The mystery wrapped inside a riddle that is the Gauss malware’s encryption scheme may be closer to falling. Late last week, researcher Jens Steube, known as Atom, released a tool that should bring experts closer to breaking open the encryption surrounding the espionage malware’s payload.
The tool, called oclGaussCrack, accelerates the process of calculating the hash value of Gauss’ known cipher scheme, Steube said.
“If it matches, we know we have used the correct key and we can use it to decrypt the encrypted payload,” Steube said. “This process is very time-consuming since it takes a lot of calculations. It is so many that we cannot simply brute-force the key. We need a targeted attack to crack it.”
Gauss, along with Flame, Wiper, MiniFlame and other malicious code used in state-sponsored espionage campaigns, was one of the most concerning stories of 2012. What separated Gauss from Flame and the others was its focus on attacking financial services organizations.
Gauss is a banking Trojan targeting Windows machines in the Middle East; it can also infect USB sticks in order to spread to other machines. It steals data such as system and network information, browser cookies, passwords and more. It also installs a custom Palida Narrow font on infected systems, for reasons still unknown, and carries an encrypted payload that is activated only on systems configured in certain ways.