Help Sought for Gauss Decryption

Thursday, August 16, 2012 @ 05:08 PM gHale

There is an open call for the security industry to help break the encryption protecting a module of the Gauss cyber-surveillance malware.

Kaspersky Lab is leading the charge, appealing to experienced cryptographers for help in breaking the encryption Gauss uses on its hidden payload.


“We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload,” said the Moscow-based security company in a blog post. “Despite our best efforts, we were unable to break the encryption.”

The payload is one of the unknowns of Gauss, a sophisticated spying tool Kaspersky disclosed last week. According to researchers, Gauss monitors financial transactions with Middle Eastern banks and appears to have been built or backed by one or more governments.

While Kaspersky has figured out the payload travels on USB flash drives, which lets it bridge the air gap between Internet-connected machines and PCs that are never put on the Web, it remains stymied in trying to decrypt the module, which the developers encrypted with RC4 under a key that is not stored anywhere in the malware.

RC4, designed at RSA Security 25 years ago, is a stream cipher still widely used in SSL (Secure Sockets Layer) and its successor TLS to protect traffic between browsers and websites.

Kaspersky noted the decryption key for the payload is generated dynamically on the victimized PC from data specific to that machine, so a copy of the malware taken from any other system carries the ciphertext but not the key. “[That] prevents anyone except the designated target(s) from extracting the contents of the sections,” Kaspersky said. “It’s not feasible to break the encryption with a simple brute-force attack.” The practical consequence is that the cipher is not the weak point; the work reduces to guessing the machine-specific input from which the key is derived.
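To make concrete what an environment-derived key means for an analyst, here is an added example (not code from the original article or from Kaspersky): a minimal RC4 implementation plus a hypothetical key derivation that hashes a target-specific string (here, an assumed directory name that exists only on the victim) together with a salt, then a guessing routine of the kind the appeal is really asking for. The derivation scheme, the iteration count, the salt, the magic-byte validity check, the sample payload and the target string are all constructed for this illustration and are not a description of Gauss's actual scheme.

```python
import hashlib
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling (KSA) followed by keystream
    generation (PRGA). Encryption and decryption are the same XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# --- Everything below is this example's own construction, not Gauss's scheme ---
SALT = b"example-salt-0001"   # constructed; a real implant would embed its own
ROUNDS = 10000                # assumed iteration count, chosen to slow guessing
MAGIC = b"MZ\x90\x00"         # assumed: the hidden payload is a PE image, so
                              # only the right key yields this header


def derive_key(target_string: str, salt: bytes = SALT, rounds: int = ROUNDS) -> bytes:
    """Hypothetical environment-keyed derivation: SHA-256 iterated over a
    target-specific string. Nothing in the binary reveals the string, so the
    key exists only where the string exists."""
    h = hashlib.sha256(target_string.encode("utf-8") + salt).digest()
    for _ in range(rounds - 1):
        h = hashlib.sha256(h + salt).digest()
    return h  # 32-byte RC4 key


def seal(payload: bytes, target_string: str) -> bytes:
    """Author side: encrypt the payload under the victim-derived key."""
    return rc4(derive_key(target_string), payload)


def try_unseal(ciphertext: bytes, candidate: str) -> Optional[bytes]:
    """Implant side (or an analyst testing a guess): derive a key from a
    candidate string and accept the result only if it decrypts to a valid
    header. A wrong candidate produces random-looking bytes, not an error."""
    plaintext = rc4(derive_key(candidate), ciphertext)
    return plaintext if plaintext.startswith(MAGIC) else None


def dictionary_attack(ciphertext: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Analyst's only practical avenue: enumerate plausible target-specific
    inputs. Returns the candidate that unlocks the payload, or None."""
    for candidate in candidates:
        if try_unseal(ciphertext, candidate) is not None:
            return candidate
    return None


# Constructed sample payload and the (assumed) victim-only directory name.
SAMPLE_PAYLOAD = MAGIC + b"constructed dummy payload body, not real code"
TARGET_STRING = "ACME Reporting Console"


if __name__ == "__main__":
    ct = seal(SAMPLE_PAYLOAD, TARGET_STRING)
    print("decrypts on the victim:", try_unseal(ct, TARGET_STRING) == SAMPLE_PAYLOAD)
    print("decrypts on another PC:", try_unseal(ct, "Program Files") is not None)
    print("recovered by guessing :", dictionary_attack(
        ct, ["Program Files", "Common Files", TARGET_STRING]))
```

Two things the block makes visible. First, brute-forcing the 256-bit derived key directly is hopeless, and the iterated hash makes every guess of the input string cost thousands of hash operations, so the attack is only as good as the candidate list; that is exactly why an appeal for outside ideas about the target's environment makes sense. Second, a wrong key never "fails": the decryption routine has to recognise valid output itself, which is why the example checks for a known header.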

Because Gauss shares code and infrastructure with Flame, another cyber snooper that targeted Iranian PCs, and since most experts believe Flame is linked to Stuxnet, the worm discovered in 2010 that sabotaged Iran’s nuclear fuel enrichment program, Kaspersky raised the possibility that Gauss’ encrypted payload may contain Stuxnet-like code targeting SCADA (supervisory control and data acquisition) systems.

“The resource section [of the encrypted payload] is big enough to contain a Stuxnet-like SCADA-targeted attack code and all the precautions used by the authors indicate that the target is indeed high profile,” said Kaspersky.
