Posted August 17, 2012 by Rapid Carol in Tech News
 
 

Kaspersky Labs Looks to The Public To Help with Gauss Malware

The Gauss malware, discovered last month, contains an encrypted module called Godel which security experts have been unable to decrypt – and are now seeking the public’s help to crack.

Kaspersky Labs, the Russian-based security firm which first discovered the Gauss malware, has just posted all the information about the encrypted ‘payload’ on its website “in the hope that someone can find a solution and unlock its secrets.”

The company is seeking help from those interested in mathematics and cryptography to join them in solving the mystery.

Gauss is a piece of malware which is targeting financial systems in Lebanon, as well as PayPal and Citibank customers, and was created by the same people who created the Flame and Stuxnet malware, the latter targeting the Natanz nuclear facility in Iran.

Stuxnet was created under the auspices of the secret cyber-espionage Olympic Games project initiated by US President George W. Bush and continued by his successor, Barack Obama. It has been shown that the creators of Stuxnet and Flame collaborated at one stage in their development, and Kaspersky believes the same group is behind Gauss.

While Kaspersky has discovered a lot about the new malware, it has been unable to crack one specific module, or “encrypted warhead”, which is named Godel.

What this module does, and who its intended target is, remain unknown. What is known, however, is that the Godel module targets only machines with very specific configurations.

Decryption key

The decryption key, Kaspersky believes, will be derived from these specific system configurations, and so far it has been unable to find out what they are.

Kaspersky says that the code that decrypts the sections is very complex “compared to any regular routine we usually find in malware.” While Kaspersky has tried “millions of combinations of known names” in program files, it has been unsuccessful to date.

“The attackers are looking for a very specific program with the name written in an extended character set, such as Arabic or Hebrew, or one that starts with a special symbol such as ‘~’,” Kaspersky said in its blog.
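The candidate search described above can be sketched from the analyst's side as follows. This is an added example, not code from Kaspersky or from Gauss: the hash construction, round count, salt, check value and every path and program name are constructed assumptions, since the article does not give the real algorithm.

```python
import hashlib
import itertools

ROUNDS = 1000  # assumed iteration count, not the real value

def derive_key(path_entry, program_name, salt):
    """Hypothetical KDF: iterated hash over two strings taken from the host."""
    data = salt + path_entry.encode("utf-16-le") + program_name.encode("utf-16-le")
    digest = hashlib.sha256(data).digest()
    for _ in range(ROUNDS):
        digest = hashlib.sha256(digest + salt).digest()
    return digest

def check_value(key):
    """One-way validation value stored beside the ciphertext (assumed layout)."""
    return hashlib.sha256(b"check" + key).digest()

def is_candidate(name):
    """Keep only names like those quoted: leading '~' or non-ASCII characters."""
    return name.startswith("~") or any(ord(c) > 0x7F for c in name)

def search(paths, names, salt, target_check):
    """Try every (path, name) pair; return the matching pair and guesses made."""
    tried = 0
    for path_entry, name in itertools.product(paths, names):
        if not is_candidate(name):
            continue
        tried += 1
        if check_value(derive_key(path_entry, name, salt)) == target_check:
            return (path_entry, name), tried
    return None, tried

# Constructed sample data: stands in for what an analyst extracts from a sample.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
TARGET_CHECK = check_value(derive_key("C:\\Tools\\bin", "~example", SALT))
PATHS = ["C:\\Windows", "C:\\Tools\\bin"]
NAMES = ["notepad.exe", "~example", "\u0645\u062b\u0627\u0644"]

if __name__ == "__main__":
    match, tried = search(PATHS, NAMES, SALT, TARGET_CHECK)
    print("match:", match, "after", tried, "guesses")
    miss, tried = search(PATHS, ["notepad.exe", "\u0645\u062b\u0627\u0644"], SALT, TARGET_CHECK)
    print("without the right name:", miss, "after", tried, "guesses")
```

Because the check value is one-way, a wrong guess reveals nothing about how close it was, which is why a wordlist of "known names" can fail indefinitely when the right name is not in it.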

While the specific target is unknown, the lengths the creators of the malware have gone to in order to encrypt this module suggest it is a very high-profile target.

If you are interested in helping Kaspersky crack the code, the information is available on its Securelist blog and you can contact them by emailing: flame@kaspersky.com
