Kaspersky wants your help cracking malware payload

Posted by Emma Woollacott

Kaspersky Lab is asking for help cracking an encrypted 'warhead' in the Gauss malware which it identified last week.

The state-sponsored cyber-espionage toolkit is designed to steal browser passwords, online banking account credentials and the system configuration of infected machines.

Since late May, says the lab, more than 2,500 infections have been recorded, with the majority in the Middle East.

But while Kaspersky has analyzed Gauss's primary functions and characteristics, as well as its architecture, modules, communication methods and infection statistics, the encrypted payload remains a mystery.

"The use of cryptography and the precautions the authors have used to hide this payload indicate its targets are high profile. The size of the payload is also a concern," says Aleks Gostev, chief security expert of Kaspersky's Global Research and Analysis Team.

"It’s big enough to contain coding that could be used for cyber-sabotage, similar to Stuxnet’s SCADA code. Decrypting the payload will provide a better understanding of its overall objective and the nature of this threat."

The payload is located in Gauss's USB data-stealing modules and is designed to surgically target systems that have a specific program installed.

Once an infected USB stick is plugged into a computer, the malware runs and tries to decrypt the payload with a key it derives from that machine's own configuration. Only on a machine with the expected configuration does the derived key match, so the payload is unlocked and executed there alone; on any other machine it stays encrypted, and the malware reveals nothing about what it contains.

So now Kaspersky wants your help - as long as you know a bit about cryptography, reverse engineering or mathematics.

"We have tried millions of combinations of known names in %PROGRAMFILES% and Path, without success. The check for the first character of the folder in %PROGRAMFILES% indicates that the attackers are looking for a very specific program with the name written in an extended character set, such as Arabic or Hebrew, or one that starts with a special symbol such as “~”," says the company.

"Of course, it is obvious that it is not feasible to break the encryption with a simple brute-force attack. We are asking anyone interested in breaking the code and figuring out the mysterious payload to join us."
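The mechanism described above, and the analyst's side of it that Kaspersky's quote alludes to (guessing candidate names for %PROGRAMFILES% and Path, and using the first-character check to prune the search), as an added illustration in Python. This is not Gauss's code or its actual algorithm: the key-derivation function, salt, iteration count, validator, stream cipher, the first-character filter and every sample name and path are assumptions constructed for the example.

```python
import hashlib
import hmac

# Illustrative environment-keyed payload (added example; not Gauss's code or
# algorithm). KDF, salt, iteration count, validator and cipher are all
# assumptions chosen for the demo.
SALT = b"example-salt"      # hypothetical fixed salt embedded in the loader
ITERATIONS = 10_000         # hypothetical; iterated hashing makes each guess costly


def derive_key(programfiles_entry: str, path_entry: str) -> bytes:
    """Key from two environment strings via iterated SHA-256 (demo KDF)."""
    h = (programfiles_entry + "\0" + path_entry).encode("utf-16-le") + SALT
    for _ in range(ITERATIONS):
        h = hashlib.sha256(h).digest()
    return h


def validator(key: bytes) -> bytes:
    """8-byte check value stored next to the ciphertext: lets the loader tell
    'right environment' from 'wrong' without leaking anything about the key."""
    return hashlib.sha256(b"validate:" + key).digest()[:8]


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode as a stream cipher (demo only)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def lock_payload(plaintext: bytes, programfiles_entry: str, path_entry: str):
    """Attacker side: encrypt under a key only the target machine can rebuild."""
    key = derive_key(programfiles_entry, path_entry)
    return validator(key), xor(plaintext, keystream(key, len(plaintext)))


def try_unlock(check: bytes, ct: bytes, programfiles_entry: str, path_entry: str):
    """Loader side: rebuild the key from this machine's strings; run only on match."""
    key = derive_key(programfiles_entry, path_entry)
    if not hmac.compare_digest(validator(key), check):
        return None
    return xor(ct, keystream(key, len(ct)))


def first_char_plausible(name: str) -> bool:
    """Hypothetical stand-in for the first-character test the quote describes:
    keep only names that do not start with a plain ASCII letter or digit."""
    return bool(name) and not (name[0].isascii() and name[0].isalnum())


def dictionary_attack(check, ct, programfiles_candidates, path_candidates):
    """Analyst side: no victim machine, so guess the environment strings.
    Returns (programfiles_entry, path_entry, plaintext) or None."""
    for pf in programfiles_candidates:
        if not first_char_plausible(pf):
            continue  # prune: cannot be the target according to the first-char check
        for p in path_candidates:
            pt = try_unlock(check, ct, pf, p)
            if pt is not None:
                return pf, p, pt
    return None


# Constructed sample target and wordlist (invented for the example).
TARGET_PF = "~Ctrl"                  # hypothetical name starting with a special symbol
TARGET_PATH = r"C:\Windows\system32"
COMMON_PF = ["Microsoft Office", "Internet Explorer", "Common Files", "Java"]
COMMON_PATH = [r"C:\Windows\system32", r"C:\Windows"]
PAYLOAD = b"<second-stage would go here>"

CHECK, CIPHERTEXT = lock_payload(PAYLOAD, TARGET_PF, TARGET_PATH)

if __name__ == "__main__":
    print("wrong box :", try_unlock(CHECK, CIPHERTEXT, "Java", TARGET_PATH))
    print("wordlist  :", dictionary_attack(CHECK, CIPHERTEXT, COMMON_PF, COMMON_PATH))
    print("+ target  :", dictionary_attack(CHECK, CIPHERTEXT, COMMON_PF + [TARGET_PF], COMMON_PATH))
```

The two points worth noticing are why the design frustrates an analyst. First, a wrong guess yields only a validator mismatch, never partial plaintext, so there is nothing to iterate on except the wordlist itself. Second, the ordinary Program Files wordlist is eliminated entirely by the first-character filter, which is the situation the quote describes: the remaining search space is names in an extended character set or beginning with a special symbol, and each guess costs a full run of the iterated hash.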

There's more information here.