Call for help on Gauss highlights new malware era

Kaspersky Lab is asking for help in unraveling the mysterious payload of Gauss, a task that security experts say would help enterprises determine whether they are potential targets of the highly sophisticated cyber-surveillance virus.

On Tuesday, Kaspersky asked for assistance from cryptographers and mathematicians who could help the security vendor decrypt Gauss' warhead, a module named "Godel." Breaking the payload's code would make it possible to determine what the malware does within an infected system.

"Despite our best efforts, we were unable to break the encryption. So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets," Kaspersky said on its blog. "We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload."

The code to decrypt Gauss is more complex than any Kaspersky usually finds in malware. The company said it had tried millions of combinations without success in trying to find the decryption keys. "If you are a world-class cryptographer or if you can help us with decrypting them, please contact us by e-mail:," the company said.

Gauss and its relatives are at the far end of a trend toward more sophisticated malware. For years, security experts have seen malware grow more complex and gain capabilities surpassing expectations.

"In the long term, what you're going to observe is that more malware will become significantly more complex," Huston said. "It's going to be able to reach across different applications and different computing platforms and have a significantly larger impact than we have today."


Kaspersky discovered Gauss this month in the Middle East. Security experts believe the malware is a descendant of Stuxnet, Flame and Duqu.

All three of these spying malware families are aimed at specific government and industrial targets. Flame was discovered in May in Iran's oil-ministry computers. Like Flame, Duqu, discovered in October 2011, is related to Stuxnet, which is believed to have damaged control systems within Iranian nuclear facilities in 2010. Duqu used similar code, but was built to steal information.

The New York Times reported in June that Stuxnet was part of a U.S. and Israeli intelligence operation.

Security experts have garnered enough information from Gauss to create signatures for antivirus software and intrusion protection systems (IPS). Therefore, the defense mechanisms are the same as with any other known malware. "Enterprises must have up-to-date antivirus at the endpoint, some type of [antivirus] at the gateway, either network or email, or, if possible, both," said Charles Kolodgy, an analyst for IDC. In addition, he recommended the use of an IPS to identify abnormal traffic within the network.

The value of understanding Gauss' payload is in learning the components targeted after the malware plants itself in a system. "Until we can decrypt or observe that payload in execution, we really don't know what happens after the initial stage of infection," said Brent Huston, chief executive of MicroSolved, a provider of security assessments and penetration testing.

Once that information is made available to chief security officers, they can determine whether their company is a potential target, Huston said. "It keeps you from spending a bunch of resources, if you don't have to."

Stories by Antone Gonsalves