Slashdot Mirror
Researchers Seek Help Cracking Gauss Mystery Payload
An anonymous reader writes "Researchers at Kaspersky Lab are asking the public for help in cracking an encrypted warhead that gets delivered to infected machines by the recently discovered Gauss malware toolkit. They're publishing encrypted sections and hashes in the hope that cryptographers will be able to help them out."
Adds reader DavidGilbert99: "The so-called Godel module is targeting a specific machine with specific system configurations, and Kaspersky believes the victim is likely a high-profile target. The decryption key, Kaspersky believes, will be derived from these specific system configurations, and so far it has been unable to find out what they are."
What did you guys put in it, again?
What political party do you join when you don't like Bible-thumpers *or* hippies?
If the DOJ and NSA can't get into an Apple iPhone, what chance is there of cracking this?
Sorry, but gray text on gray background is making my eyes bleed.
Clever of the tech world, to obsolete CRT monitors. Perhaps shaking one's head rapidly from side to side would help solve this mystery.
I just ran the code and something about my system is causing it to decrypt, and it appears be tr***CARRIER LOST***
Place nail here >+
The trick in this case is that the key is already available at the targeted machine - the virus tries to combine various pairs of %PATH% paths and names from %PROGRAMFILES% and if some combination has an expected checksum, that's the key. To make cryptanalysis a bit more difficult, it seems that the second part of the key is not in plain ASCII. Therefore the "key distribution problem" is nicely solved - if the code runs on targeted system, the key will be easily generated. On any other machine you won't obtain any information about the key.
The program doesn't have the key, the target computer does! When it runs, it collects various information about the computer's configuration and uses that to generate a possible key. It tries to decrypt its payload with that, and if the decryption works, the payload runs. If the decryption doesn't, then the key was wrong, and it's not the target computer, and the payload doesn't run.
It's a very clever approach, and depending on how specific the target configuration is, we may never see the decrypted payload in the public world.
I think the answer is in the summary.
Don't quote me on this, but judging from what the summary is saying, the key is derived from a piece or combination of information on the host machine. That is, the key itself could be derived from for example, the currently logged in user, combined with their MAC address, combined with some identifier from the motherboard or whatever.
As such yes, the computer has the key, but you need to know what computer. Presumably you can figure out what the malware is building the key from so you know what information it's extracting from it's host and how it's building a candidate key from that, but you can't figure out the actual key unless your system provides it with the information to generate a candidate key that is actually the correct key. It may be that the malware is reading the logged in user's username and using that as a key such that it only decrypts succesfully if the user is logged in as mahmadinejad or whatever.
It's quite clever really, because it means you can make a targetted virus that only unloads the payload if it detects some parameters that you know about the target user or system (i.e. their e-mail address, and that they use Outlook (e.g. read their e-mail address setting for Outlook from the registry)) and remain harmless for everyone else and as is demonstrated here, no one else even if they find the virus will be able to figure out easily what is actually in the payload.
It sounds like a targetted virus has been uncovered, but all clues as to who or what it is targetting are hidden away in the encrypted payload. It'd be nice to know what the malware is using as the key as that narrows it down somewhat i.e. if it's trying to read something from the registry you know it's targetting Windows PCs which narrows it down to 90% of computers, if it also then tries to combine that with whether the system has a specific piece of software installed (like centrifugre control software ;)) then it narrows it down further and so on, but it's still probably a large search space to find the correct target(s).
According to Kaspersky, the way it works is:
1) Enumerate all directories in the computers PATH variable
2) Enumerate all files in the %PROGRAMFILES% directory whose file name starts with a non-latin-alphabet unicode character (i.e. arabic)
3) Hash every pair from the previous two lists with MD5 and check against a known hash
If the hashes match, then it has found the correct configuration. This means it is looking for a computer with a specific directory or file in the %PROGRAMFILES% directory, in combination with a specific directory in its path variable. This hash is salted and stretched so they obviously knew what they were doing.
Once it knows it has the correct configuration, it rehashes that pair with a different salt to get an RC4 encryption key which unlocks the payload. Different salts are used in the validation and decryption stages so that the validation hash (which is stored in the binary and known to everybody) does not give any information about the target configuration or the encryption key. Given the number of possible combinations of known files that could be in %PROGRAMFILES% and directories that could be in %PATH%, combined with the fact that the target configuration is likely one that is not publicly known, it will be very difficult to break this unless the targeted party comes forth.
No, the key isn't in there. The algorithm to generate the key from specific information on the host system is in there, but the key can only be correctly generated from the host system having the right information for which the algorithm can properly derive the correct key.
This is not at all how it works. Nobody has the key, the key is derived from local configuration values using a cryptographic hash function. Just as your hard drive may be encrypted with a key that is generated from your password, this payload is encrypted with a key that is generated from a very long password which is a combination of specific settings on the machine. If you run it on a machine with the settings exactly right, it will unlock. If you run it on any other machine, it will not and you will get no information about what they key is. Since there are so many possible combinations of settings (particularly it is looking at all the programs in your program files folder in combination with all the directories in your path variable) it is unlikely that people will just stumble across the correct one.
Never overlook the obvious. Want to piss off a small security team? Put a small sample of /dev/urandom into a binary blob and release it. They'll spend all their time trying to decrypt that white noise source and never notice the Really Interesting thing nearby it.
That doesn't even make sense. You're suggesting that the author, instead of actually encrypting the payload, is only pretending to, to distract attention from a different unencrypted portion elsewhere? That makes about as much sense as a 'the moon landing was a hoax' conspiracy theory.
You didn't read carefully. The key is on the target machine and is not part of the attack software.
Dumb old way to do this:
1) Check for certain system configurations.
2) Use some key in the malware to decrypt and run the payload.
New hot way to do this:
1) Use some combination of system configuration to decrypt the payload
2) If that worked, run it.
See that? it hides both the decryption key AND the definition of the system it's meant to attack. Unless you have the target configuration (or can guess it) you can't decrypt the payload or figure out what it's meant to attack. Brilliant.
Its a very clever hack indeed. We always think of encryption keys as something that we make up randomly and need to be transmitted.... but this isn't even an unusual style of use.
This is kind of like... taking some shared knwoledge, using it to make a key, then sending the encrypted data to someone, giving them a riddle only they can solve.
"The key is the date we first met, plus the date you left your first job, plus the name of the resteraunt we went to after your mothers funeral".
Except...its based on system configs. I have to wonder with path elements and program files how well balanced they are between identification of the specific machine(s) they want, against the possibility those configs will change before the payload goes off.
"I opened my eyes, and everything went dark again"
Since when did we start calling a payload a warhead, especially when it hasn't been decrypted?
One of my guesses is that both the PATH element and the Program Files item are linked to a single application. That way, as long as the application is installed, the payload would be decryptable. The name check suggests that the application is some in-house project, probably not publicly released.
But maybe the "trigger" is an application in certain environment. Then the Program File would determine application presence. Then the expected item of PATH could refer to some network share, mapped disk, e.g. T:\Repository\bin. Such combination would be pretty unique and therefore an ideal "trigger", IMHO.
Does somebody know whether there is that font ("Palida Narrow") available?
Notice how in the article it says that the code wants to find a program name with the first letter being over 0x007A (Unicode ‘z’). What possibilities could there be?
Couldn't Kaspersky Labs just post a Gauss detection tool or instructions to determine if your computer has been compromised, then just ask people/companies with infected machines to come forward and contact them? I'm sure the people who Gauss is targeting are probably paranoid of CIA and Mossad plots against them, but if they're infected with Gauss, they probably are already a victim of a CIA or Mossad plot to get them. They're already screwed, so it certainly couldn't hurt much more to trust Kaspersky.
That would make a lot of sense. Of course... while we are speculating... hows this one...
Perhaps there is no payload. The real action is the moles at kaspersky....
"Nope we haven't found it yet.... we have even asked the internet for help. Are you SURE there aren't any more program names/file paths we should be checking against?"
I would count that as unlikely, given the sophistication, but, its a possibility.
The really neat thing here is that.... the payload could have already gone off. Unless someone figures out the key, the chances of catching it "in the act" is pretty slim.
"I opened my eyes, and everything went dark again"
I work in a nuclear plant. Shall I try it?
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
If I remember correctly, Stuxnet targeted Windows machines in the first step too. There it infected developer tools and the damage-causing payload did get compiled into programs for those SCADA systems of certain importance. So Windows systems might not have any obvious importance at all, but they play a role of the weakest link surprisingly well.
Not to mention that reverse engineering isn't something most people think about or specialize in.
Nope, not something people think about... not so much. Except Kapersky. Yeah, Kapersky labs - that's pretty much what they think about and specialize in. Reverse engineering malware and viruses, that is. That's pretty much exactly what their core expertise involves. So maybe suggesting that they use reverse engineering is a little silly. Particularly when the accompanying article states that they reverse engineered the program and gives details as to exactly what it is doing based on this reverse engineering.
Let's see, who are we talking about anyway? Hmm... Eugene Kapersky is the top guy over there. It seems he was involved with building AVP back in the early 90's before founding Kapersky labs in the late 90's. He also "graduated from the Institute of Cryptography, Telecommunications and Computer Science, where he studied mathematics, cryptography and computer technology, majoring in mathematical engineering." - so he's got the training. Yup, I'd say advising this guy that executing the code in a virtualized environment might solve his problem just might be enough to make you look a tiny bit ridiculous.
It loops over all path/program pairs so adding will not foil it, only removing or changing the specific one it is looking for.
Of course they figured the bootstrap, now they need help to figure the key to decrypt the real payload. Very simply stated: create key from environment -> if key == 'hard coded key' then decrypt payload -> run payload
The same can be said about US and its weapons.
also posted this on one of the topics on securelist but figured it might get more discussion here...has anyone else noticed that if you move the N in the font name, it becomes "Palidan Arrow"? Does that name mean anything to anyone?
I realize that Palidan should be spelled Paladin, but since "Pali" is a normal shorthand for Paladin, it's not a completely unbelievable mistake. Also Palida sounds more believable for a font name than Paladi.
Anyway, it could be nothing, but it also could be an intentional play on words by the authors...
Since Iran does not have a nuclear weapons program - as concluded by both US and Israeli intelligence agencies (as opposed to their corrupt politicians) - and has every legal right to have its existing nuclear energy program - including full enrichment rights, even to 20% levels - which is fully under supervision by the IAEA, any attempt to attack its program is illegal.
For those seeking the real facts, as opposed to the propaganda crap put out by Fox News, The Washington Post, and the New York Times, go to www.antiwar.com, www.raceforiran.com, www.asiatimes.com and www.campaigniran.com.
In any event, the Gauss malware appears to be targeting Lebanon and not Iran. Some have suggested that it is targets at Lebanese banks which might be handling financial transactions by Hizballah, the Shia national resistance movement in Lebanon. If so, this is likely in preparation for the upcoming Israeli attack on Lebanon, which is scheduled to occur during the upcoming US/NATO/Turkey attack on Syria.
Allow me to explain the purpose of the Syrian crisis...
Back in 2006, Bush and Cheney were pushing for Israel to attack Iran. However, Israeli leaders balked because they believed that attacking Iran would result in
Iranian, Syrian AND Hizballah missiles raining down on Israel, causing Israelis to hide in bomb shelters for most of every day, damaging the economy, and
possibly causing the electorate to vote out the leaders in the next election.
In short, Israel wanted a "cheap" Iran war where they only had to deal with a couple hundred missiles from Iran (if that, once the US air strikes had taken
out most of Iran's missiles or where Iran had used most of its missiles on US assets in the region.)
So Israel decided with US blessing to attack Hizballah in Lebanon, hoping to force them far enough north that their (at that time limited-range) missiles
would be ineffective in an Iran war. As we know, Israel failed miserably due to Hizballah's superior preparation.
At that point, Middle East expert Colonel Pat Lang pointed out that the only way Israel could take out Hizballah in southern Lebanon would be to attack Hizballah
in the Bekaa Valley, which provides Hizballah with "defense in depth".
To do this, however, would require Israeli forces to enter Syrian territory and engage Syrian forces. Not that Israel couldn't do this, but it would result in
Israel forces facing Hizballah guerrilla war in their front while the remnants of Syria's forces engaged in guerrilla war in Israel's rear - not a good
position to be in if you want to minimize casualties and get Israel electorate support.
BUT...IF Syria were ALREADY under attack by the US/NATO/Turkey air strikes for "humanitarian reasons", that would make such an attack feasible because large
concentrations of Syrian forces would be suppressed by air strikes.
And this is why Syria is where it is today. And this is what will happen:
1) The US and NATO and Turkey will find a way to bypass the lack of UNSC Resolution authorization and will attack Syria before the end of this year.
2) In the course of that war, Israel - using the excuse that Syrian weapons are being sent to Hizballah (already floated in the Israel press as an excuse that
Israel "will have to" attack Syria and Lebanon) - will send one armored division into Syria to protect a second armored division which will proceed up the
Lebanese/Syrian border and then turn into the Bekaa Valley, while a third armored division attacks Southern Lebanon as before, in a classic "pincer
movement".
3) IF Israel succeeds in damaging Hizballah enough (which I am not sure is feasible but Israel has to try) and IF the US and NATO can damage enough of
Syria's missile inventory, then in the next year or so Israel and/or the US will attack Iran.
The ENTIRE purpose of the Syrian crisis is to remove Syria and Hizballah as effective actors in an Iran war, and thus to enable the Iran war to proceed.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!