Kaspersky Lab is appealing to the public to help crack a code embedded in a piece of malware it believes is nation-state sponsored.
Called Gauss, it is the latest in a string of malware with possible links to Flame, Duqu and Stuxnet. So far, Kaspersky researchers believe it is an espionage toolkit designed to steal browser passwords, banking details and other credentials, but what it is meant to do on the intended target's computer is hidden within encrypted code.
According to Kaspersky researchers, to ensure the payload is delivered only to the intended victim, the malware inspects certain aspects of the target's system configuration, including specific file or folder names present on the system. This information is then used as part of the decryption key. Unfortunately, this also means that, without knowing what the intended target's file system and configuration look like, Kaspersky researchers are unable to determine what orders the malware is meant to carry out.
Researchers have already tried millions of combinations of known folder names, without success. According to a blog post by the company, the malware does check that the first character of the folder name belongs to the extended character set. This suggests the name either starts with a special symbol or is written in a language other than English, such as Arabic or Hebrew.
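To illustrate why an analyst cannot simply decrypt such a payload offline, here is an added example (not Kaspersky's code, and not Gauss's real key-derivation scheme) of the analyst-side search the article describes: keys are derived from candidate folder names and checked against a validation value, with candidates whose first character is plain 7-bit ASCII skipped. The salt, iteration count, hash construction and target folder name are all constructed for the example.

```python
import hashlib

# Constructed stand-ins; the real Gauss parameters are not given in the article.
SALT = b"constructed-salt"
ITERATIONS = 10000                      # constructed iteration count
TARGET_FOLDER = "ملفات"                # constructed Arabic folder name on the "victim"


def derive_key(folder_name: str) -> bytes:
    """Hypothetical key derivation: iterated SHA-256 over the name plus a salt."""
    data = folder_name.encode("utf-8") + SALT
    for _ in range(ITERATIONS):
        data = hashlib.sha256(data).digest()
    return data


def key_check(key: bytes) -> str:
    """Constructed validation value that lets a search confirm a candidate key
    without needing to decrypt (and therefore without knowing) the payload."""
    return hashlib.sha256(b"check" + key).hexdigest()


def first_char_is_extended(name: str) -> bool:
    """The article's observation: the first character lies outside 7-bit ASCII."""
    return ord(name[0]) > 0x7F


def search(candidates, expected_check):
    """Analyst-side search: derive and test a key for every plausible candidate.
    Returns the matching folder name, or None when no candidate fits."""
    for name in candidates:
        if not first_char_is_extended(name):
            continue                    # the malware would reject such a name
        if key_check(derive_key(name)) == expected_check:
            return name
    return None


def demo():
    """Run the search over a small dictionary of common folder names, first
    without and then with the true target name included."""
    known = ["Program Files", "Windows", "Users", "Éditeurs"]
    expected = key_check(derive_key(TARGET_FOLDER))
    return search(known, expected), search(known + [TARGET_FOLDER], expected)


if __name__ == "__main__":
    print(demo())   # (None, 'ملفات'): the search only succeeds once the real name is guessed
```

The point is that the validation value reveals nothing about the name itself; every candidate must be derived and compared, so a first character drawn from thousands of non-ASCII code points makes exhaustive guessing impractical.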
The company has now released sections of encrypted data, and is appealing for anyone who might be able to break the codes to contact Kaspersky Lab.
It is not the first time the company has reached out to the public. During its analysis of Duqu in March this year, security researchers were stumped after coming across code that appeared to be compiled in a manner unknown to them. After polling the public for help, they found that it was written in C, a common programming language, but likely using a custom object-oriented framework.
Those wishing to take up Kaspersky Lab's challenge can find the encrypted segments on its blog.