FF4m3

Can YOU Crack The Gauss Uber-Virus Encryption?

From The Register:

Antivirus experts have called on cryptographers and other clever bods for help after admitting they are no closer to figuring out the main purpose of the newly discovered Gauss supervirus.

“The purpose and functions of the encrypted payload currently remain a mystery,” explained Aleks Gostev, chief security expert at Kaspersky Lab. “The use of cryptography and the precautions the authors have used to hide this payload indicate its targets are high profile. The size of the payload is also a concern. It’s big enough to contain coding that could be used for cyber-sabotage, similar to Stuxnet’s SCADA [industrial machine controller] code. Decrypting the payload will provide a better understanding of its overall objective and the nature of this threat.”

Antivirus experts at the Russian security outfit launched an appeal today for anyone with an interest in cryptography, reverse engineering or mathematics to help find the decryption keys and unlock the hidden payload. More details and a technical description of the problem are available in a blog post here.



siljaline

Some AV vendors have Gauss detection in place



jaykaykay

ESET seems to be the only one listed. Do you happen to know if others have caught up and added Gauss to their repertoire and what they might be?



Name Game
reply to siljaline

said by siljaline:

Some AV vendors have Gauss detection in place

Gauss won't start if it finds Kaspersky, GData, F-Secure or ZoneAlarm. But what are gsava.exe, gssm32.exe and abcd.exe? pic.twitter.com/b9aL8rEQ

»Gauss: Nation-state cyber-surveillance meets banking Trojan


siljaline

I don't know what your graph represents, but I can say with some certainty that ESET does protect from Gauss.

There are stand-alone removal tools floating around that I know of, but this malware requires a full-bore AV to detect and fully remove.



Name Game

That is not a graph, it is the names of AVs and their .exe files..when Gauss sees them installed on a PC...it backs off and will not infect your PC or system just because they are present...and it is built into Gauss to do that..now do you understand?

That is why I also posted...Gauss won't start if it finds Kaspersky, GData, F-Secure or ZoneAlarm.

Your other comment is wrong.



Name Game
reply to FF4m3

Mikko Hypponen, chief research officer of Finnish security firm F-Secure, noted that "Gauss won't start if it finds Kaspersky, GData, F-Secure or ZoneAlarm" on a system, according to an array of filenames that the malware checks for.

»www.securitynewsdaily.com/2159-g···ion.html


Name Game
reply to FF4m3

To detect Gauss on your system just go to these sites in the first link below...it is easy to detect....and the sites will let you know immediately since...

"Both CrySys and Kaspersky sniff out Gauss by looking for a custom-built font, dubbed "Palida Narrow," that the malware adds to infected machines.

CrySys first posted a detection tool that relied on the Palida Narrow strategy; Kaspersky took the same approach, but simplified it by inserting an IFRAME element into a Web page. The IFRAME uses JavaScript to check for the presence of the font."

http://www.computerworld.com/s/article/9230170/Security_experts_push_free_Gauss_detection_tools

And for removal..Bit Defender has a good tool and there are others out there...

http://www.bitdefender.com/news/gauss-removal-tool-powered-by-bitdefender-2556.html
--
Gladiator Security Forum
http://www.gladiator-antivirus.com/
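The font-presence check the quoted passage describes, as an added example that is not code from this thread, from Kaspersky or from CrySyS: a probe string is measured once with only a generic fallback family and once with the suspect font placed ahead of that fallback; if the browser substitutes the fallback (font absent) the widths match, and if the named font is really installed they differ. The Canvas measurer, the `fakeMeasurer` used to run it offline, and the width values it returns are constructed assumptions.

```javascript
// Added example (not from the thread, Kaspersky or CrySyS): width-comparison
// font detection, generalised to any font name. `measure(fontFamily)` must
// return the rendered width of PROBE_TEXT for a CSS font-family stack.

const PROBE_TEXT = "mmmmmmmmmmlli"; // wide and narrow glyphs amplify metric differences
const FALLBACKS = ["monospace", "sans-serif", "serif"];

// Core check. A single fallback can give a false negative when the suspect
// font happens to match its metrics, so every generic family is tried and
// any width difference counts as "installed".
function isFontInstalled(fontName, measure) {
  return FALLBACKS.some((fallback) => {
    const baseline = measure(fallback);
    const probed = measure(`"${fontName}", ${fallback}`);
    return baseline !== probed;
  });
}

// Browser measurer built on the Canvas 2D API; only usable where `document` exists.
function canvasMeasurer(sizePx = 72) {
  const ctx = document.createElement("canvas").getContext("2d");
  return (fontFamily) => {
    ctx.font = `${sizePx}px ${fontFamily}`;
    return ctx.measureText(PROBE_TEXT).width;
  };
}

// Constructed offline stand-in for a browser: `installed` lists the named fonts
// this fake machine has; widths are invented fixed values per family.
function fakeMeasurer(installed) {
  const widths = { monospace: 1000, "sans-serif": 820, serif: 790, "Palida Narrow": 610 };
  return (fontFamily) => {
    // Emulate CSS font-family resolution: the first available family wins.
    const families = fontFamily.split(",").map((f) => f.trim().replace(/^"|"$/g, ""));
    for (const f of families) {
      if (f in widths && (installed.includes(f) || FALLBACKS.includes(f))) return widths[f];
    }
    return widths.serif; // browser's last-resort default
  };
}

// Convenience wrapper: does a fake machine with these fonts look infected?
function checkMachine(installed, fontName = "Palida Narrow") {
  return isFontInstalled(fontName, fakeMeasurer(installed));
}

if (typeof document !== "undefined") {
  // In a real browser, run the same check against the actual font list.
  console.log("Palida Narrow present:", isFontInstalled("Palida Narrow", canvasMeasurer()));
}
```

The same function works for any font name, so a defender can reuse it for other marker fonts; the Palida Narrow case is just the one this thread discusses.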


siljaline
reply to Name Game

My other comment, that there are stand-alone tools to remove Gauss? I've yet to see one that works.



siljaline
reply to FF4m3

Researchers Seek Help Cracking Gauss Mystery Payload

The Mystery of the Encrypted Gauss Payload

Gauss malware - What you need to know

Kaspersky Lab Needs Help Decrypting Gauss

Researchers seek help decoding "encrypted warhead"



Name Game
reply to siljaline

Trojan.Gauss.Spy.Gen Removal Tool 2.2.0.6

said by siljaline:

My other comment, that there are stand-alone tools to remove Gauss? I've yet to see one that works.

Which ones have you tried?

Also..

Kaspersky updated its free Virus Removal Tool 2011 to deal with Gauss.
»support.kaspersky.com/viruses/av···?level=2

They call it "setup_11.0.0.1245.x01_2012_08_13_13_37.exe" and updated it on Aug 13, 2012.

windaz
reply to jaykaykay

Symantec products detect it »www.symantec.com/connect/blogs/c···w32gauss



siljaline
reply to Name Game

Nope, ain't gonna be running anything non ESET.

I've used ESET's ESET Rogue Application Remover with some success.

As cited elsewhere, ESET detects Gauss, anyway.



Name Game

said by siljaline:

Nope, ain't gonna be running anything non ESET.

I've used ESET's ESET Rogue Application Remover with some success.

As cited elsewhere, ESET detects Gauss, anyway.

guess you don't have a copy of the badboy to test then...oh well..it just reminded me of some years ago here at dslr when I started praising the Panda removal tools and many of the self styled security gurus and even wildcatboy took me to task on their standalones. I told them they were good tools..I had even tested them..and besides they cleaned in the "MSDOS" mode and did a very clean job...no reboot needed.

In the end many people then used the tools from panda..and for years we even had a direct link at the top of this forum to download them.

Glad you like your ESET tool..did it clean all the Gauss for you? Glad ESET cleans this one..since Gauss won't back off and not install if you are running it.


norwegian

You should know by now siljaline is pro ESET. Any time there is a new big nasty, it is all ESET. We get called fanboyz for being one-eyed and narrow minded; it doesn't help the users out there looking for info......you will have to just get used to the new ESET clan, better late than never, as it was a lot better program once; but then we say that about a lot of A/Vs over time.



owlyn
reply to FF4m3

From Norton:

Discovered:
August 9, 2012
Updated:
August 15, 2012 2:40:23 AM
Also Known As:
TSPY_GAUSS.A [Trend]
Type:
Worm
Infection Length:
Varies
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Gauss is a worm that opens a back door and collects confidential information from the compromised computer.

Antivirus Protection Dates

Initial Rapid Release version August 9, 2012 revision 016
Latest Rapid Release version August 9, 2012 revision 039
Initial Daily Certified version August 9, 2012 revision 018
Latest Daily Certified version August 10, 2012 revision 001
Initial Weekly Certified release date August 15, 2012

Threat Assessment
Wild

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

Damage

Damage Level: Medium
Payload: Opens a back door.
Releases Confidential Info: Steals system information, browser history, passwords, and cookies.

Distribution

Distribution Level: Low
Shared Drives: Spreads through removable drives.

When the worm is executed, it creates the following files:

%System%\wbem\wmihlp32.dll
%System%\wbem\wmiqry32.dll
%System%\dskapi.ocx
%System%\winshell.ocx
%System%\devwiz.ocx
%System%\lanhlp32.ocx
%System%\mcdmn.ocx
%System%\smdk.ocx
%System%\windig.ocx
%UserProfile%\Local Settings\Temp\~shw.tmp
%UserProfile%\Local Settings\Temp\~gdl.tmp
%UserProfile%\Local Settings\Temp\~mdk.tmp
%Temp%\s61cs3.dat
%Temp%\~ZM6AD3.tmp
%System%\fonts\pldnrfn.ttf
%Temp%\ws1bin.dat

The worm creates the following registry entries:

HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\"(Default)" = "wbemsvc.dll"
HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\"(Default)" = "wmihlp32.dll"

The worm is modular and has the following functionalities and components:

Loads other components and contains connection functionality (%System%\wbem\wmiqry32.ocx, %system32%\wbem\wmihlp32.ocx)
Collects hardware information about the CMOS and the BIOS (%System%\devwiz.ocx)
Spreads through removable drives and collects removable drive information (%System%\dskapi.ocx, contains 32 and 64-bit components)
Collects network related information (%System%\lanhlp32.ocx)
Collects information about the user domain (%System%\mcdmn.ocx)
Collects information on computer drives (%System%\smdk.ocx)
Installs a custom Palida Narrow font (%System%\windig.ocx)
Collects browser and cookie information from Firefox and Internet Explorer (%System%\winshell.ocx)

The worm steals the following from Internet Explorer:

Browsing history
Passwords
Text in data fields from loaded pages

The worm installs its own Firefox plugin that performs the following actions:

Extracts browsing history
Extracts passwords
Extracts cookies

The worm (%System%\winshell.ocx) searches for cookies from the following list:

maktoob
ebay
hotmail
gmail
facebook
amazon
creditlibanais
yahoo
fransabank
citibank
byblosbank
blombank
eblf
bankofbeirut
americanexpress
aisa
eurocard
mastercard
paypal

Note: Collected cookies are encrypted and saved to:
%Temp%\ws1bin.dat

The worm is associated with the following command-and-control servers:



dwomack
reply to FF4m3

It looks like a majority of AV vendors already detect it:

»www.virustotal.com/file/5198c225···nalysis/

So far it seems to only be directed at the Middle East but why wait for it to hit elsewhere before creating tools and/or methods to clean it?



jaykaykay
reply to windaz

Kind of a shame that so few have figured out how to do and include it.

Guess many more cover it than I knew.



siljaline
reply to norwegian

I am an ESET user and do ESET support at Wilders, as many know, norwegian. That's not to say ESET is the end-all of A/Vs.
Simply because ESET detects Gauss while others don't, or I am not aware of it, does not qualify me as an ESET fanboy.



Name Game

Exactly..you like what you got and are happy with it. But many others detected and cleaned Gauss even before it was a glint in ESET's eye..that is a fact.



Spy
reply to FF4m3

I can crack it in 20 seconds or less. And if not less than 20 seconds maybe less than 10. And if not less than 10, I'll run the nyc marathon.



Blackbird
reply to Name Game

said by Name Game:

..."Both CrySys and Kaspersky sniff out Gauss by looking for a custom-built font, dubbed "Palida Narrow," that the malware adds to infected machines.

CrySys first posted a detection tool that relied on the Palida Narrow strategy; Kaspersky took the same approach, but simplified it by inserting an IFRAME element into a Web page. The IFRAME uses JavaScript to check for the presence of the font."

Puzzling. Why would a piece of malware go to such lengths of encryption and avoidance of certain specific AVs, but at the same time install a readily-detectable font (Palida Narrow) that immediately can betray its presence to any AV or the user? Although placing the font on an infected system probably makes the malware's presence more readily detectable remotely at infected websites run by the malware authors, it undercuts part of the point of the encryption. Something still doesn't seem to quite match up...
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


siljaline
reply to Name Game

Perfectly happy with what I have for an A/V



Name Game
reply to norwegian

said by norwegian:

You should know by now siljaline is pro ESET. Any time there is a new big nasty, it is all ESET. We get called fanboyz for being one-eyed and narrow minded; it doesn't help the users out there looking for info......you will have to just get used to the new ESET clan, better late than never, as it was a lot better program once; but then we say that about a lot of A/Vs over time.

Yes..well I have been a member of Wilder's since September 21st, 2002 under a different handle...as Security Expert..and I think it is a great forum..nice people..fair minded with the content..there is no fanboyz stuff that I see..forums are there for a purpose..laid out very well..and everyone is always helpful and courteous.


Snowy
reply to Name Game

said by Name Game:

In the end many people then used the tools from panda..and for years we even had a direct link at the top of this forum to download them.

Did you notice in dwomack's link
»www.virustotal.com/file/5198c225···nalysis/
that Panda Security 2 days, 22 hours ago analyzed the file as not malicious.
A rescan by Panda Security 4 hours, 9 minutes ago
shows that Panda Security is still giving the file a green light.
»www.virustotal.com/file/d5491b23···nalysis/

Thinking that maybe it's a VirusTotal glitch, a site search of Panda Security produces "No results found"
»www.pandasecurity.com/usa/search···uss.smdk

My point is that you cannot say one AV is better or worse than another because of its detection of a single file.
It takes a full analysis to accurately determine on average how more or less an AV sucks in relative terms.
e.g.,
My AV is better than yours
is more accurately
"My AV sucks less than yours"


norwegian
reply to siljaline

said by siljaline:

I am an ESET user and do ESET support at Wilders, as many know, norwegian. That's not to say ESET is the end-all of A/Vs.
Simply because ESET detects Gauss while others don't, or I am not aware of it, does not qualify me as an ESET fanboy.

I know; you just have to be careful, when gluing yourself to a product, that you don't get caught out thinking everything is fine.

There have been plenty in the past, called astroturfers, fanboys etc., plugging products beyond just helping people.

Suggesting ESET is doing the job, NameGame has pointed items out to you just so you are aware, and Snowy has a good way of expressing what can or cannot happen. I don't think any of the A/Vs yet fully understand this malware, so to suggest you are protected is still a little premature.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Name Game
reply to Snowy

And you think what I posted about Panda stand-alone clean tools that were available back in 2001 has anything to do with Gauss or what Panda Cloud Security can detect today...come on..couldn't care less which product detects any badboy...stopped using AVs long ago. A standalone cleaner Panda put out back then was for a specific virus/trojan and they worked..even when all the AVs could not stop or clean the same badboy...just like the Bitdefender standalone tool for Gauss..and that was the issue.

Not the detection rate of anyone's product today.

And I don't see in this thread that siljaline even said ESET was the best..
Do you?

BTW..even today..our dslr security forum has those panda tools listed with an outside link on the main page
»www.pandasecurity.com/homeusers/···lities/?

no one really needs them anymore..so do you think then dslr security forum promotes or is a fanboy of panda tools ?



Name Game
reply to owlyn

Hi Owlyn,

That stuff from Norton is OK..but if anyone wants to know everything about Gauss..this link is the best..

»www.securelist.com/en/analysis/2···ibution/


windaz
reply to Snowy

And just because it is not detected at VirusTotal does not mean it won't be detected/protected against on your computer.

AV Comparative Analyses, Marketing, and VirusTotal: A Bad Combination



Name Game

said by windaz:

And just because it is not detected at VirusTotal does not mean it won't be detected/protected against on your computer.

AV Comparative Analyses, Marketing, and VirusTotal: A Bad Combination

Well we went through all that stuff at Wilders and even here at dslr years ago...so you do realize what you posted is stuff from 16 abril 2007, or for the yanks and others 16 April 2007, and does not apply anymore unless you are a fanboy of one or the other testing groups.. But I agree to an extent..but knowing Panda's market..and the targeted push of Gauss to a specific region of the world..I doubt they (Panda) are concerned about this one..only 2500 peps infected so far...so this is not a rabid dog trying to spread all over the world. I would not be either, understanding the vector of infection that Gauss uses..it's just getting high profile security media news coverage..because of the family it is classified in.

Now if this Gauss thingie starts going after things that are important..I am sure everyone will wake up...

»www.youtube.com/watch?v=iD-KExRW···&list=UL

