Kaspersky pleads for crypto help to probe Gauss malware

Encrypted warhead stymies investigation of nation-backed cyber snooper

Kaspersky Lab today appealed for help from top-notch cryptographers to help it break the encryption of a still-mysterious warhead delivered by the Gauss cyber-surveillance malware.

"We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload," said the Moscow-based security company in a blog post Tuesday. "Despite our best efforts, we were unable to break the encryption."

The payload is one of the unknowns of Gauss, a sophisticated spying tool uncovered by Kaspersky last week. According to researchers, Gauss monitors financial transactions with Middle Eastern banks and was built by or backed by one or more governments.

While Kaspersky has figured out that the payload is delivered via USB flash drives -- to close the 'air gap' between the Internet and PCs not connected to the Web -- it has been stymied in its attempts to decrypt the module, which is encrypted with an RC4 key.

RC4, which was created by RSA Security 25 years ago, is also used in SSL (secure socket layer) to secure communications between websites and browsers.

Kaspersky noted that the decryption key for the payload is generated dynamically by the victimized PC. "[That] prevents anyone except the designated target(s) from extracting the contents of the sections," Kaspersky said today. "It's not feasible to break the encryption with a simple brute-force attack."

Because Gauss has connections to Flame, another cyber snooper that targeted Iranian PCs, and since most experts believe Flame was linked to Stuxnet -- the worm discovered in 2010 that sabotaged Iran's nuclear fuel enrichment program -- Kaspersky has wondered if Gauss' encrypted payload may contain Stuxnet-like code that targets SCADA (supervisory control and data acquisition) systems.

SCADA systems monitor and control critical industrial processes, ranging from oil refineries and factories to power grids and gas pipelines.

"The resource section [of the encrypted payload] is big enough to contain a Stuxnet-like SCADA-targeted attack code and all the precautions used by the authors indicate that the target is indeed high profile," said Kaspersky.

The security company had previously spelled out other similarities between Gauss and Stuxnet, including the use of a now-patched vulnerability in Windows' shortcuts and the reliance on USB drives to deliver attack code to PCs isolated from the Internet.

In its Tuesday blog post, Kaspersky included the first 32 bytes of encrypted data and hashes from the enigmatic payload.

"If you are a world-class cryptographer or if you can help us with decrypting [this], please contact us by e-mail: theflame@kaspersky.com," said Kaspersky. The company also said it would provide more encrypted data on request.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about cyberwarfare in Computerworld's Cyberwarfare Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place