Kaspersky crowdsources malware encryption cracks

Security vendor Kaspersky Lab is hoping to crowdsource solutions to help crack the encryption around the newly discovered Gauss malware used to steal people's banking details.

Kaspersky Lab's Global Research and Analysis Team (GReAT) conceded ongoing "mysteries" around the malware, discovered by Kaspersky and thought to target financial institutions largely in the Middle East.

It also remained unsure of how computers became infected and the logic behind some of the Gauss malware's actions, such as installing the Palida Narrow font on infected systems.

The team published some of the information it has about the encrypted payload, dubbed 'Gödel', asking people with an interest in cryptology and mathematics to help find a solution.

GReAT said it was so far unable to open the payload, which is stored in three sections, as the code that decrypts these is "very complex compared to any regular routine we usually find in malware".

Kaspersky Lab has tried millions of combinations of known names in the system directory path without success.

"Of course, it is obvious that it is not feasible to break the encryption with a simple brute-force attack," the team said in a blog post.

"We are asking anyone interested in breaking the code and figuring out the mysterious payload to join us."

The payload is big enough to contain Stuxnet-like code designed to attack critical infrastructure, GReAT said. It indicated the target is likely a high-profile one, similar to the Iranian nuclear enrichment programme hit by malware jointly developed by the United States and Israel last year.

Gauss, a sophisticated malware rootkit, was discovered to have stolen data from Lebanese banks, but also targetted Citibank and Paypal. Over 2500 infections have been recorded since May, with tens of thousands of victims estimated. 

According to Kaspersky Lab, Gauss bears a striking resemblance to the Flame and Duqu malware, with a design that emphasises stealth and secrecy.