Anti-virus maker and web security firm Kaspersky Lab, has begun reaching out to the world wide community with a plea for help. It’s looking for those interested in cryptology, numerology and maths, with the hope that someone will be able to help it crack an encryption key for a warhead delivered by the Gauss malware toolkit.
Hidden within Gauss is a module known as “Godel,” that features an encrypted payload. Using strings from the infected system, Gauss itself decrypts and activates it. The problem is: Kaspersky hasn’t been able to break the encryption itself. In order to fully understand how this malware works, it needs to crack it, and that’s where you could come in.
Kaspersky described how Gauss uses the .lnk exploit to execute itself, when an infected USB stick is attached to a machine. Two files then begin gathering various information from the target, specifically looking for some sort of configuration, though Kaspersky has no idea what that is. If the right setup is found, from this data, the decryption key is generated dynamically, making it incredibly difficult to read or extract the contents of the malware payload.
“We have tried millions of combinations of known names in %PROGRAMFILES% and Path, without success,” Kaspersky writes in its post. “[T]he attackers are looking for a very specific program with the name written in an extended character set, such as Arabic or Hebrew, or one that starts with a special symbol such as “~”.”
KitGuru Says: Considering Gauss is a nasty bit of code that targets bank account details, stripping it bare and understanding how it works is important. Got an idea or simply want to read a bit more? You can contact the researchers and they’ll provide you with everything they know so far. Just email [email protected]