

No because it loops over all path/program pairs so adding things will not break it. Only removing or renaming the target program will work.

Re:what happens if the user installs a new program

[circletimessquare]

thanks, i thought it was hashing all programs together

if you move the N...

[phlowbieuq]

also posted this on one of the topics on securelist but figured it might get more discussion here...has anyone else noticed that if you move the N in the font name, it becomes "Palidan Arrow"? Does that name mean anything to anyone?

I realize that Palidan should be spelled Paladin, but since "Pali" is a normal shorthand for Paladin, it's not a completely unbelievable mistake. Also Palida sounds more believable for a font name than Paladi.

Anyway, it could be nothing, but it also could be an intentional play on words by the authors...

Re:if you move the N...

[mellyra]

"Palida" is a traditional Bohri dish (e.g. see this recipe).

Seeing how the Bohras are an islamic sect that did originate in Yemen that reference is probably intentional-

Re:if you move the N...

[Swave+An+deBwoner]

Aaahhhhh!!!

That's it!!!

It's a cookbook!!!

Aaahhhhh!!!

Silly question for Kaspersky

Caveat I once purchased Kaspersky for my PC. Unfortunately it did not catch a virus caught by Virus Buster and therefore had a very embarassing situation a few years ago, so I stopped using them.

So anyway reading the posts here it sounds like Kaspersky is trying to defeat a NSA/Mossad attack on a target of interest in the Arab or maybe Chinese world with extremely valuable, sensitive information on a networked PC.

Why?

Is it because only a Russian company has the balls to do it?

Personally I have no faith in Windows antivirus after reading over 10% of viruses are not being caught by antivirus software (sorry this is just anecdotal). So I use a mac with firewall, once in a while a sandbox, a free antivirus (sophos, meh), some backups, and crossed fingers. Just wondered if this is the most interesting thing Kaspersky sees to spend resources on, I guess it is. Just the distributed cracking net they supposedly had is not being used for the general public, just high profile cyberwar things like this.

It's a zombie virus!

[robotkid]

Obviously it's looking for the DAYZmod files. Because, as I learned from watching Johnny Mnemonic, defeating military grade encryption is very much like winning a death match in a third-person shooter.

The insanely slow login times? That's your connection being tunneled through a secret proxy server in Qatar.

Every time you kill a bandit, somewhere in Iran a centrifuge explodes.

Zombie AI amazingly stupid? Turns out the Iranian Revolutionary Guards suck at video games, but you have to admire their persistence. . .

Would this be usefull in reverse?

[splatter]

/Puts on my black crypto-anarchy hat

My understanding is the first thing LEO does when it encounters encryption or drive analysis, is pull the drive & make a copy. Then take the drive and analyzes it on a separate machine or using forensic hardware.

Would something like this be useful in reverse, because without the original computer that contains the correct configurations, the key could be given out but the since the hash needs internal qualifications to match it would not jive because they wouldn't plug the drive back into the old computer.

of course there is always rubber hose crypt, and permanent lockup, NOT obligatory xkcd, blah blah blah yeah I know all that & doesn't add to this conversation. /black Hat

Re:Would this be usefull in reverse?

[cryptizard]

As it is now, not really because the hash is based only on OS and filesystem information which would all be copied when the drive is cloned. If, however, the key were instead derived from a hash of all your hardware IDs and what not then it would work. This is sort of what TPMs do for trusted boot and remote attestation. Unfortunately, those things are not hard for a determined adversary to spoof via virtual machine so you don't gain too much.

Re:Would this be usefull in reverse?

[splatter]

Of course sorry that was silly of me. If the hash is made of arabic character directory names & registry paths your right.

So what identifiable parts could be used? MAC I suppose although as you said that could be spoofed if known. What about the processor clock, are there any uniquely identifiable parts besides the network card?

Re:Really?

[X0563511]

Yea, because we're totally like to attack a peaceful, human-rights-respecting nation.

Call Bruce Schneier!

[Master+of+Transhuman]

Bruce doesn't need to decrypt anything - any encrypted item becomes clear text immediately on viewing by him!

Maybe You Should READ THE FUCKING ARTICLE

..then you would understand that the key is (essentially) something like c:\ProgramFiles\MullahSuperCrypto. Except that we don't know the real value of $MullahSuperCrypto.

You Are Such A Smart Ass

..that you should not get closer than 10 meters to computers. Surely you will contract a Linux virus by surfing porn as UID 0. Seriously, go to the next construction site and get hired as the brick carrier. But please don't kill yourself in the process and never ever try to use cement. It is above your IQ.

I think you Are a Crypto N00b

..and you should get yourself a proper education and a copy of Schneier's book. Not sure this will help, as some basic rationality must be in place before. And some rigorous ways of *own* thinking, which many people lack. Start with not looking shitty videos every night; that will be the first step.

Re:Why ask cryptographers when the key is in there

[Arancaytar]

The key is just 'in the algorithm' that derives the key.

This isn't just a check that compares values against other values; it's an actual encryption. The algorithm doesn't know and cannot derive the correct key.

The algorithm can only read certain attributes from the environment (eg. serial numbers), calculate a hash sum, and then attempt to use that as a key. If the attributes match the target system, the hash will be the correct key, and the decryption will succeed. Otherwise, the decryption will fail. There is no way to crack this without either trying all possible hashes or all possible attribute values (whichever is easier). Serial numbers, MAC and a few other attributes could together be hundreds of bits long, making brute force infeasible.

Because you could use your Calculator

..to calculate 2^128. That is about 1000000000000000000000000000000000000. Which is a fscking large number. So large that if all the atoms of earth were converted into transistors, ONLY THEN you would stand a chance to break it. Understand ?

Re:Really?

[fredprado]

Yes you are. Whenever need arises justifications are soon to follow.

Re:Why ask cryptographers when the key is in there

I don't think you get exactly what I'm getting at here. Whenever someone n00bs out over, say, not understanding OO properly people don't attack him like goddamn vultures. But when it comes to computer security every goddamn geek with some insight wants to bash his skull in. Why is someone being wrong on the internet about security so much more important? I get that being into computer security might require one to have a less that shiny personality, I've got that "problem" myself, but I still think it leads to a lot of hot air and miscommunication.

Funnily enough I don't see much of this behaviour over at the security mailing lists.

Re:Why ask cryptographers when the key is in there

[KZigurs]

Which, for me, is the scariest bit. Having such a precise knowledge of a target system, yet still bothering to target it with a release-in-the-wild trojan does imply a few things...

Re:Why can't Kaspersky just ask for infected machi

[KZigurs]

And it wouldn't be likely the target computers would be running it.

Did I do that?

Sorry, folks, my fault.
I was writing a Pascal program on my TRS-80 and things got out of hand.
It turned out to be a strong AI program, which is busy taking over the world.
I advise you all to stock up on supplies.

Re:Why ask cryptographers when the key is in there

Nobody has the key, the key is derived from local configuration values using a cryptographic hash function

Well, you could sorta-kinda argue that the key **is** the local configuration values, and that all the system-inspecting code is part of the overall decryption algorithm. It all depends on where you want to draw the boundary lines.

Godel numbers

Godel numbers are the product of a sequence of prime powers of specific numbers encoding a message's letters and numbers. To decode them, you need to have a really good (fast) prime factoring algorithm, and a infinite (almost) digit math package. I played with them about 27 years ago, but only with numbers up to about 15 digits using 80-bit numbers programmed directly into an Intel 8087 math chip. I could pretty much encrypt my name... :-) The point is, that any text can be so encrypted into a single sequence of digits, and they aren't difficult to generate, but they are HARD to decode.

Anyway, I don't know if this is what they are referring to as the "Godel module", but if so, then I would have to say that only the NSA or someone like that has the capabilities to do this effectively, due to the costs involved.

Since the cat's out of the bag..

I considered this method a few years ago to try to find a stolen wireless router. I would have just needed to develop amazing malware that spread like wildfire, but undetectably, and queried ARP tables until it found the MAC address of the router. Encrypting the payload (a rootkit or other tracking software) would disguise what the true intent was, and the trial keys would be derived from the MAC addresses visible in the ARP cache. Of course there wasn't really enough entropy to truly protect a payload with a MAC (so heavily iterated hashing was my tentative solution) and then Google decided to make semi-open location-finding APIs based on visible wifi MAC addresses without the need to violate the computer abuse laws, so that solved the original problem. Now I realize that I don't care so much about a $50 router that probably got pawned off a few times already (it's still in the same city as me unless Linksys decided to re-issue MAC addresses).

Re:Really?

Care to cite any proof?

Re:Really?

[X0563511]

Doubtful. Just pushing shame on the US to make themselves feel better.

High Value Target?

[HArchH]

Oh gosh...I hope it's not me.

Re:Why can't Kaspersky just ask for infected machi

[plover]

The Gauss malware includes a built in config tester, which is how it works. It parses the config, feeds it into a key generating algorithm with a test Initial Value; if the output of the key generating algorithm matches the included hash, then it reruns the algorithm with a different IV and generates the real key. The real key is used to decrypt the payload and do the as-yet-unknown damage.

  All Kaspersky really has to do is include the first part of the test with the test IV in their next anti-virus update and have any potential victims phone home with the winning ticket.

Re:Why ask cryptographers when the key is in there

[plover]

What if they examined the computers of known or captured Hezbollah operatives, and found that several had the same "c:\program files\SuperSecretHezbollahDecoder" program installed? The encrypted payload might be a combination of things, like "grab the SuperSecretHezbollahDecoder key," and "Use the WiFi card and Bluetooth dongle to identify every phone and device in the room" and it reports all data back to the mothership. The RF stuff could be triangulated by a system like Apple's WiFi location API, or via wigle.net, or even the WiFi data that the Google StreetView cars were scraping. Phones could be traced back to a specific IMEI and tracked.

Airport and other public WiFi installations could be constantly scanning for devices on the hot list. If the Israeli government offered local businesses free "terrorist detectors" (picture some reprogrammed access points that passively scan and report WiFi and Bluetooth MACs back to the IDF), about 80% of businesses would quickly install them in their lobbies.

That would actually turn out to be very disruptive to terrorist organizations. By making every member of the organization suspicious of every electronic component, they would completely deny them the ability to communicate wirelessly. Without those communications, they have to go back to hand-passed notes, dead drops, brush passes, and other old school spy tradecraft. And the Israelis are very good at tracking those kinds of people.