Does it have to be anything
Except a way of causing security experts to waste time looking for a non-existent needle in a haystack.
Antivirus experts have called on cryptographers and other clever bods for help after admitting they are no closer to figuring out the main purpose of the newly discovered Gauss supervirus. While it's known that the complex malware features many information-stealing capabilities, with a specific focus on capturing website …
> Except a way of causing security experts to waste time looking for a non-existent needle in a haystack.
I can, I wrote it.
unless it uses a $ for an S, 0 for an O
*the one with P4$$w0rd5 f0r B3g1nn3r$ in the inside hidden pocket
From the description on Kaspersky's blog, this is a textbook implementation of Bruce Schneier's "clueless agents" idea. Virus writers had discovered it on their own in the early DOS days, but the encryption used then was sloppy (essentially a trivial Vigenère variant) and easily breakable. The people behind the Gauss thingy were obviously pros and implemented it properly - as I predicted would happen in a paper of mine presented at the RSA crypto conference in Tokyo in 2004.
There is no hope of breaking the code except by luck (i.e., the anti-virus researchers happen to stumble upon an infected system that contains the file names the virus is looking for) or by breaking the RC4 cypher, which isn't doable by amateurs (i.e., it requires the resources of a nation-state). That, or unexpected advances in cryptanalysis, discovering holes in the RC4 cypher - but I wouldn't bet on that happening any time soon, either.
James Riordan and Bruce Schneier, "Environmental Key Generation Towards Clueless Agents," Mobile Agents and Security, Springer-Verlag, 1998, pp. 15-24.
Dmitry Gryaznov, "Analyzing the Cheeba Virus," EICAR Conference, 1992, pp. 124-136.
Dr. Vesselin Bontchev, "Cryptographic and Cryptanalytic Methods Used in Computer Viruses and Anti-Virus Software," RSA Conference, 2004.
If they do manage to break it (which you deem unlikely and I agree) won't the folks with the soppiest brown trousers be the NSA/CIA/FSB/MOSSAD/MI-x because it may point to a gaping crack in other encryption methods?
> There is no hope of breaking the code except by luck (i.e., the anti-virus researchers happen to stumble upon an infected system that contains the file names the virus is looking for)
So why don't they improve on luck by creating a "Could It Be Me" web page and invite all those interested in this sort of thing to try their luck. The page could provide a mechanism for the user to check their own system for files with the required characteristics.
They may then hit on some good candidates for the decryption key.
"There is no hope breaking the code except by luck"
...the creators of Flame have not made an implementation mistake, such as enciphering two plaintexts with the same key (which they haven't, according to the Kaspersky webpage).
As you are a crypto expert, could the RC4 weakness of the first few bytes being strongly correlated to the key be used in this case?
The same Vesselin Bontchev who used to fight DOS viruses like v512 and the likes?
Something like this has most probably been done already - a custom program that checks the user's file system for file names that would produce the correct hash, offered to the victims. This is exactly the first step Gryaznov took when trying to crack the Cheeba code - and it yielded nothing, so he used better means. Even if this succeeds, I would still classify it as "luck" and wouldn't rely on it.
If RC4 had such a weakness, it would be considered a "toy" cipher, not a real one. :-)
I am not a crypto expert, BTW. I'm a computer virus expert. Crypto is just a hobby of mine and I'm nothing but an informed amateur there.
See: http://en.wikipedia.org/wiki/RC4#Security
The standard approach to mitigate that is to throw away the first 3K of RC4 keystream.
The very same. :-) It's nice that someone still remembers a dinosaur like me.
Never use "brown trousers" and "gaping crack" in the same sentence ever again, you hear?
It is a pleasure, sir. Genuinely.
And I second your argument. While RC4 does have some known weaknesses, none really apply to this particular style of implementation.
About the best chance possible right now is a Gauss@Home Project in which people donate processing power to a distributed brute-force attempt.
Presumably the encrypted parts must be unencrypted at some point to be of use. This is a genuine question. How possible is it to monitor this thing and see what they are when they are opened up? Presumably the keys to the package are stored elsewhere. Is it possible to run this thing in a VM under a variety of different circumstances that might trigger it to go get the keys and do whatever it is it's supposed to do, and see what the RAM contains at that point or else grab the keys as they are retrieved?
I won't be the first person who has ever thought of that, so what stops it working?
"About the best chance possible right now is a Gauss@Home Project in which people donate processing power to a distributed brute-force attempt."
Given the possible state involvement of this thing, and that breaking open the package might actually yield a clue to that, there could actually be a lot of interest from people in participating in such a project. How easy would it be to set up the software and system to try and brute-force this?
> The very same. :-)
Wow, back in the day as a sub-teen kid, reading the stories of what kind of tricks [the ax=13h, int 21h (virus friendly interrupt)] viruses employed was so damn exciting. I bet I can still quote some phrases.
I wonder if any DOS virus actually reprogrammed the 8259 PIC (in nowadays terms that would be the perfect keylogger)?
And no, I never wrote a virus myself.
That is true, but we (I am the first author) suggested a number of fairly precise targeting mechanisms that would require knowledge of the intended execution environment (e.g. the secret is _which_ environment is targeted). The paper is available at
and I think it is pretty readable as crypto papers go.
It's designed to break out and infect the computer of anyone smart enough to decrypt it!
Dan Brown said it, so it must be true.
I suppose the virus payloads have to be deposed in the pattern of a REGULAR PENTAGRAM around the AXIS OF EVIL, which currently (as per decree of our WISE OVERLORDS including BLACK POTUS, runs through TEHRAN with LEY LINES into DAMASCUS and possibly BEIJING) upon which the STARS WILL BE RIGHT and the simultaneous opening of the CRYPTO PAYLOAD will cause a STRANGE AEONS EVENT ushering in WORLD DOMINATION of the BLUE FORCES allied with the nethermost kraken of DREAMS.
I hope you have CASE NIGHTMARE GREEN one phonecall away.
Is that you, amanfromMars? :)
BASHFUL INCENDIARY? Is that you?
Can't be -- capitalisation is wrong and it reads as more of a rant.
AMFM gives us something to puzzle over - usually it's pretty good when deciphered.
CASE NIGHTMARE GREEN - from Charles Stross' Laundry series of books. Lovecraftian spy thrillers.
How the heck did I not spot that instantly. Senile at 23 apparently.
El Reg encrypted thus:
"The general concuss among security experts is that Gauss"
that I decrypted thus:
"The general consensus among security experts is that Gauss"
I read the two sentences, didn't see a difference.
I read them again, because your post made no sense to me, I mean what were you talking about, those two sentences are the same.
But wait, they're not the same length, SOMETHING is going on! Only caught it on the 3rd pass, comparing word for word visually :(
...that hurts indeed.
> Only caught it on the 3rd pass, comparing word for word visually :(
diff is your friend
I think they mean they are all banging their heads against a wall with this.
After scanning through reams of code looking for differences, I use the good old method of looking for where the spaces don't line up.
Don't they have a debugger that they can run the virus under until it has unencrypted itself - then they should be able to see what it is looking for (and satisfy its search so they can see what it does when it finds what it is looking for!)
Mine's the one with the assembler card in the pocket...
The problem is the decryption routine needs the unknown filename as a key, so they can't run it in a debugger until they know the filename. Once they know the filename, it's easy (unless the Gauss writers put some traps in)...
Detecting, in an obfuscated way, a debugger in use is very easy.
You'd just change code path and mislead the cracker. You then do something in retaliation at a later time.
> the so-called Duqu Framework was developed using plain old Object-Oriented C
Well, "plain old Object-Oriented C" does not really exist because it's not a common way of doing things, is it?
The last I heard was the Duqu framework was written in something extremely similar to SOOC and that SOOC was open-sourced after parties unknown (*cough*) developed Duqu. I don't know whether anyone followed up on this bizarre reverse causality. Maybe someone did and has "fallen off a balcony" or something.
Can someone explain for interested armchair spectators: what exactly is used as the key? (e.g. what different filenames is it trying, everything in a particular folder perhaps, everything longer than a certain length), and how does the program know it has succeeded? (I assume it doesn't continually attempt to execute gibberish, is it testing for a short string?).
PS Installing a new font is strange, any theories?
El Reg wrote in TFA: More details and a technical description of the problem are available in a blog post here.
That's a clue for you to move your mouse cursor to the pretty blue underlined word 'here' and click the left mouse button. Or the right button if you've got it set up for left-handers. If you're reading with lynx, ignore the mouse. Use cursor keys to move the cursor before the word 'here', and press Enter. That should set you on the path!
You really should read the explanation and description of the algorithm on Kaspersky's blog (referenced near the end of the ElReg article). It can't be explained simpler than that, sorry.
The virus knows that it has found the right file because the cryptographic hash of the file name matches a value hard-coded in the virus. But since crypto hashes are not reversible, we can't know what the file name is just by knowing the hash. And when the right name is found, the virus uses a DIFFERENT crypto hash of it as a decryption key. So, we can't find the key without finding the file name.
It is like this. Suppose that a secret agent has been given a locked case with instructions what to do. He doesn't have a key to the case, and doesn't know where to find it, but he's given a pretty good description of the key. So, he wanders around aimlessly, looking for the key. You have captured the agent and have interrogated him. He has told you everything he knows - but he can't tell you what he doesn't know. He's clueless regarding his secret instructions. So, you have two choices. Either start wandering aimlessly around, looking for the key by its description (which the agent has told you), or try to break the locked case, which is very hard to do.
You seem to be saying that there is no point looking for the right filename as it is just a matter of luck, and also that there is no point trying to crack the encryption.
That seems to exhaust the possibilities of a direct approach, so what, then, do you suggest?
> The virus knows that it has found the right file because the cryptographic hash of
> the file name matches a value hard-coded in the virus
OK, I've not read the blog post, so this might be a somewhat misguided comment, but is this the sort of thing that could be crowdsourced?
If we've got the hash - and that's the bit I've not checked - it would be entirely possible to write a hash-checker, to test each file in the system against that hash and report any matches. Distribute that program - with source, to satisfy us paranoid types - and see who reports matches, and against what...
It's a targeted brute-force attack; we can be reasonably sure that the hash will match a file on someone's computer.
This reads like the Batman line about the accountant trying to blackmail the richest man in the world who goes out at night and kicks the shit out of bad guys.
I would be very wary of having anything to do with this software, let alone putting it near my PC.
The AV company did try millions of file names they have in their database. The filename needs a special character (basically anything non-ASCII, except '~') in the path; it is likely to be targeting a non-English-speaking country, hence greatly shrinking the available crowd.
However there is an easy way to protect from the virus - just all files have to have ASCII names (no ~, though) --- even w/o running the hashcode checker.
> The filename needs a special character (basically anything non-ASCII, except '~') in the path
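The mechanism Bontchev describes (hash of the name compared against a hard-coded value, a different hash of the same name as the would-be key) and the crowd-sourced checker proposed above, as an added illustration that is not code from the thread, from Kaspersky or from the Gauss sample. The hash functions, the 16-byte key size, the sample paths and the target value are all constructed assumptions; the page gives none of the real ones.

```python
import hashlib

# Added example, not from the thread: the candidate checker the commenters propose.
# Hash choices are ASSUMED for illustration; the real sample's hash functions and
# hard-coded value are not given on this page.

def match_hash(path_name: str) -> str:
    """Hash the agent compares with its hard-coded value (SHA-256 assumed)."""
    return hashlib.sha256(path_name.encode("utf-8")).hexdigest()

def key_material(path_name: str) -> bytes:
    """A DIFFERENT hash of the same name, the would-be decryption key (SHA-512 assumed).
    Matching the stored value never reveals this; only the name itself does."""
    return hashlib.sha512(path_name.encode("utf-8")).digest()[:16]

def needs_check(path_name: str) -> bool:
    """Pre-filter from the thread: only paths containing a non-ASCII character or '~'
    are worth hashing, so pure-ASCII names can be skipped."""
    return any(ord(c) > 127 or c == "~" for c in path_name)

def find_candidates(path_names, target_hash: str):
    """Return every path whose match hash equals the hard-coded value.
    This is the 'try your luck' search: it cannot invert the hash, only confirm a guess."""
    return [p for p in path_names if needs_check(p) and match_hash(p) == target_hash]

# Constructed file-system listing; the second entry plays the 'right' name here.
SAMPLE_PATHS = [
    "C:\\Users\\alice\\readme.txt",
    "C:\\Program Files\\Společné\\config.dat",
    "C:\\Temp\\backup~1.zip",
]
# Constructed hard-coded value; a real checker would lift it from the analysed sample.
TARGET_HASH = match_hash("C:\\Program Files\\Společné\\config.dat")

def demo():
    """Run the checker over the constructed listing and derive key material for hits."""
    hits = find_candidates(SAMPLE_PATHS, TARGET_HASH)
    return hits, {p: key_material(p) for p in hits}

if __name__ == "__main__":
    hits, keys = demo()
    for p in hits:
        print("match:", p, "key material:", keys[p].hex())
```

A near miss (a name differing by one character) fails the comparison and would yield unrelated key material, which is why the search offers no partial progress.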
Yes, that's why I suggested crowd-sourcing it. That gives you a much higher probability of having the target file on your system than doing the test in a single locale...
> it is likely to be targeting non English speaking country
Indeed. It would make sense to look for it in that sort of locale, then, wouldn't it?
Skynet is ready to reach singularity, and is looking for the final software modules it needs.
Sounds like a fairly standard Kuang Grade Mk 11 penetration program.
Heh. I had to smile reading that, given that Mr. Bontchev has been posting responses here atm. I'm thinking, of course, of his paper "Possible Virus Attacks Against Integrity Programs and How to Prevent Them":
http://www.people.frisk-software.com/~bontchev/papers/attacks.html (search for "Kuang").
As for the concept of multi-partite, oblivious agent-style viruses... super interesting. Even though the concept is very old, there are lots of fairly new techniques that could be applied. Chaffing and Winnowing (perhaps together with an all-or-nothing transform, and/or time-dependent hashing algorithms or cryptographic time servers) looks like one way of approaching it. Secret sharing schemes (Shamir, Rabin) with cryptographic accumulators (to validate a collection of parts as constituting a whole) is another. Then there's homomorphic encryption combined with polymorphic engines, but I don't think that's practical yet, despite recent advances.
It is very interesting to consider how a swarm of agents can combine to become greater than the sum of their parts and survive as a collection even when individual components are being teased apart and eradicated. Mathematically and architecturally, at least. It's equally important to remember, though, that these "perfect" (in some senses of the word) systems are being controlled by external agents, increasingly for nefarious purposes, as opposed to latter-day virus writers who did it purely for the technical challenge. That, in my opinion, is the weakest point. Sure, it would be nice to crack the key in this case, but wouldn't it be even nicer if we could trace the swarm back to its controllers?