Gauss: The latest example of malware using identity-based encryption?

Share this article:

Gauss has been described as the latest type of malware to use host identity-based encryption (IBE) that binds the malicious payload to a specific computer by using a unique identifier.

According to Check Point's security evangelist Tomer Teller, this is the latest sign of a growing trend to ensure the malware is precision-targeted, as well as making analysis by anti-virus researchers much more difficult. Following on from the Flashback botnet, which Teller said was the first example of this technique to compromise more than 500,000 Mac OS X computers in April 2012, this was the first piece of malware to implement this technique in the wild.

He said: “When a computer got infected with Flashback (via a Java vulnerability exploit), the payload was not the actual malware, but was instead a small payload that gathered a unique identifier from the compromised machine.  This unique identifier travelled back to the Flashback controller and was used to encrypt, compress and obscure the full version that later infected the computer.

“Similarly, Gauss will only decrypt and run its payload on a computer with a specific system strings. Without knowing what the intended target's file system and system configuration looks like, anti-virus researchers' efforts to analyse and understand Gauss' payload will be frustrated.”

Teller believes the use of host IBE is an evolution in the techniques used by malware authors, making it harder for security companies to analyse and develop countermeasures for malware.

A map from Symantec confirmed the Kaspersky Lab research that revealed that the majority of infections were in Lebanon, with infections also noted in Israel, the Palestinian territory and Turkey. It also reported that 147 infections had been detected in the United States.

Kaspersky Lab has invited cryptographers to contribute to an attempt in breaking the encrypted payload ‘Godel' within Gauss. It said that the encrypted malicious payload is located in Gauss's USB data-stealing modules and tries to decrypt using several strings from the system and executes it once successful.

Aleks Gostev, chief security expert at Kaspersky Lab, said: “The purpose and functions of the encrypted payload currently remain a mystery. The use of cryptography and the precautions the authors have used to hide this payload indicate its targets are high profile.

“The size of the payload is also a concern. It's big enough to contain coding that could be used for cyber sabotage, similar to Stuxnet's SCADA code. Decrypting the payload will provide a better understanding of its overall objective and the nature of this threat.”

Attempting to break the encryption, Kaspersky Lab said it had tried millions of combinations of known names in %PROGRAMFILES% and Path, without success and said that it is not feasible to break the encryption with a simple brute force attack, so asked anyone interested in breaking the code and figuring out the mysterious payload to contact it via email: theflame@kaspersky.com.

Share this article: