Now with the Gauss malware, the cat is out of the bag

The Gauss malware contains an encrypted payload. This payload is only activated during specific circumstances and those circumstances are not yet known and it is possible that they may not be found in the near future.

Come to think of it, this gives every malware author out there the idea to do the same for their malware, even though they may have no reason to. Any malware author might decide form now on to include an encrypted payload (that may actually do nothing or be benign) just for the fun of sending experts on a wild goose chase.

It is in the power of any malware author to make us feel scared, even if her encrypted payload contains nothing of importance. It is as sick as holding a scary puppet in front of a child and terrorizing the child with it. Here, we are the children being terrorized and we cannot know whether we should be afraid of not.

It is easy to do this sick trick. All a malware author has to do is create a payload (that may or may not be benign) and encrypt it with a symmetric encryption key. The encryption key will be calculated by the malware program in each computer. What is important is for the key to be difficult to reverse and computationally expensive to calculate. This is easily done by deriving a string from some environmental variables and then hashing it by iterating a hashing algorithm tens of thousands of times.

The number of iterations will of course be fixed, but it may be better for it to not be a round number, just in case there are rainbow tables for that. For example, there might be rainbow tables for 10,000 iterations of a known one-way hash function. Also, the string should be a long one and the environmental variables from which it is derived should be chosen wisely. For example, the systemdrive environmental variable is not a good candidate, because there are only 26 drives. But an environmental variable that is a string like a directory path, is a good candidate. Such an environmental variable may usually be left to its default value, but it can also have an arbitrary value. Such an arbitrary value can be entered as input to the hash function. The output of the hash function is the actual key that will be used for the encryption and decryption of the payload.

So there you have it. Mass terrorization with absolutely no extra cost to the malware author.

Ugly. Nasty. Vicious. Disturbing. Sick.

About Dimitrios Kalemis

I am a systems engineer specializing in Microsoft products and technologies. I am also an author. Please visit my blog to see the blog posts I have written, the books I have written and the applications I have created. I definitely recommend my blog posts under the category "Management", all my books and all my applications. I believe that you will find them interesting and useful. I am in the process of writing more blog posts and books, so please visit my blog from time to time to see what I come up with next. I am also active on other sites; links to those you can find in the "About me" page of my blog.
This entry was posted in Security. Bookmark the permalink.