Tool Detects Gauss Font

Wednesday, August 15, 2012 @ 02:08 PM gHale


Research continues on the Gauss malware, and one remaining mystery is that the malware installs a new font called Palida Narrow on infected machines.

Researchers don't know what the purpose of the font is, but its presence on a PC is a good indicator of a Gauss infection. As a result of this new information, CrySyS Lab and Kaspersky Lab released a tool to detect it.


The detection tool is on the Securelist site and also on the CrySyS Lab site. The two main questions surrounding Gauss are why Palida Narrow ends up installed and what’s inside the encrypted payload that Gauss installs on infected machines. While it may be some time before anyone learns of the contents of the payload, researchers have a number of theories about why the font installs on newly infected machines.

Perhaps the most intriguing of these theories is that Palida Narrow is a kind of brand to mark infected PCs for the command-and-control servers.

“A third, and more probable idea is that Palida installation can be in fact detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages. We tell you how. If you open a web page, it can contain a CSS style sheet link, that actually tells your browser how the text blocks should look like on the web page. This style sheet can in fact include references to font faces to be used. The font face definition can refer to a local font and a URL also (with some limitations) in order to get the necessary font face if it is not installed on your system,” CrySyS Lab said in a blog post.
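The article treats the presence of Palida Narrow as a host indicator of a Gauss infection and describes a browser-side way of noticing it. As an added example (not the CrySyS Lab or Kaspersky tool, and not code from the article), the script below checks the host directly: it enumerates the Windows font registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts` and the `%WINDIR%\Fonts` directory, then reports any entry whose name or file mentions Palida. The sample font list and the file name `palida.ttf` are constructed values for illustration, not documented Gauss artifacts.

```python
"""Host-side check for the Palida Narrow font (Gauss indicator).

Added example; not the CrySyS/Kaspersky detection tool.
Assumptions: installed fonts are listed under the registry key
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Fonts and in
%WINDIR%\\Fonts. The sample entries below are constructed.
"""
import os
import re
import sys

# Case-insensitive match on the font name the article names.
PALIDA_RE = re.compile(r"palida", re.IGNORECASE)

# Constructed sample of (display name, file name) pairs, in the shape the
# Fonts registry key uses; 'palida.ttf' is an illustrative file name only.
SAMPLE_FONT_ENTRIES = [
    ("Arial (TrueType)", "arial.ttf"),
    ("Palida Narrow (TrueType)", "palida.ttf"),
    ("Tahoma (TrueType)", "tahoma.ttf"),
]


def find_palida(font_entries):
    """Return the (name, file) pairs whose name or file mention Palida."""
    hits = []
    for name, file_name in font_entries:
        if PALIDA_RE.search(name or "") or PALIDA_RE.search(file_name or ""):
            hits.append((name, file_name))
    return hits


def registry_fonts():
    """Enumerate the Fonts registry key on Windows; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    entries = []
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            entries.append((name, str(data)))
            index += 1
    return entries


def directory_fonts(font_dir):
    """List font files in a directory as (stem, filename) pairs."""
    if not os.path.isdir(font_dir):
        return []
    return [(os.path.splitext(f)[0], f) for f in sorted(os.listdir(font_dir))]


def scan_host():
    """Combine registry and directory evidence and return Palida hits."""
    entries = registry_fonts()
    win_dir = os.environ.get("WINDIR", r"C:\Windows")
    entries += directory_fonts(os.path.join(win_dir, "Fonts"))
    return find_palida(entries)


if __name__ == "__main__":
    hits = scan_host() if sys.platform == "win32" else find_palida(SAMPLE_FONT_ENTRIES)
    if hits:
        print("Palida Narrow present (Gauss indicator):")
        for name, file_name in hits:
            print(f"  {name} -> {file_name}")
    else:
        print("Palida Narrow not found.")
```

On a non-Windows host the script falls back to the constructed sample so the matching logic can still be exercised; a real triage run would pair this with the rest of the Gauss indicators rather than treat the font alone as proof of infection.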

The other possibility is that the Gauss attackers are simply typeface enthusiasts and were proud of their creation and wanted to share it with the world.
