{"id":1389,"date":"2013-03-15T12:26:33","date_gmt":"2013-03-15T16:26:33","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=1389"},"modified":"2013-03-15T12:26:33","modified_gmt":"2013-03-15T16:26:33","slug":"puzzle-box-the-quest-to-crack-the-worlds-most-mysterious-malware-warhead","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/03\/15\/puzzle-box-the-quest-to-crack-the-worlds-most-mysterious-malware-warhead\/","title":{"rendered":"Puzzle box: The quest to crack the world\u2019s most mysterious malware warhead"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2013\/03\/the-worlds-most-mysterious-potentially-destructive-malware-is-not-stuxnet\/\"><img data-recalc-dims=\"1\" height=\"500\" width=\"640\" decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/03\/uncrackable-gauss-640x500.jpg?resize=640%2C500\" \/><\/a><\/p>\n<p>It was straight out of your favorite spy novel. The US and Israel felt threatened by Iran&#8217;s totalitarian-esque government and its budding nuclear program. If this initiative wasn&#8217;t stopped, there was no telling how far the growing conflict could escalate. So militaries from the two countries reportedly turned to one of the most novel weapons of the 21st century: malware. The result was Stuxnet, a powerful computer worm designed to sabotage uranium enrichment operations.<br \/>\nWhen Stuxnet was found infecting hundreds of thousands of computers worldwide, it was only a matter of time until researchers unraveled its complex code to determine its true intent. Today, analysts are up against a similar challenge. But they&#8217;re finding considerably less success taking apart the Stuxnet cousin known as Gauss. A novel scheme encrypting one of its main engines has so far defied attempts to crack it, generating intrigue and raising speculation that it may deliver a warhead that&#8217;s more destructive than anything the world has seen before.<br \/>\nGauss generated headlines almost immediately after its discovery was documented last year by researchers from Russia-based antivirus provider Kaspersky Lab. State-of-the-art coding techniques that surreptitiously extracted sensitive data from thousands of Middle Eastern computers were worthy of a James Bond or Mission Impossible movie. Adding to the intrigue, code signatures showed Gauss was spawned from the same developers responsible for Stuxnet, the powerful computer worm reportedly unleashed by the US and Israeli governments to disrupt Iran&#8217;s nuclear program. Gauss also had links to the highly advanced Flame and Duqu espionage trojans.<br \/>\nGauss contains module names paying homage to the German mathematicians and scientists Johann Carl Friedrich Gauss, Kurt Friedrich G\u00f6del, and Joseph-Louis Lagrange. Its noteworthy features only start there. Gauss has the ability to steal funds and monitor data from clients of several Lebanese banks, making it the first publicly known nation-state sponsored banking trojan. It&#8217;s also programmed to collect a dizzying array of information about the computers it infects\u2014including its network connections, processes and folders, BIOS, CMOS, RAM, and both local and removable drives.<br \/>\nBut the most intriguing characteristic of Gauss is an encrypted payload that has so far remained undeciphered, despite the best efforts of cryptographers who have already tried millions of possible keys. Tucked deep inside the G\u00f6del module, the secret warhead is loaded onto USB sticks and removable drives when they&#8217;re connected to Gauss-infected machines. When the drives are plugged into an uninfected computer later, the mysterious code is executed\u2014but only if it encounters the specific machine or machines targeted by the Gauss developers. On every other computer, the module remains cloaked in an impenetrable envelope that prevents researchers and would-be copycats from reverse engineering the code. The extreme stealth has stoked speculation that the payload may contain a potent exploit that could rival the Stuxnet attack that was bent on destroying uranium centrifuges inside Iran&#8217;s high-security Natanz enrichment facility. Certainly not your everyday malware.<br \/>\n&#8220;Considering the link with Flame and Stuxnet, the payload of Gauss must be of similar magnitude,&#8221; Costin Raiu, director of Kaspersky Lab&#8217;s global research and analysis team, told Ars. &#8220;Given how careful the attackers were to make sure the Gauss payload doesn&#8217;t fall into the &#8216;wrong&#8217; hands, we can assume it is very special.&#8221;<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2013\/03\/the-worlds-most-mysterious-potentially-destructive-malware-is-not-stuxnet\/\"><img data-recalc-dims=\"1\" height=\"392\" width=\"640\" decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/03\/gauss-architecture-640x392.png?resize=640%2C392\" \/><\/a><\/p>\n<p>Full Story: <a href=\"http:\/\/arstechnica.com\/security\/2013\/03\/the-worlds-most-mysterious-potentially-destructive-malware-is-not-stuxnet\/\" target=\"_blank\">Puzzle box: The quest to crack the world\u2019s most mysterious malware warhead | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It was straight out of your favorite spy novel. The US and Israel felt threatened by Iran&#8217;s totalitarian-esque government and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9,10],"tags":[411,655,1048],"class_list":["post-1389","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-technology","tag-gauss","tag-malware","tag-stuxnet"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-mp","jetpack-related-posts":[{"id":6294,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/27\/research-team-creates-undetectable-malware-bound-to-legitimate-software-downloads\/","url_meta":{"origin":1389,"position":0},"title":"Research team creates undetectable malware bound to legitimate software downloads","author":"NCCT","date":"August 27, 2014","format":false,"excerpt":"Most cyber attacks from your typical home hacker, come by way of techniques used 10 years ago or more like phishing scams, poor password management, and things of that nature. But now it seems as though a research team from Germany has developed on all new strain of malware. The\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6960,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/11\/25\/stealthy-sophisticated-regin-malware-has-been-infecting-computers-since-2008\/","url_meta":{"origin":1389,"position":1},"title":"Stealthy, sophisticated &#8216;Regin&#8217; malware has been infecting computers since 2008","author":"NCCT","date":"November 25, 2014","format":false,"excerpt":"Symantec researchers have identified a particularly sophisticated piece of malware, called \u201cRegin\u201d that was likely developed by a nation state and has been used to spy on governments, infrastructure operators, businesses, researchers and individuals since at least 2008. \u201cRegin displays a degree of technical competence rarely seen,\u201d Symantec said in\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8210,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/05\/05\/this-terrifying-malware-destroys-your-pc-if-detected\/","url_meta":{"origin":1389,"position":2},"title":"This terrifying malware destroys your PC if detected","author":"NCCT","date":"May 5, 2015","format":false,"excerpt":"A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims. The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window. It is being spread through spam and\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6142,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/06\/department-of-homeland-security-warns-retailers-of-backoff-pos-malware-techspot\/","url_meta":{"origin":1389,"position":3},"title":"Department of Homeland Security warns retailers of &#8216;Backoff&#8217; POS malware &#8211; TechSpot","author":"NCCT","date":"August 6, 2014","format":false,"excerpt":"The Department of Homeland Security yesterday issued an alert about a point-of-sale malware that was used in a string of recent attacks by cyber criminals. Dubbed Backoff, the malware has been witnessed on at least three separate forensic investigations since late 2013 and continues to operate today. According to US-CERT,\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8453,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/07\/07\/zeusvm-malware-building-tool-leak-may-cause-botnet-surge\/","url_meta":{"origin":1389,"position":4},"title":"ZeusVM malware building tool leak may cause botnet surge","author":"NCCT","date":"July 7, 2015","format":false,"excerpt":"The Internet could see a new wave of botnets based on the ZeusVM banking Trojan after the tools needed to build and customize the malware program were published online for free. The source code for the builder and control panel of ZeusVM version 2.0.0.0 was leaked sometime in June, according\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3106,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/05\/attackers-reported-seeding-cloud-services-with-malware\/","url_meta":{"origin":1389,"position":5},"title":"Attackers reported seeding cloud services with malware","author":"NCCT","date":"August 5, 2013","format":false,"excerpt":"LAS VEGAS -- Malware writers are ramping up their use of commercial file hosting sites and cloud services to distribute malware programs, security researchers said at this week's Black Hat conference here. Traditionally, malware writers had distributed their malicious code from their own sites. But as security vendors get better\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=1389"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1389\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=1389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=1389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=1389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}