Thursday, August 9, 2012

GAUSS: Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload

The Gauss payload appears to be highly targeted against machines that have a specific configuration: that configuration is used to generate the key that unlocks the payload's encryption.

So far the researchers have been unable to determine what configuration generates the key. They’re asking for assistance from any cryptographers who might be able to help crack the code.

“We do believe that it’s crackable; it will just take us some time,” says Schouwenberg. He notes that using a strong encryption key tied to the configuration illustrates the great effort the attackers put into controlling their code and preventing others from getting hold of it to create copycat versions, something they may have learned from mistakes made with Stuxnet.
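The "crackable" claim above rests on how large the space of candidate configurations is. The following is an added illustration, not code from the article or from any analysis of Gauss: it assumes a simplified scheme in which the unlock key is SHA-256 of a configuration string (here a hypothetical program directory path) and the sample carries only a verification digest of that key, so an analyst can test guesses without ever seeing the key. The search enumerates constructed candidate paths and reports the cost, which is the quantity that decides whether a dictionary search is realistic.

```python
import hashlib
import itertools
from typing import Iterable, Optional, Tuple

# Assumed (not from the article) key derivation: key = SHA-256(config string).
def derive_key(config: str) -> bytes:
    return hashlib.sha256(config.encode("utf-8")).digest()

# Assumed verification check: the sample stores SHA-256(key) and unlocks only when
# the digest of the derived key matches. The key itself is never stored.
def verification_digest(key: bytes) -> bytes:
    return hashlib.sha256(key).digest()

# Constructed example: the configuration the (hypothetical) payload was keyed to.
# An analyst would not know this; only STORED_DIGEST is visible in the sample.
_SECRET_CONFIG = r"C:\Program Files\ExampleBank\Client"
STORED_DIGEST = verification_digest(derive_key(_SECRET_CONFIG))

# Constructed fragments an analyst might assemble into candidate directory paths.
ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)"]
VENDORS = ["ExampleBank", "OtherBank", "Acme"]
PRODUCTS = ["Client", "Agent", "Toolbar"]

def candidate_configs() -> Iterable[str]:
    """Yield every root\\vendor\\product combination (constructed dictionary)."""
    for root, vendor, product in itertools.product(ROOTS, VENDORS, PRODUCTS):
        yield f"{root}\\{vendor}\\{product}"

def find_unlocking_config(candidates: Iterable[str],
                          stored_digest: bytes) -> Tuple[Optional[str], int]:
    """Return (matching config or None, number of candidates tried).

    Each attempt costs two hashes; with a small dictionary this is instant,
    but a key tied to enough host-specific detail makes the space too large
    to enumerate, which is the defensive point of the technique.
    """
    tried = 0
    for config in candidates:
        tried += 1
        if verification_digest(derive_key(config)) == stored_digest:
            return config, tried
    return None, tried

if __name__ == "__main__":
    match, attempts = find_unlocking_config(candidate_configs(), STORED_DIGEST)
    print(f"tried {attempts} candidates, match: {match!r}")
```

The dictionary here has only 18 entries, so the search succeeds immediately; the analysis question for a real sample is how many bits of unpredictable host state feed the key, and a search over a hash-only check like this is exactly the sort of cryptanalytic help the researchers were asking for.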

According to Kaspersky, Gauss appears to have been created sometime in mid-2011 and was first deployed in September or October of last year, around the same time that DuQu was uncovered by researchers in Hungary.

DuQu was an espionage tool discovered on machines in Iran, Sudan, and other countries around August 2011 and was designed to steal documents and other data from machines.

Stuxnet and DuQu appeared to have been built on the same framework, sharing identical components and similar techniques.

Flame and Stuxnet also shared a component, and now Flame and Gauss have been found to be using similar code as well.

Kaspersky discovered Gauss only this past June, while looking for variants of Flame.

Source: Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload | Threat Level | Wired.com
