Last Friday, Russia-based Kaspersky Lab launched a free tool to detect Gauss, but analysts have yet to uncloak a mysterious component of the trojan.
As a result, the company is inviting the public – particularly those with an interest in cryptography, mathematics or reverse engineering – to help find Gauss’s decryption keys and unlock this hidden payload.
There is a known payload within Gauss as well. It has targeted Lebanese bank accounts, which led Kaspersky to detect the malware after spotting similarities between the program and Flame, a complex virus also responsible for a wave of cyber attacks in the Middle East. So far, the trojan has infected at least 2,500 computers, primarily in Lebanon, and has the ability to steal usernames and passwords from banks, as well as data from emails and social networking sites.
But Gauss’ mystery payload is located in a USB data-stealing module designed to attack specific systems installed on a victim’s computer, like files, programs and directories. Once the USB module connects to its desired system, it runs cryptographic hash function MD5 10,000 times in order to calculate the decryption key and unlock the payload.
What the payload is capable of — whether it is designed to attack critical infrastructure as was the case with the Stuxnet worm — is not yet known, but very possible, Kaspersky researchers have said.
In an email, Kurt Baumgartner, senior security researcher at Kaspersky, told SCMagazine.com that researchers often seek out public assistance.
“Security researchers for both vendors and handlers work in private working groups in addition to public efforts,” Baumgartner wrote. “In the public spectrum, collaboration is very common in both the reverse engineering and anti-malware communities.”
“The practice is done in a safe and secure way,” Baumgartner wrote. “Experts often share and exchange information on certain projects with relevant pieces of code or samples.”