Gauss malware: My take on its mystery components

Gauss malware: My take on its mystery components

Summary: The Gauss worm appears to share a common purpose with the Stuxnet and Flame malware in suspected computer espionage. But two of its elements have been baffling experts.

SHARE:
TOPICS: Security, Malware
11

The recently discovered Gauss malware is the latest element in a captivating story that is being picked over by security software researchers everywhere.

What started out with Stuxnet and Flame seems now to have moved on to Gauss. Many have argued that the previous two pieces of malware showed that governments are using sophisticated software to disrupt systems and steal information — and that Gauss is the latest example. Its targeting of Middle Eastern systems and suspected shared provenance with Stuxnet and Flame give it immediate interest.

However, Gauss has developed an intriguing character all of its own. This mystique is down to two specific elements that have yet to be explained. One is an encrypted file that seems impossible to break. The other is the mystery Palida Narrow font installed on three of the 1,600-odd infected systems.

To provide a possible explanation of these two unknowns, it is important to outline how software apparently designed for computer warfare differs from common-or-garden malware.

Smash-and-grab approach

Criminal malware takes a smash-and-grab approach, spreading as fast as possible to as many systems as possible in an attempt to steal data. Stealth takes second place to information stealing and proliferation.

Special forces the world over use reconnaissance platoons and specially trained helicopter pilots — a similar approach but in this case apparently used by malware

Software such as Stuxnet, Flame and Gauss have a narrower scope. First, it must remain invisible for long periods of time, only performing an action when absolutely necessary.

A piece of malware that can steal intel is useful, but one that can build a picture over a long period of time is invaluable. For this reason the obfuscation techniques are highly elegant. In addition, this type of malware needs to be deniable, so even when identified it should yield as little information as possible.

For these reasons, it makes sense that this type of malware comes in separate parts designed to do distinct jobs. Something that transmits information is going to make a lot of noise, and unauthorised processes will trip alarms. In a tightly locked-down environment, this activity will be noticed quickly.

The best way round this issue is to have two separate pieces of malware. The first piece acts as a scout, marking and monitoring the target, while the second is an extraction device.

The scout will slip in quietly, watch the target and gather intel for long periods while lying deeply submerged. At the appropriate time, a separate piece of malware is introduced to locate the scout, moving as quickly as possible to remove the gained intel.

Special forces the world over use reconnaissance platoons and specially trained helicopter pilots — a similar approach but in this case apparently used by malware.

Extraction is the high-risk element of the operation. Having two separate pieces of malware means, if detected, the deeply hidden scout remains unnoticed, allowing it to continue its job until an alternative method of extraction can be arranged.

Not only this, but the now-alert response team only has a fraction of the puzzle, causing confusion and allowing for deniability.

This is what I believe the Palida Narrow font to be. It is the scout malware, marking the target and awaiting for extraction. That the font was only found on three of the 1,600 systems infected with Gauss may support this interpretation.

These three machines could have been marked as targets of note, having access to valuable information. Why a font? Well, these are lightweight, hide easily and are the kind of thing that your target could install without it screaming, "Malware".

Crowbarring open a locked chest

The yet-to-be-broken encryption key is more of a mystery and the actual payload can only be guessed at. Kaspersky is a well-resourced company, which employs some bright people, and even their attempts to crack the code are the equivalent of crowbarring open a locked chest.

I believe the encrypted key is also awaiting activation by a secondary piece of malware, a warhead of unknown purpose that will only be triggered when the appropriate software has been introduced.

This type of malware is forcing the security industry to start thinking in different ways. People have become comfortable with the traditional Swiss-army-knife approach to malware, but the world of Stuxnet, Flame and Gauss poses a different set of demands.

Adam Kujawa is a malware researcher at security firm Malwarebytes and has worked for a number of US federal and defence agencies.

Topics: Security, Malware

Adam Kujawa

About Adam Kujawa

Adam Kujawa is a malware researcher at security software company Malwarebytes. He has also previously worked for a number of US federal and defence agencies.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

11 comments
Log in or register to join the discussion
  • "Infinite-length key" encryption

    There are two types of encryption, "finite-length key" and "infinite-length key". Mostly we use finite-length keys. While the people at Kaspersky are very good, they are use to finite-length keys, mostly because that's what everyone is use to. Finite-length keys are much easier to use, and easier to disseminate. However, they all rely on intractability to remain intact, and as technology develops, intractability is not a viable lock. For example, Public Key is finite-length. If you're using a 256-bit long key, the key is 256 bits long and is the product of two prime numbers. Using a conventional computer of today, it could take the better part of forever to figure out the factors which is what you need to decrypt. However, a quantum computer can solve it in the blink of an eye. There have also been some proposals for using other unconventional systems that are in many ways, more conventional than a quantum computer, to break it, albeit at a slower rate, but no evidence yet that any of these will work.

    From a military perspective, if you wanted to encrypt something with a 100% guarantee that it would never be decrypted except by the desired recipient, you would use an "infinite-length key". "Infinite-length keys" are of course, not really infinite in length. More often, they are simply as long and sometimes longer than the data being encrypted. Such systems, when properly implemented, are very simple, and 100% uncrackable. As an example, here's the algorithm for XOR0, an infinite-length key encryption system developed over 25 years ago:

    do{
    k = fgetch(keyfile);
    d = fgetch(datafile);
    e = k ^ d; /* XOR key and data */
    putch( e);
    }while( datafile != EOF);

    The key must be as long or longer than the data. As long as the key file is a suitable stream of truly pseudo-random bits, say a specific digital version of the Empire Strikes Back, then the result is 100% uncrackable.

    So assuming your hypotheses is correct, and there will be a second malware entity, the decryption key would be in that second entity. Indeed, the second entity might be a second scout. When the second scout and the first scout combine their encrypted areas together, they both then convert into something else. And that will be when the fun begins.
    mheartwood
    • Umm, No

      You are confusing symmetric keys for asymmetric ones. A public key of 256 bits is extremely weak (public keys of over 600 bits have been brute forced publicly already). A public key will have a much larger keylength than, say, a block cipher (AES) or a stream cipher (RC4). AES typically uses 256 bit keys, which is equivalent to about a 16000 bit RSA key.

      #2 Quantum computers will be effective against public key systems but will only marginally affect block ciphers. That is, the best they can do is cut the key complexity by a factor if its square root. Thus, sqrt(2^256) = 2^128.

      #3 The cipher you described as "being invented 25 years ago" is actually much older than that. It's called a One-Time-Pad (aka Vernam cipher) and saw wide use during WWII and the cold war. It's very simple, you XOR the bitstream (or use modular arithmetic) with one bit of random key. And, the key must be truly random, not pseudo-random! It is indeed information-theoretically-secure as proved by Shannon and others way back in the 1940's. However...

      The problem is OTP's suck in most use cases. The key must be as long as the message, and this is highly impractical in the computer age where large data transfers are common. Second, key exchange is highly impractical unless face-to-face meetings take place. Third, key management is very hard because the key (pad) is long and must be *stored* somewhere. This is why governments do not use OTP's very often even though the method has been known about since at least the end of the 19th century (Vernam put his name on it in 1917).

      So do I think NSA is using a OTP for Gauss/Flame et al? No. Why? There are much more practical modern ciphers out there (both type I and type II).
      KodiacZiller
      • Fact is we still do not have the key

        MHeartWood & Kodiac,
        Thanks for your comments and your interesting input. I think that regardless of the encryption method used by Gauss, the fact still remains that we do not have the key and therefore might not know for some time what is included in the encryption sections. However I am sure that the encryption, the missing folder/file name and a yet to be found malware are all involved in this.

        If my theory about the Palida Narrow font is correct, I think that if Kaspersky keeps an eye on that network and especially the systems which the font was found on, we might find that missing malware soon enough and hopefully be able to determine what other functions Gauss has.

        Thanks again for your comments!

        -Adam
        Adam Kujawa
      • If you must nit-pick, please don't misquote me.

        As everyone can see, I did NOT say "being invented 25 years ago". What I said was "developed OVER 25 years ago". I'd say 1917 is definitely over 25 years ago. However, I didn't learn about it until 25 years ago and didn't really pay much attention to its history either. (How many of you paid that much attention to cryptographic history back in University.)

        As for my use of the phrase pseudo-random, that you are correct about. That was a mis-use of the term by me. What I was trying to say is that it needs to be a re-creatable random stream of bits. While in 1917 that would have been difficult because of storage and transfer, now it's just a matter of going to your collection of DVDs, picking one that is in pan-and-scan (letter box has too many repeating black spaces), and making sure the other end has a copy. The storage, availability, and transfer issues of the Vernam cipher and similar uncrackable encryption systems are no longer a problem today.

        But it's quite clear that while you did provide many wonderful details, you ignored the thrust of my argument entirely.

        The length of a public key is irrelevant to this discussion. It doesn't matter how long the key is, or even what the encryption system is, intractable simply means hard-to-break, and anything that is hard-to-break will eventually be broken. 15 years ago, I was STILL being told that public key was impossible to break. I called B.S. back then. As you have shown, it's now proven that I was right, which thus furthers the point I was making.

        Do I think Gauss is using Vernam's cipher or similar? Not really. I used it only as an example of unbreakable because it's so easy. Not everyone who hangs here is going to be fluent.

        And my point was that unbreakable does exist in cryptography. It's very possible that the key used in Gauss is not merely hard-to-break, but actually impossible-to-break. Therefore, Kaspersky should not be faulted for not breaking it.

        I will certainly be curious to see what comes out of this.
        mheartwood
        • Well..

          " While in 1917 that would have been difficult because of storage and transfer, now it's just a matter of going to your collection of DVDs, picking one that is in pan-and-scan (letter box has too many repeating black spaces), and making sure the other end has a copy. "

          Umm, no. That is equivalent to a book cipher and is trivial to break if the adversary knows which "book" you're using. (In this case it would be if he knows which DVD). To correctly use a OTP, it requires truly *random* keys. Keys created with fair dice, card shuffles or quantum noise (Johnson noise, shot noise, radio-active decay, etc.) The problem with the latter case is, while quantum mechanics ensures such noise is indeed random, sampling it is difficult to get right. For instance, sampling radio-active decay is hard to do without introducing measurement error and bias. And there's always a chance of silent failure of the hardware, etc.

          Designing "true" random number generators is very hard and lot's of people out there get it wrong. This is why most cryptographers prefer designing RNG's based on strong primitives like block ciphers or hash functions. That way they know how difficult it would be to break (if done right, it should be as difficult to break as the cipher/hash it is built on). These are usually called CSPRNG's (Cryptographically Secure Pseudo-Random Number Generators). They aren't truly random in the quantum sense, but they are strong enough to be unbreakable by all known theory.

          The problem is, you can't use CSPRNG's for generating one-time-keying material. Why? Because for a OTP to be effective, you need a truly random source. Otherwise the pad would be as difficult to break as the CSPRNG. And if that's the case, you might as well use a good block cipher to encrypt your data instead of the OTP.

          "When public key was introduced to much fan-fare, it was described as unbreakable. It was described that it would take a computer of the day using the methodologies of the day, more time than the universe was old to break it. How times have changed. The algorithm for public key has always been theoretically mathematically solvable. However, using traditional techniques, the process of factoring was intractable, that is, too hard to solve, thus leading to the belief it was uncrackable. However, technology and methodologies have moved on from then. What was once "too hard to solve", is now quite solvable. A 4096-bit public key can be solved in a reasonable time by a 16 PS2 beouwulf cluster."

          RSA is based on the intractability of factoring a large composite (known as the modulus) into its two prime factors. The inventors never claimed this was impossible, they merely claimed it was "hard" to do and would take an inordinate amount of time. So far this has proved to be true. There is debate whether factoring in polynomial time is possible on a classical computer (we know it's possible on quantum computers using Shor's algorithm).

          The security of RSA depends on the keylength. The largest key to be factored publicly is 768 bits. 4096 bit keys are nowhere near being broken, so I don't know where you heard that.
          KodiacZiller
      • Symmetric/Asymetric has nothing to do with key length

        @KodiacZiller
        And just before I go, it's clear you must have skimmed because you seemed to have gotten confused by terms. Just for the non-fluet here, symmetric and asymmetric refer to mathematical functions. For example, a=b*k is symmetric. For a given value of b there is only one value for a and for a given value of a, there is only one value for b. a=abs(b) is a sample of an asymmetric function. For any given value of b, there is only one value for a, but for any given value for a, there are TWO values for b (a and -a).

        A finite-length key is exactly as it sounds. It's a key of specified finite length. If you want to playfair or be an enigma, it's 5 letters. An AES key of 256-bits is a finite-length key, one that happens to be 256 bits in length obviously. I've already described an infinite-length key so I won't bother again.

        When public key was introduced to much fan-fare, it was described as unbreakable. It was described that it would take a computer of the day using the methodologies of the day, more time than the universe was old to break it. How times have changed. The algorithm for public key has always been theoretically mathematically solvable. However, using traditional techniques, the process of factoring was intractable, that is, too hard to solve, thus leading to the belief it was uncrackable. However, technology and methodologies have moved on from then. What was once "too hard to solve", is now quite solvable. A 4096-bit public key can be solved in a reasonable time by a 16 PS2 beouwulf cluster.

        All of the finite-length key encryption algorithms that I AM AWARE OF, (and there may be many which I am not aware of) are theoretically mathematically solvable (although many are incredibly difficult). Therefore, given the advancement of time, technology, and human ingenuity, I suspect they will eventually be solved and become obsolete. This has been the nature of cryptographic history. I don't expect it to change.

        Therefore, encryption techniques need to be designed with a life time. How long do we expect this encryption system to be useful?

        The only encryption algorithms which have proven to be unbreakable, have been infinite-length key systems. Some use complicated algorithms, but when unbreakable can be done easily with a simple algorithm, why bother? And as I pointed out earlier, it's no longer difficult. What's the FBI going to tell a judge? "She must be a terrorist. She has a copy of Ferris Bueller's Day Off." Right.

        We do not know for certain that the NSA is responsible for Gauss, but assuming it is, they would have chosen an encryption system that is either impossible to break, or one which they feel cannot be broken within a time span that would lead to repercussions. Given the length of the encrypted code, they may have chosen an infinite-length key, but not likely OTP. Or perhaps the encrypted code isn't encrypted at all, but is actually the key. It might even be a signature beacon. There are a lot of possibilities here. It will be very interesting to see how it plays out.
        mheartwood
  • Re you posited that Palida Narrow font is scout malware

    Hi
    You wrote "This is what I believe the Palida Narrow font to be. It is the scout malware, marking the target and awaiting for extraction. That the font was only found on three of the 1,600 systems infected with Gauss may support this interpretation.

    Wouldn't the other 1597 sites also need marking (and potential extraction)?

    Since the malware is highly targeted, one could reasonably assume that each infected system has certain features, and conforms to certain criteria, and so are infected because they are of some use to the attackers (or they would not have been infected) and all of them would therefore have information that would need extraction .

    What do you think?
    kennyd1
    • Coffee Shops and Vacuum Cleaners

      Hi Kenny,
      Think of this as an information collection operation using human operatives. You might have a dozen or more operatives set up in specific locations, coffee shops, spas, political buildings, etc. Who blend in and wait for something interesting to happen. They send back regular reports of the goings on of their assigned place of duty. Then, one of the operatives reports that a high-ranking political figure with lots of useful information has been frequenting their area. Not only that but the operative observed habit behavior with the official and this particular area, let us say it is the coffee shop.

      The spy agency (or the C&C) now knows that this particular coffee shop is visited by the official every other day at 8:00 AM, without fail. The agency instructs the operative (the malware) to mark the specific areas where the official sits or stands or whatever, so the operative makes a certain tick under the table where the official sits. The operative leaves his post and during the night, another team is called in by the agency to install monitoring devices into the coffee shop in specific areas. The team comes in and finds the ticks (since they know how to look for it) and installs the software there.

      Think of the ticks the operative put under the tables as Palida Narrow. When performing certain clandestine operations, it is important to segment the work to different operatives or teams in order to evade suspicious behavior and scare off any would-be targets.

      As far as why the malware was also installed in the other 1597 sites, I propose two possible explanations:

      1. If you have an infection spread out among a wide area, yet you have specific targets in mind, it is harder for someone to determine that the malware was installed for that specific target.
      2. If Gauss is truly state-sponsored, it will want to collect massive amounts of data from various sources (or different areas where operatives are installed), then parse through this data and look for something specific. In this case I imagine that the malware was installed on so many systems which all reported back the log-in information for banks and social media, which were parsed through by the C&C and analyzed for trends of specific targets. When a site is found that has frequently log-ins by a specific target, the C&C instructs the malware to mark that system for another team or malware to move in and install even more sophisticated and intrusive measures.
      Then of course, there is the possibility of Gauss being installed on a system not connected to the internet and therefore not able to send data to the C&C, this problem was addressed in Flame with the use of USBs and being able to pass data from system to system.

      I hope this answered your questions. I think of Gauss as a vacuum cleaner, moving all over the place and sucking up all kinds of data. The malware that will check for ‘Palida Narrow’ is more like a specialized carpet treatment that you end up using multiple chemicals for and special devices in order to remove a stain in the carpet (extract specific data/maintain persistence/obtain more control over the system/etc.)

      Thanks for the comment and I am glad you enjoyed the article =).

      -Adam
      Adam Kujawa
  • Waving the Palida Narrow flag

    Adam postulates an interesting and plausible scenario for the function of the Palida Narrow typeface as a marker for Gauss infected sites waiting for extraction. A font flag has an advantage in being easily detected by any website browsed from an infected installation but a disadvantage of being visible to anyone with curiosity. It is possible that all the other sites either had already been extracted or had not yet collected enough to be picked up. However, the "I have stuff for you" message is so much more easily delivered by other means. An isolated, occasional coded ping to a CnC site could be very hard to spot, for example (part of the scenario in the novel Web Games). Waving a font flag seems clumsy by comparison. A full forensic analysis of the unencrypted code in Gauss might reveal clues to the function of the font flag, but the purpose might well be hidden in the encrypted part or even in the CnC facilities.

    To add to the fun, the font may just be a fickle finger flipped at Middle Eastern banks. Even the stealthy Stuxnet worm had proud little clues to its origins embedded in file names and registry entries. Even government hackers and military programmers like to sign their work--so long as they do not get caught out by their own supervisors.

    --Prof. Larry Constantine (pen name Lior Samson)
    ProfessorLarry
  • It all comes down to perception.

    Professor Constantine,
    Thank you for reading and enjoying my article. I agree that someone with curiosity might detect the font as being out of the norm. However, since most of the systems infected with Gauss were connected to the internet and used for things like banking and social networking, there is a high possibility that numerous fonts were installed on the system by the user’s actions beyond what the default set. I have never installed a custom font on my system and yet I have dozens that were installed by other applications such as Word or Photoshop.

    The method of hiding in plain sight has always been a common trend when dealing with government-sponsored espionage operations. Who would ever suspect the font? As you suggest, the use of a beacon is an effective and common way for malware to signal the "Interesting Stuff Here" flag. However, I think that for redundancy purposes as well as keeping a separation between the operations of the various malware, using a beacon would be too vulnerable to sabotage and be a clear sign of a connection between two types of malware.

    Using a beacon approach would allow the flagging operations to be sabotaged in two possible ways:

    1. If the beacon were included with the data being sent back to the C&C, the large amount of traffic being sent would most likely eventually be detected. That being said, the C&C addresses could be blocked at the border and it would be a complete failure in part to Gauss.

    2. If the beacon were sent at a different interval than the other data and to a different C&C address, it would reveal another possible link to the identity of the creators of Gauss, or even worse, a connection between Gauss and another piece of yet to be discovered malware.

    However using the font installation would be effective regardless of what happened to the C&C connection for the installed malware. In addition, Gauss is attempting to masquerade as your average run-of-the-mill bank login malware and anything out of the ordinary might threaten that cover. Albeit, all these points become moot when in-depth analysis is performed on the malware and the analyst notices the font being installed. However, Gauss or Flame or any other similar malware was most likely never intended to be completely unstoppable, but rather continue its operations uninterrupted just long enough to accomplish a goal and in the meantime try to either hide or make it seem less than what it actually was. What would be more alarming, a common criminal captured for stealing or an undercover agent of a foreign power conducting espionage operations? It all comes down to perception.

    You mention that the font may be a way for the creators of Gauss to sign their work. I agree that is a plausible explanation, however, there is a big difference between setting a file name or a registry entry to a specific value and including a large function to install a custom created font on a system. In my opinion, it just seems like too much effort to get a little credibility.

    I really appreciate your comments Professor, thank you again for reading the article and I hope to hear any further theories or feedback you might have on the topic.

    Thanks!

    -Adam
    Adam Kujawa
  • Truth in Time

    All your arguments are plausible and reasonable, but only time and further analysis can expose what Palida Narrow is really about. One can hope that enterprising security analysts or persistent journalists will get the fuller story out their. Of course, nothing is guaranteed. It's been 2 years since Stuxnet was outed, but even David Sanger's thoroughly researched book is full of misinformation (see http://spectrum.ieee.org/podcast/computing/embedded-systems/stuxnet-leaks-or-lies).

    --Professor Larry Constantine (pen name Lior Samson)
    ProfessorLarry