
Gauss: The latest example of malware using identity-based encryption?


Gauss has been described as the latest type of malware to use host identity-based encryption (IBE) that binds the malicious payload to a specific computer by using a unique identifier.

According to Check Point's security evangelist Tomer Teller, this is the latest sign of a growing trend to ensure the malware is precision-targeted, as well as making analysis by anti-virus researchers much more difficult. Teller said the Flashback botnet, which compromised more than 500,000 Mac OS X computers in April 2012, was the first piece of malware to implement this technique in the wild; Gauss follows on from it.

He said: “When a computer got infected with Flashback (via a Java vulnerability exploit), the payload was not the actual malware, but was instead a small payload that gathered a unique identifier from the compromised machine. This unique identifier travelled back to the Flashback controller and was used to encrypt, compress and obscure the full version that later infected the computer.

“Similarly, Gauss will only decrypt and run its payload on a computer with specific system strings. Without knowing what the intended target's file system and system configuration look like, anti-virus researchers' efforts to analyse and understand Gauss' payload will be frustrated.”

Teller believes the use of host IBE is an evolution in the techniques used by malware authors, making it harder for security companies to analyse and develop countermeasures for malware.

A map from Symantec confirmed the Kaspersky Lab research that revealed that the majority of infections were in Lebanon, with infections also noted in Israel, the Palestinian territory and Turkey. It also reported that 147 infections had been detected in the United States.

Kaspersky Lab has invited cryptographers to contribute to an attempt at breaking the encrypted payload ‘Godel’ within Gauss. It said that the encrypted malicious payload is located in Gauss's USB data-stealing modules; the module tries to decrypt it using several strings taken from the system and executes it once decryption succeeds.

Aleks Gostev, chief security expert at Kaspersky Lab, said: “The purpose and functions of the encrypted payload currently remain a mystery. The use of cryptography and the precautions the authors have used to hide this payload indicate its targets are high profile.

“The size of the payload is also a concern. It's big enough to contain coding that could be used for cyber sabotage, similar to Stuxnet's SCADA code. Decrypting the payload will provide a better understanding of its overall objective and the nature of this threat.”

Attempting to break the encryption, Kaspersky Lab said it had tried millions of combinations of known names in %PROGRAMFILES% and Path, without success. It said that it is not feasible to break the encryption with a simple brute force attack, and asked anyone interested in breaking the code and figuring out the mysterious payload to contact it via email: theflame@kaspersky.com.
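To illustrate the analysis problem described above, here is an added example (not code from the article, Kaspersky Lab or Gauss itself) of the dictionary attack an analyst runs against a payload whose key is derived from host strings. The key derivation (PBKDF2), the keystream cipher and the HMAC validity check are constructed stand-ins for whatever Gauss really uses; the candidate lists and the sample blob are constructed too, so the search succeeds here only because the real strings are in the short lists. On a real host the %PROGRAMFILES% and Path candidate sets are far larger, which is why the attempt count grows multiplicatively and plain brute force is infeasible.

```python
import hashlib
import hmac
import itertools

# Constructed stand-in scheme: key = PBKDF2(host strings), cipher = SHA-256 counter
# keystream XOR, validity = HMAC over the ciphertext. Not Gauss's real construction.
SALT = b"constructed-salt"


def derive_key(host_strings):
    """Derive a 32-byte key from an ordered tuple of host-specific strings."""
    material = "\x00".join(host_strings).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, SALT, 1000, dklen=32)


def keystream(key, n):
    """Expand key into n bytes of keystream via SHA-256 in counter mode."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(payload, host_strings):
    """Build the constructed test fixture: ciphertext followed by a 32-byte tag."""
    key = derive_key(host_strings)
    ct = bytes(a ^ b for a, b in zip(payload, keystream(key, len(payload))))
    return ct + hmac.new(key, ct, "sha256").digest()


def try_open(blob, host_strings):
    """Return the plaintext if host_strings yield a valid key, else None."""
    key = derive_key(host_strings)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def dictionary_attack(blob, programfiles_candidates, path_candidates):
    """Analyst's search: try every (%PROGRAMFILES% name, Path entry) pair.

    Returns (matching pair, plaintext, attempts made); pair and plaintext are
    None when the candidate lists do not contain the real host strings.
    """
    attempts = 0
    for combo in itertools.product(programfiles_candidates, path_candidates):
        attempts += 1
        pt = try_open(blob, combo)
        if pt is not None:
            return combo, pt, attempts
    return None, None, attempts
```

With two lists of a few hundred thousand entries each, the product already reaches the "millions of combinations" the article mentions, and any string outside the lists defeats the search entirely.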
