
Wednesday, August 15, 2012

Kaspersky Labs Seeks Help From the Community to Crack Gauss



Kaspersky Labs is having a difficult time cracking the encrypted payload delivered by the Gauss malware toolkit. The payload reaches machines via an infected USB stick that uses the .lnk exploit to run the malicious code. In addition to the encrypted payload, two other files that also contain encrypted sections are delivered to the machine; Kaspersky has been unable to crack these files either. “We are asking anyone interested in cryptology, numerology and mathematics to join us in solving the mystery and extracting the hidden payload,” the researchers write in a blog post published Tuesday.

The spyware, dubbed Gauss after a name found in one of its main files, includes a module that targets online banking, capturing login credentials for accounts at several banks in Lebanon as well as for customers of Citibank and PayPal. Gauss has been distributed in the Middle East for at least 10 months; it was designed to intercept the data required to work with those banks and to collect information about the systems it infects. The infections are not confined to the region, however: more than 2,500 unique PCs in 25 countries, including the United States and Germany, have been infected with Gauss modules, and Kaspersky Labs suspects the real figure is much higher.

What concerns Kaspersky most, though, is the malware's mysterious payload, stored as resource “100,” which Kaspersky fears could be designed to cause some sort of destruction against critical infrastructure. “The [encrypted] resource section is big enough to contain a Stuxnet-like SCADA targeted attack code and all the precautions used by the authors indicate that the target is indeed high profile,” Kaspersky writes in its blog post.
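Before anyone can attack a payload's encryption, an analyst first has to confirm that an embedded blob is actually encrypted (or compressed) rather than plain code or data. The usual first check is a sliding-window Shannon-entropy scan of the file image. The script below is an added example written for this page, not Kaspersky Lab's tooling and not any Gauss component; the sample "image" it scans is constructed from a repeated pangram around 4 KiB of SHA-256 output standing in for an encrypted resource, so it runs offline. The window size, threshold and the name "resource 100" in the comments are assumptions for the demonstration.

```python
# Added example (not from the original post or from Kaspersky Lab):
# sliding-window Shannon-entropy scan, the first triage step for deciding
# whether an embedded blob such as a large PE resource is encrypted or
# compressed rather than plain code or text.
import hashlib
import math
from collections import Counter
from typing import List, Optional, Tuple


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) computed from the byte histogram of buf."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def high_entropy_regions(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Return [(start, end), ...] byte ranges built from consecutive windows whose
    entropy is >= threshold. Plain x86 code and text usually score 4 to 6.5 bits;
    encrypted or compressed data sits close to 8, so 7.0 separates them cleanly
    (assumed values; tune against your own corpus)."""
    regions: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for off in range(0, len(data), window):
        if shannon_entropy(data[off:off + window]) >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def largest_region_size(data: bytes) -> int:
    """Size in bytes of the biggest high-entropy run, i.e. the candidate payload."""
    return max((end - start for start, end in high_entropy_regions(data)), default=0)


# Constructed sample image (not real Gauss data): 2 KiB of low-entropy text on
# either side of a 4 KiB blob of SHA-256 output that plays the role of an
# encrypted "resource 100".
PLAIN_TEXT = (b"The quick brown fox jumps over the lazy dog. " * 46)[:2048]
ENCRYPTED_BLOB = b"".join(
    hashlib.sha256(b"demo-resource-100" + i.to_bytes(4, "little")).digest()
    for i in range(128)
)  # 128 * 32 = 4096 bytes
SAMPLE_IMAGE = PLAIN_TEXT + ENCRYPTED_BLOB + PLAIN_TEXT


if __name__ == "__main__":
    for start, end in high_entropy_regions(SAMPLE_IMAGE):
        print(f"high-entropy region 0x{start:x}-0x{end:x} ({end - start} bytes)")
    print(f"largest candidate payload: {largest_region_size(SAMPLE_IMAGE)} bytes")
```

A hit only says "not plaintext": compressed data scores just as high as ciphertext, so the next step is to check the region's first bytes for known compression headers before assuming a cipher. Running the scan over the whole PE image rather than a single resource also reveals whether other sections (the two extra files the post mentions, for instance) carry similar blobs.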

The genesis of Gauss appears to lie in the Flame malware identified in May; the platform has several similarities to Flame, Kaspersky said. "There's no doubt Gauss comes from the same factory which produced Flame," Roel Schouwenberg, senior researcher at Kaspersky Lab, told TechNewsWorld. "They're built on the same platform." The first known Gauss infections occurred around September 2011, Kaspersky Lab said. The platform's creators have modified different modules several times and changed command server addresses. The command servers went offline in the middle of July, while Kaspersky Lab researchers were examining Gauss.

Frank Toscano is a specialist with more than 15 years in cloud-based services, focusing on product management, marketing and security in the cloud. He has worked for EasyLink Services and Premiere Global Services in a global role providing hosted services to Fortune 1000 clients. He is currently seeking employment with a cloud-based provider in a senior-level product/marketing role.
