
Gauss: The latest example of malware using identity-based encryption?


Gauss has been described as the latest type of malware to use host identity-based encryption (IBE) that binds the malicious payload to a specific computer by using a unique identifier.

According to Check Point's security evangelist Tomer Teller, this is the latest sign of a growing trend towards malware that is precision-targeted and that is much harder for anti-virus researchers to analyse. Gauss follows the Flashback botnet, which compromised more than 500,000 Mac OS X computers in April 2012 and which Teller said was the first piece of malware to implement this technique in the wild.

He said: “When a computer got infected with Flashback (via a Java vulnerability exploit), the payload was not the actual malware, but was instead a small payload that gathered a unique identifier from the compromised machine. This unique identifier travelled back to the Flashback controller and was used to encrypt, compress and obscure the full version that later infected the computer.

“Similarly, Gauss will only decrypt and run its payload on a computer with specific system strings. Without knowing what the intended target's file system and system configuration look like, anti-virus researchers' efforts to analyse and understand Gauss' payload will be frustrated.”

Teller believes the use of host IBE is an evolution in the techniques used by malware authors, making it harder for security companies to analyse and develop countermeasures for malware.

A map from Symantec confirmed the Kaspersky Lab research that revealed that the majority of infections were in Lebanon, with infections also noted in Israel, the Palestinian territory and Turkey. It also reported that 147 infections had been detected in the United States.

Kaspersky Lab has invited cryptographers to contribute to an attempt at breaking the encrypted payload, ‘Godel’, within Gauss. It said that the encrypted malicious payload is located in Gauss's USB data-stealing modules, which try to decrypt it using several strings from the system and execute it once decryption succeeds.

Aleks Gostev, chief security expert at Kaspersky Lab, said: “The purpose and functions of the encrypted payload currently remain a mystery. The use of cryptography and the precautions the authors have used to hide this payload indicate its targets are high profile.

“The size of the payload is also a concern. It's big enough to contain coding that could be used for cyber sabotage, similar to Stuxnet's SCADA code. Decrypting the payload will provide a better understanding of its overall objective and the nature of this threat.”

In attempting to break the encryption, Kaspersky Lab said it had tried millions of combinations of known names in %PROGRAMFILES% and Path without success. It said that it is not feasible to break the encryption with a simple brute-force attack, and asked anyone interested in breaking the code and figuring out the mysterious payload to contact it via email:
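To make concrete what Teller describes (a payload keyed to host-specific strings) and why Kaspersky's dictionary approach is the only practical route, here is a constructed illustration written for this article; it is not Gauss's actual scheme and not Kaspersky's code. The key-derivation, the iteration count, the directory names and the payload are all assumptions; the analyst side shows that each wrong candidate costs a full derivation, which is what makes guessing expensive.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Hypothetical host-keyed scheme for illustration only (not Gauss's real one).
# The key is derived from a string that only exists on the intended host, such
# as a directory name under %PROGRAMFILES%; a hash of the derived key is stored
# so the loader can tell whether it is running on the intended host.
ITERATIONS = 10_000  # assumed work factor; every candidate costs this much


def derive_key(env_string: str, salt: bytes) -> bytes:
    """Iterated SHA-256 over a host-specific string (constructed KDF)."""
    k = salt + env_string.encode("utf-16-le")
    for _ in range(ITERATIONS):
        k = hashlib.sha256(k).digest()
    return k


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream (SHA-256 in counter mode); symmetric, so used both ways."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "little")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def bind_payload(payload: bytes, env_string: str, salt: bytes) -> dict:
    """Produce a container that only decrypts where env_string is present."""
    key = derive_key(env_string, salt)
    return {"salt": salt,
            "check": hashlib.sha256(key).digest(),   # lets the loader test the host
            "blob": xor_stream(key, payload)}


def try_decrypt(container: dict, candidates: Iterable[str]
                ) -> Tuple[Optional[str], Optional[bytes]]:
    """Analyst's dictionary attempt: derive a key per candidate string and
    accept it only if the stored check value matches (constant-time compare)."""
    for cand in candidates:
        key = derive_key(cand, container["salt"])
        if hmac.compare_digest(hashlib.sha256(key).digest(), container["check"]):
            return cand, xor_stream(key, container["blob"])
    return None, None


def guess_cost(num_candidates: int) -> int:
    """Hash operations needed to exhaust a candidate list of the given size."""
    return num_candidates * ITERATIONS
```

With a list of common %PROGRAMFILES% names the attempt returns nothing, and only a list containing the real host string recovers the payload; the cost grows linearly with the dictionary, which is why millions of candidates can still fail.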
