Mysterious font left by malware befuddles

The most famous -- and mysterious -- font (yes, we're talking typeface) in the information security world right now is Palida Narrow.

Palida Narrow is a new font that the recently discovered Gauss malware installs on machines it infects. And as Dennis Fisher, writing on Kaspersky Lab's Threatpost blog, noted late last week, "Researchers have been unable to figure out yet what the purpose of the font is, but ... its presence on a PC is a good indicator of a Gauss infection."

So far there are only theories about its purpose. The most popular is that it is a brand mark for the command and control servers. But those have been offline since last month.

CrySys Lab, which along with Kaspersky has released a Gauss detection tool, says the theory is that "Palida installation can be in fact detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages."
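The remote check CrySyS describes works because a web page can ask the browser to render text in a named font and observe whether the browser actually had it. The following is an added illustration of that detection logic, not CrySyS Lab's or Kaspersky's own tool: text is measured in a fallback family and again in "Palida Narrow, fallback"; if the candidate font is absent the browser silently substitutes the fallback and the widths match, so any width difference indicates the font is installed.

```javascript
// Added example: browser-side presence check for an infection-marker font.
// Only the decision logic runs outside a browser; the canvas calls need the DOM.
const FALLBACKS = ["monospace", "serif", "sans-serif"];
// Wide and narrow glyphs together amplify per-font width differences.
const SAMPLE = "mmmmmmmmmmlli0123456789";

// Width of SAMPLE rendered in `fontFamily` on a 2D canvas context (browser only).
function measureWidth(fontFamily, ctx) {
  ctx.font = `72px ${fontFamily}`;
  return ctx.measureText(SAMPLE).width;
}

// Collect { fallback: { base, candidate } } measurements for one candidate font.
function probeFont(candidate, ctx) {
  const widths = {};
  for (const fb of FALLBACKS) {
    widths[fb] = {
      base: measureWidth(fb, ctx),
      candidate: measureWidth(`"${candidate}", ${fb}`, ctx),
    };
  }
  return widths;
}

// Pure decision: the candidate is considered installed if it renders differently
// from at least one fallback. A tolerance absorbs sub-pixel rounding noise.
function fontLooksInstalled(widths, tolerance = 0.01) {
  return FALLBACKS.some((fb) => {
    const w = widths[fb];
    return Boolean(w) && Math.abs(w.candidate - w.base) > tolerance;
  });
}

// Browser entry point for the font named in the article. A negative result proves
// nothing: the page notes the font-installing module was rarely deployed.
function checkPalidaNarrow() {
  const ctx = document.createElement("canvas").getContext("2d");
  return fontLooksInstalled(probeFont("Palida Narrow", ctx));
}
```

In a page served by a detection site, `checkPalidaNarrow()` would be called on load and its result reported back; the same measurement trick is also why a font is a cheap remote marker for whoever installed it.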

Joel Harding, a retired intelligence officer and information operations expert who has been following the investigation into Gauss, agrees, with the caveat that everything so far is speculation. Noting that the various modules in Gauss are all named for philosophers, he said, "It is the [Joseph-Louis] LaGrange module that is installing the Palida font onto the previously uninfected systems, allowing remote detection of an infected computer without compromising a probe."


Kevin McAleavey, cofounder and chief architect of the KNOS project and a veteran malware researcher, said the purpose of Palida Narrow might go beyond tracking visits. "It could be that the custom font may have special value to the character sets within which might not be 'printable characters' but useful nonetheless to whatever intent Gauss has," he said.

"But the missing piece here could very well be that although the current font being installed hasn't been found to be malicious, it could be a 'placeholder' in this code," McAleavey said. "Quite possibly this mysterious font install, which proves to be harmless, might have replaced the original payload in order to avoid disclosure of the original code that accompanied Gauss. That would certainly lead to the current outcome, in which the mysterious font has been found to be inert."

Chris Sanders, a senior security analyst at InGuardians, an information security consultancy, also said the "marker" theory is plausible. "Any time any type of purposeful malware is installed on a system, the attacker has to have a mechanism that allows him to ensure that the malware was installed, and that it was installed with the appropriate level of access to the system," he said, adding that Palida Narrow is "an eloquent solution for a malware author, as it doesn't require the installation of any additional browser components such as a JavaScript interpreter."

But his InGuardians colleague John Sawyer, also a senior security analyst, said it is misleading to say that the Palida Narrow font is a definitive infection marker for all Gauss-infected machines. "Kaspersky's own research paper shows the LaGrange module that installs the font was configured on only three of approximately 1,700 infections that they analyzed," he said.

There is general consensus that it is unusual. "The installation of the Palida font is unique, it's a first," said Harding. "This is a font that did not previously exist, it was customized for this tool. We have never seen a font installed by malware before."

And John Sawyer said that while including a marker of some type in malware is common, "the use of a font is particularly clever as it makes web-based detection incredibly easy."

Still, why would the Gauss creators mark it with a new font? Wouldn't that make it much easier to detect the presence of Gauss on a machine? Not necessarily, experts say.

Roger Thompson, chief emerging threats researcher at ICSA Labs, thinks Palida Narrow may have simply been a careless mistake. "I often joke that programmers, especially good ones, are likely to look for shortcuts and time savers," he said.

"What this means is that when they write a program, they rarely start from scratch, but instead think to themselves, 'OK, I know I wrote some code like that once before,' and they copy and paste the old code into the new code. I think that time will show that Palida Narrow was simply accidentally left over from a previous project."

Others believe it was more purposeful than that, but say it won't necessarily make Gauss easier to detect. John Sawyer noted again that the LaGrange module was found on only a small number of infected machines.

And Joel Harding said that while the font will definitely be a tipoff that Gauss is present, "the beauty of this technique is that it has never been used before."

"Before 9/11, few in the world considered a commercial airplane as a possible weapon. Now we will start considering a font, and hopefully other items possibly detected by network management tools, as possible indicators of an infection," Harding said.

Harding said he suspects that by the time Gauss is decrypted and fully understood, its creators will be using something else. "Don't forget that Stuxnet used four brand new zero day exploits and Gauss is using techniques that never previously existed," he said. "This design team not only is comfortable operating outside the box, they excel in it. Now the challenge is to continue developing new tools by thinking further outside the box."
