Kaspersky pleads for crypto help to probe Gauss malware
Encrypted warhead stymies investigation of nation-backed cyber snooper
Computerworld - Kaspersky Lab today appealed for help from top-notch cryptographers to help it break the encryption of a still-mysterious warhead delivered by the Gauss cyber-surveillance malware.
"We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload," said the Moscow-based security company in a blog post Tuesday. "Despite our best efforts, we were unable to break the encryption."
The payload is one of the unknowns of Gauss, a sophisticated spying tool uncovered by Kaspersky last week. According to researchers, Gauss monitors financial transactions with Middle Eastern banks and was built by or backed by one or more governments.
While Kaspersky has figured out that the payload is delivered via USB flash drives -- to close the 'air gap' between the Internet and PCs not connected to the Web -- it has been stymied in its attempts to decrypt the module, which is encrypted with an RC4 key.
RC4, which was created by RSA Security 25 years ago, is also used in SSL (secure socket layer) to secure communications between websites and browsers.
Kaspersky noted that the decryption key for the payload is generated dynamically by the victimized PC. "[That] prevents anyone except the designated target(s) from extracting the contents of the sections," Kaspersky said today. "It's not feasible to break the encryption with a simple brute-force attack."
Because Gauss has connections to Flame, another cyber snooper that targeted Iranian PCs, and since most experts believe Flame was linked to Stuxnet -- the worm discovered in 2010 that sabotaged Iran's nuclear fuel enrichment program -- Kaspersky has wondered if Gauss' encrypted payload may contain Stuxnet-like code that targets SCADA (supervisory control and data acquisition) systems.
SCADA systems monitor and control critical industrial processes, ranging from oil refineries and factories to power grids and gas pipelines.
"The resource section [of the encrypted payload] is big enough to contain a Stuxnet-like SCADA-targeted attack code and all the precautions used by the authors indicate that the target is indeed high profile," said Kaspersky.
The security company had previously spelled out other similarities between Gauss and Stuxnet, including the use of a now-patched vulnerability in Windows' shortcuts and the reliance on USB drives to deliver attack code to PCs isolated from the Internet.
In its Tuesday blog post, Kaspersky included the first 32 bytes of encrypted data and hashes from the enigmatic payload.
"If you are a world-class cryptographer or if you can help us with decrypting [this], please contact us by e-mail: firstname.lastname@example.org," said Kaspersky. The company also said it would provide more encrypted data on request.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- Cyberattacks could paralyze U.S., former defense chief warns
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
- South Korea cyberattacks hold lessons for U.S.
- U.S. military networks not prepared for cyberthreats, report warns
- Return of CISPA: Cybersecurity boon or privacy threat?
Read more about Cyberwarfare in Computerworld's Cyberwarfare Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- System and Data Protection, Recovery and Availability This white paper describes how ARCserve works and the benefits it can provide IT environments of all sizes.
- Simplifying Data Protection, Reducing Risk of Data Loss and System Downtime This white paper outlines what IT organizations should look for in a data protection solution, including simplicity and ease of deployment, comprehensive protection,...
- Complexity Ate My Budget When it comes to data protection, having multiple point solutions is not the answer. Find out how to gain a holistic view of...
- Three Best Practices to Help Government Agencies Overcome BYOD Challenges This paper highlightschallenges facing government IT in a BYOD environment and discusses strategies for network preparation, ongoing support, and securing information to enable...
- Four Myths of High-Productivity App Dev Debunked Debunk the main myths surrounding high-productivity application development and how both platforms have overcome them.
On-Demand Webcast: 7 Reasons to Choose VoIP
Thinking about a new phone system for your business?
Be sure to watch this informative webcast. Steve Strauss, small business columnist for USA...
All Cyberwarfare White Papers |