Researchers Seek Help Cracking Gauss Mystery Payload

A string pair from the Gauss malware. Image courtesy of Kaspersky Lab

Researchers at Kaspersky Lab in Russia are asking the public for help in cracking an encrypted warhead that gets delivered to infected machines by the Gauss malware toolkit.

The malware decrypts the warhead with a key derived from configuration data on the system it is targeting. Without knowing which systems are targeted, or what configuration those systems carry, the researchers have been unable to reproduce the key and so cannot crack the encryption.

“We are asking anyone interested in cryptology, numerology and mathematics to join us in solving the mystery and extracting the hidden payload,” the researchers write in a blog post published Tuesday.

The payload is delivered to machines via an infected USB stick that uses the Windows .LNK shortcut vulnerability (CVE-2010-2568, the same flaw Stuxnet exploited) to run the malicious code. In addition to the encrypted payload, infected USB sticks carry two other files that also contain encrypted sections Kaspersky has been unable to crack.

“The code that decrypts the sections is very complex compared to any regular routine we usually find in malware,” Kaspersky writes. Kaspersky believes one of these sections may contain data that helps crack the payload.

Last week, Kaspersky disclosed a newly uncovered espionage tool, apparently built by the same people behind the state-sponsored Flame malware, that has infected at least 2,500 machines so far, primarily in Lebanon.

The spyware, dubbed Gauss after a name found in one of its main files, has a module that steals login credentials for accounts at several Lebanese banks and also targets customers of Citibank and PayPal.

But the most intriguing part of the malware is the mysterious payload, designated resource “100,” which Kaspersky fears could be designed to cause some sort of destruction against critical infrastructure.

“The [encrypted] resource section is big enough to contain a Stuxnet-like SCADA targeted attack code and all the precautions used by the authors indicate that the target is indeed high profile,” Kaspersky writes in its blog post.

The payload appears to be highly targeted: it only unlocks on machines with a specific configuration, because that configuration is the input used to generate the decryption key. What the configuration is remains unknown, but Roel Schouwenberg, a senior researcher with Kaspersky, says it involves the programs, paths and files present on the system.

Once it finds a system with the programs and files it is looking for, the malware feeds that data through 10,000 iterations of MD5 to derive a 128-bit RC4 key, then uses the key to decrypt the payload and launch it. The iteration count is a work factor: every guess at the configuration costs 10,000 hash computations, which is cheap for a handful of candidates but adds up over millions. What actually protects the payload, though, is not the hashing but the entropy of the unknown input; if the right string is drawn from a large character set and is not in anyone's wordlist, no amount of hashing speed helps.

“We have tried millions of combinations of known names in %PROGRAMFILES% and Path, without success,” Kaspersky writes in its post. “[T]he attackers are looking for a very specific program with the name written in an extended character set, such as Arabic or Hebrew, or one that starts with a special symbol such as ‘~’.”
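The scheme described above (a victim-side string pushed through 10,000 rounds of MD5 to produce an RC4 key) and the dictionary search Kaspersky ran against it can be modelled in a few dozen lines. The block below is an added illustration, not Kaspersky's tooling or Gauss's own code: the layout of the key material (a %PROGRAMFILES% directory name followed by the PATH variable, in UTF-16-LE as Windows stores it), the use of a hash of the key as the on-disk validator, and all sample strings are assumptions made for the demo. Gauss's real routine has details this article does not describe and this code does not claim to reproduce.

```python
"""Configuration-keyed payload decryption, Gauss-style (added example).

The dropper carries only ciphertext plus a validator; the key exists
nowhere on disk and is rebuilt from the victim's own configuration.
Material layout, validator and all constants below are assumptions.
"""
import hashlib

ITERATIONS = 10_000


def derive_key(material: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated MD5: each round hashes the previous 16-byte digest.
    The final digest is used directly as a 128-bit RC4 key."""
    digest = material
    for _ in range(iterations):
        digest = hashlib.md5(digest).digest()
    return digest


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: one call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_material(program_dir: str, path_env: str) -> bytes:
    """Assumed layout: directory name followed by PATH, encoded UTF-16-LE
    the way Windows holds them. Arabic or Hebrew names are ordinary input."""
    return (program_dir + path_env).encode("utf-16-le")


def validator(key: bytes) -> str:
    """What the dropper can ship without revealing the key: a hash of it."""
    return hashlib.md5(key).hexdigest()


def find_key(candidates, path_env: str, stored_validator: str):
    """Kaspersky's approach: try known %PROGRAMFILES% names and see whether
    any reproduces the stored validator. Returns (key, attempts) on a hit,
    (None, attempts) otherwise. Each attempt costs ITERATIONS MD5 calls."""
    attempts = 0
    for name in candidates:
        attempts += 1
        key = derive_key(key_material(name, path_env))
        if validator(key) == stored_validator:
            return key, attempts
    return None, attempts


# ---- constructed demo data (not real Gauss values) ------------------------
TARGET_DIR = "~\u0627\u0644\u0628\u0631\u0646\u0627\u0645\u062c"   # "~" + an Arabic word
TARGET_PATH = r"C:\Windows\system32;C:\Windows"
PAYLOAD = b"MZ\x90\x00 constructed stand-in for resource 100"

TARGET_KEY = derive_key(key_material(TARGET_DIR, TARGET_PATH))
CIPHERTEXT = rc4(TARGET_KEY, PAYLOAD)           # what the attacker ships
STORED_VALIDATOR = validator(TARGET_KEY)        # shipped alongside it

COMMON_NAMES = ["Common Files", "Internet Explorer", "Microsoft Office",
                "Windows Media Player", "Java"]


def search_common_names():
    """A wordlist of ordinary program names never hits (the 'millions of
    combinations' problem); only a list containing the real name does.
    Returns (key_from_common_list, attempts, recovered_plaintext)."""
    miss, tried = find_key(COMMON_NAMES, TARGET_PATH, STORED_VALIDATOR)
    hit, _ = find_key(COMMON_NAMES + [TARGET_DIR], TARGET_PATH, STORED_VALIDATOR)
    plaintext = rc4(hit, CIPHERTEXT) if hit is not None else None
    return miss, tried, plaintext


if __name__ == "__main__":
    miss, tried, plaintext = search_common_names()
    print(f"common names tried: {tried}, hit: {miss is not None}")
    print("recovered:", plaintext)
```

The point the code makes is the one in Kaspersky's complaint: `find_key` works instantly when the right name is in the list and fails silently otherwise, and nothing in the ciphertext or validator tells you how close a guess was. Swapping the validator for the real one (the page only publishes the first 32 bytes and hashes of each section) would not change the search strategy, only the wordlist.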

Kaspersky has published the first 32 bytes of each encrypted section in the Gauss malware, along with hashes, in the hope that cryptographers will be able to help. Anyone who wants to help can contact the researchers to obtain more data: [email protected].

Crowdsourcing has worked for Kaspersky before. Earlier this year, the company asked the public for help identifying a mysterious programming language used in another nation-state-sponsored malware, Duqu. Within two weeks, with the public's help, they had identified the language.