
The Mystery of the Encrypted Gauss Payload - jgrahamc
http://www.securelist.com/en/blog/208193781/The_Mystery_of_the_Encrypted_Gauss_Payload
======
jgrahamc
The core of this is 'find X' such that

    md5(md5(...10,000 times...(md5(X + salt)...)) = hash

where salt and hash are known. X is derived from the names of programs
existing on a Windows machine with a particular format.

Or, find a way to calculate

    md5(md5(...10,000 times...(md5(X + salt')...))

given that hash is known and salt' but X is not.

Or alternatively, attempt a known plain text attack against RC4. Given that a
certain amount of plain text is known (4 bytes) at the start of the RC4
payload then it's likely that the first few bytes of the keystream are known
and an attack could be mounted via weakness in the RC4 key schedule.
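
The iterated-MD5 derivation described above, as an added worked example that is not code from the original post or from the Securelist article. The salt, the candidate directory names and the target hash are all constructed here; the real Gauss values are not on this page. It also assumes that only the first round sees the salt (later rounds hash the previous 16-byte digest) and that names are UTF-16LE as Windows stores them; the thread does not settle either point.

```python
import hashlib

# Constructed values for illustration only; NOT the real Gauss salt or hash.
SALT = bytes.fromhex("97482c7cb12fe17c8a4507a7417f1189")
ROUNDS = 10_000


def derive(x: bytes, salt: bytes = SALT, rounds: int = ROUNDS) -> bytes:
    """Apply md5 `rounds` times: the first round hashes X + salt, every
    later round hashes the previous digest (assumption, see lead-in)."""
    digest = hashlib.md5(x + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest).digest()
    return digest


def encode_candidate(name: str) -> bytes:
    # Program Files entries are Unicode; assume UTF-16LE on disk.
    return name.encode("utf-16-le")


def find_match(candidates, target: bytes, salt: bytes = SALT, rounds: int = ROUNDS):
    """Return the first candidate name whose derived digest equals `target`,
    or None. Each candidate costs `rounds` md5 calls, which is the whole
    point of the iteration count: it multiplies the cost of any search."""
    for name in candidates:
        if derive(encode_candidate(name), salt, rounds) == target:
            return name
    return None


def work_factor(n_candidates: int, rounds: int = ROUNDS) -> int:
    """Number of md5 invocations needed to test `n_candidates` names."""
    return n_candidates * rounds


# Constructed candidate list standing in for a directory listing; the
# "~secret" entry plays the role of the unknown X.
SAMPLE_CANDIDATES = [
    "Common Files",
    "Internet Explorer",
    "{931373E2-3DA4-4631-930C-F59510630DA3}",
    "~secret",
    "Windows Defender",
]
# The "known hash" an analyst would be handed; here built from "~secret".
TARGET = derive(encode_candidate("~secret"))

if __name__ == "__main__":
    print("matched:", find_match(SAMPLE_CANDIDATES, TARGET))
    print("md5 calls for this listing:", work_factor(len(SAMPLE_CANDIDATES)))
```

With a correct salt and the right encoding, a listing of a few hundred directory names is checked in well under a second, which is why the thread's search-space question matters far more than the raw hash speed.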

~~~
raverbashing
Well, wasn't MD5 broken?

It should be possible to do a brute force search using a couple of days of EC2
or (insert your favorite cloud provider) here. And by brute force you can try
text search, or just go for the raw bytes. Not sure a collision can work in
this case as well.

~~~
jgrahamc
To recover X + salt you'd be looking at a preimage attack of MD5. I am only
aware of one preimage attack against MD5 and it's only theoretical.

The input to the RC4 key generator is an MD5 hash which means you'd be looking
at doing a brute force attack against an input of 2^128 bits. Assuming you
find the answer on average in 2^127 and you are looking at an enormous search
space.

According to a recent article EC2 has about 500,000 machines. Now assume that
I buy them all and I am able on each machine to check 1,000,000,000 values as
inputs to RC4 per second then I should have the answer in 800,000 times the
age of the universe. But I think my credit card will have been cancelled
first.

~~~
raverbashing
I'd try to bruteforce X (to match the hash), not RC4 at first (though it may
be easier)

PBKDF2 is SHA-1 and 4096 rounds, this shouldn't be impossible

Bonus points if you use FPGAs to calculate MD5s

~~~
jgrahamc
The question is how large that search space is. If you can get a reliable list
of directory names and file names then it might be small, but if you are left
iterating characters in filenames (and this appears to be Unicode) then I'd
imagine you'd run into the same situation.

I'd be much more tempted to look at the fact that the first four bytes of the
RC4 key stream appear to be recoverable and look at key recovery from that.
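
What "the first four bytes of the keystream are recoverable" means in practice, as an added example that is not code from the original post. RC4 is a stream cipher, so ciphertext XOR known plaintext gives the keystream bytes at those positions. The key, header and payload below are constructed; the real Gauss values are not on this page. Note that recovering a keystream prefix is not the same as recovering the key: turning those bytes into the key is exactly the key-schedule attack the post refers to, and this example does not attempt it.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) then `n` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):  # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def recover_keystream_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """An analyst who knows the first len(known_plaintext) bytes of the
    plaintext learns that many keystream bytes, and nothing about the key."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


# Constructed sample: a 16-byte key (e.g. the output of an MD5 chain) and a
# payload whose first 4 bytes are a known header, as the article describes.
SAMPLE_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
KNOWN_HEADER = b"MZ\x90\x00"  # constructed 4-byte known plaintext
SAMPLE_PAYLOAD = KNOWN_HEADER + b"constructed payload body"
SAMPLE_CIPHERTEXT = rc4_crypt(SAMPLE_KEY, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    ks = recover_keystream_prefix(SAMPLE_CIPHERTEXT, KNOWN_HEADER)
    print("recovered keystream prefix:", ks.hex())
    print("matches true keystream:", ks == rc4_keystream(SAMPLE_KEY, 4))
```

The recovered prefix can be used as a fast reject test while searching candidate keys (a candidate whose first four keystream bytes differ is wrong without decrypting anything), but four bytes also mean roughly one false positive per 2^32 candidates, so any hit still needs the full payload checked.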

------
ceautery
The article mentions "~" as a possible starting point, but "{" is also greater
than 7A, which would match all the "InstallShield Installation Information"
subfolders.

~~~
eli
Great point... are those uniquely named based on the application installed?
That might be a nice, oblique way of checking if a particular program is
installed.

~~~
lt
Yes, these are GUIDs in the following format:

{931373E2-3DA4-4631-930C-F59510630DA3}

It seems to me that's a good theory of what it might be looking for, as GUIDs
should make good triggers. I wonder if this reduces the search space enough to
make brute force feasible now.

~~~
Scaevolus
128 bit GUIDs give pairs of 256 bits -- too large to mount an efficient brute
force.

~~~
sp332
But checking _all known_ GUIDs might be more feasible.

~~~
eli
Well, yeah, but where do you get a list of known GUIDs for InstallShield?
Might as well just gather a list of all known Program Files directories.

------
orenmazor
I just imagined the author reading that post and smirking to themselves.

~~~
tjic
My thought exactly - how weird it must be to be inside looking out.

Public key crypto was discovered on the inside long before it was rediscovered
on the outside, and I figure that the insiders must have been amused by
Diffie, Hellman, R, S, and A.

--------

<http://en.wikipedia.org/wiki/Public-key_cryptography#History>

In 1997, it was publicly disclosed that asymmetric key algorithms were
developed by James H. Ellis, Clifford Cocks, and Malcolm Williamson at the
Government Communications Headquarters (GCHQ) in the UK in 1973.[4] These
researchers independently developed Diffie–Hellman key exchange, and a special
case of RSA. The GCHQ cryptographers referred to the technique as "non-secret
encryption". This work was named an IEEE Milestone in 2010.[5]

------
mkup
It looks like it would be easier to bruteforce fixed RC4 key than 10000
iterations of MD5, especially due to known weaknesses of RC4 key schedule.

Name of target software in Program Files is interesting nevertheless. Probably
it's mentioned in the encrypted code/data.

------
mjs
So whilst the malware will infect machines more or less indiscriminately, the
payload itself can only be successfully decrypted (and therefore activated and
executed), on machines that have a specific set of programs installed?

~~~
dkokelley
I think it's actually just one specific program, whose name starts with a
special character or high Unicode character.

------
kayge
"the attackers are looking for a very specific program with the name written
in an extended character set, such as Arabic or Hebrew, or one that starts
with a special symbol such as “~”."

I suppose µTorrent is too obvious... Anyway, these kinds of mysteries help re-
ignite my interest in Cryptography. I'd love to hear feedback from a fellow
HNer about the course from Udacity (perhaps via email since it will probably
be considered off-topic here).

~~~
Achshar
I thought about uTorrent too, but Mu has a hex of 0x03BC. Plus it is a popular
software and in Windows, its folder in Program Files uses 'u' instead of Mu.

<http://www.fileformat.info/info/unicode/char/3bc/index.htm>

------
fryguy
So does this mean that if you're a high profile target, you should immediately
add a random folder to all of your computers in the program files directory?

~~~
ragmondo
No..it means if you are running a specific program which unlocks the code you
are going to have a bad time (I suppose you could rename all of your program
directories though... would that defeat this ?)

~~~
sounds
The full implications of this code are that the attacker already has another
channel to access your machine.

It's not much consolation that you now know that you're being targeted by the
Program Files entries (they're a major pain to rename). It's likely there are
one or more plants inside your operation and they have physical access to the
machine, which is considered game over.

~~~
danielweber
Getting a certain filename onto your computer doesn't sound like a hard
problem. Just send them a mail with an attachment of "398rgf90rej243rf.htm"
that their email client helpfully extracts for them, or have a file with that
name in their web cache when they browse the internet.

~~~
eli
Why would you need to trick someone into saving a file with a particular name?
You already have malware running on their machine!

Seems much more likely that the check is there to confirm that the payload
only runs on specific targets. And, perhaps more importantly, to make recovery
and dissection of the payload very difficult for someone without access to the
target(s).

~~~
rdtsc
If you are a virus and you are too obvious, you are quickly found and
eliminated by the "immune" system. So it is important to stay low on hosts
where there is no benefit in attacking and only use them as vectors of
infection, and only go into full blown activation mode when some specific
trigger is found.

------
meatsock
A good point raised in the comments is that the "Arabic or Hebrew" part really
meant to say a "non-letter US-ASCII value including curly brackets, tilde,
and pipe". Not sure why anyone would want to jump the gun on narrowing down
geography in this way.

~~~
tjic
> not sure why anyone would want to jump the gun on narrowing down geography
> in this way.

Because it's a tool designed to take out Iranian uranium refining tools.

~~~
lifeisstillgood
I think it is fair to say it is a general purpose tool, that was configured at
least once, to take out Uranium refining tools.

So, I would be surprised to find this was not also using, say the parts of
Unicode with Chinese characters as well.

------
trebor
I'd like to see Kaspersky bust one of the Russian government-made viruses. I
see them protecting customers from everyone else...

~~~
DividesByZero
Do you have any examples of such a virus? So far only the US and Israel have
been implicated in the creation of 'weaponised' malware.

------
fleitz
Any chance that the Palida Narrow font is designed to infect printers?

------
sunyc
Checking the prog directory might mean they are looking for a specific machine
with a specific system image.

