Gauss malware: My take on its mystery components

The Gauss worm appears to share a common purpose with the Stuxnet and Flame malware in suspected computer espionage. But two of its elements have been baffling experts.
Written by Adam Kujawa, Contributor

The recently discovered Gauss malware is the latest element in a captivating story that is being picked over by security software researchers everywhere.

What started out with Stuxnet and Flame seems now to have moved on to Gauss. Many have argued that the previous two pieces of malware showed that governments are using sophisticated software to disrupt systems and steal information — and that Gauss is the latest example. Its targeting of Middle Eastern systems and suspected shared provenance with Stuxnet and Flame give it immediate interest.

However, Gauss has developed an intriguing character all of its own. This mystique is down to two specific elements that have yet to be explained. One is an encrypted file that seems impossible to break. The other is the mystery Palida Narrow font installed on three of the 1,600-odd infected systems.

To provide a possible explanation of these two unknowns, it is important to outline how software apparently designed for computer warfare differs from common-or-garden malware.

Smash-and-grab approach

Criminal malware takes a smash-and-grab approach, spreading as fast as possible to as many systems as possible in an attempt to steal data. Stealth takes second place to information stealing and proliferation.

Software such as Stuxnet, Flame and Gauss has a narrower scope. First, it must remain invisible for long periods of time, only performing an action when absolutely necessary.

A piece of malware that can steal intel is useful, but one that can build a picture over a long period of time is invaluable. For this reason the obfuscation techniques are highly elegant. In addition, this type of malware needs to be deniable, so even when identified it should yield as little information as possible.

For these reasons, it makes sense that this type of malware comes in separate parts designed to do distinct jobs. Something that transmits information is going to make a lot of noise, and unauthorised processes will trip alarms. In a tightly locked-down environment, this activity will be noticed quickly.

The best way round this issue is to have two separate pieces of malware. The first piece acts as a scout, marking and monitoring the target, while the second is an extraction device.

The scout will slip in quietly, watch the target and gather intel for long periods while lying deeply submerged. At the appropriate time, a separate piece of malware is introduced to locate the scout, moving as quickly as possible to remove the gained intel.

Special forces the world over use reconnaissance platoons and specially trained helicopter pilots — a similar approach but in this case apparently used by malware.

Extraction is the high-risk element of the operation. Having two separate pieces of malware means, if detected, the deeply hidden scout remains unnoticed, allowing it to continue its job until an alternative method of extraction can be arranged.

Not only this, but the now-alert response team only has a fraction of the puzzle, causing confusion and allowing for deniability.

This is what I believe the Palida Narrow font to be. It is the scout malware, marking the target and awaiting extraction. That the font was only found on three of the 1,600 systems infected with Gauss may support this interpretation.

These three machines could have been marked as targets of note, having access to valuable information. Why a font? Well, these are lightweight, hide easily and are the kind of thing that your target could install without it screaming, "Malware".
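If an installed font really is the marker, the defender's first question is simply whether that font is present. The following PowerShell script is an added example, not part of the article or of any vendor tooling: it checks the two places Windows registers installed fonts (the system-wide Fonts registry key and the Fonts folder) for any entry whose name mentions "Palida", the font named above, and reports what it finds. The name fragment and the decision to treat a hit as a preservation trigger rather than something to clean up are this example's assumptions.

```powershell
# Added example (not from the article): flag any installed font whose
# registered name or file name mentions "Palida". Assumes a Windows host;
# the registry key and Fonts folder are the standard locations Windows
# uses to register installed fonts.
function Find-SuspectFont {
    param(
        [string]$Pattern = 'Palida'   # assumption: name fragment to look for
    )
    $hits = @()

    # 1. Fonts registered system-wide in the registry
    $fontKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
    $reg = Get-ItemProperty -Path $fontKey -ErrorAction SilentlyContinue
    if ($reg) {
        foreach ($p in $reg.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if ($p.Name -match $Pattern -or "$($p.Value)" -match $Pattern) {
                $hits += [pscustomobject]@{ Source = 'Registry'; Name = $p.Name; Value = $p.Value }
            }
        }
    }

    # 2. Font files physically present in the Fonts folder
    $fontDir = Join-Path $env:WINDIR 'Fonts'
    Get-ChildItem -Path $fontDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object {
            $hits += [pscustomobject]@{ Source = 'Folder'; Name = $_.Name; Value = $_.LastWriteTime }
        }

    return $hits
}

$found = Find-SuspectFont
if ($found.Count -eq 0) {
    Write-Output "No font matching 'Palida' found on $env:COMPUTERNAME"
} else {
    # A hit is evidence, not just an infection to remove: keep the host for review.
    Write-Warning "Font matching 'Palida' present on $env:COMPUTERNAME; preserve the host for forensic review"
    $found | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the registry read succeeds on hardened hosts. Because the article's argument is that the font is the quiet half of a two-stage design, a positive result should start an investigation of what else is on the machine, not just a removal of the font file.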

Crowbarring open a locked chest

The yet-to-be-broken encryption key is more of a mystery, and the actual payload can only be guessed at. Kaspersky is a well-resourced company that employs some bright people, and even its attempts to crack the code are the equivalent of crowbarring open a locked chest.

I believe the encrypted key is also awaiting activation by a secondary piece of malware, a warhead of unknown purpose that will only be triggered when the appropriate software has been introduced.

This type of malware is forcing the security industry to start thinking in different ways. People have become comfortable with the traditional Swiss-army-knife approach to malware, but the world of Stuxnet, Flame and Gauss poses a different set of demands.

Adam Kujawa is a malware researcher at security firm Malwarebytes and has worked for a number of US federal and defence agencies.