
Spy
Premium
join:2001-09-22
NE
reply to FF4m3

Re: Can YOU Crack The Gauss Uber-Virus Encryption?

I can crack it in 20 seconds or less. And if not less than 20 seconds maybe less than 10. And if not less than 10, I'll run the nyc marathon.



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 recommendation

reply to Name Game

said by Name Game:

..."Both CrySys and Kaspersky sniff out Gauss by looking for a custom-built font, dubbed "Palida Narrow," that the malware adds to infected machines.

CrySys first posted a detection tool that relied on the Palida Narrow strategy; Kaspersky took the same approach, but simplified it by inserting an IFRAME element into a Web page. The IFRAME uses JavaScript to check for the presence of the font."

Puzzling. Why would a piece of malware go to such lengths of encryption and avoidance of certain specific AVs, but at the same time install a readily-detectable font (Palida Narrow) that immediately can betray its presence to any AV or the user? Although placing the font on an infected system probably makes the malware's presence more readily detectable remotely at infected websites run by the malware authors, it undercuts part of the point of the encryption. Something still doesn't seem to quite match up...
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to Name Game

Perfectly happy with what I have for an A/V



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

reply to norwegian

said by norwegian:

You should know by now siljaline is pro ESET. Any time there is a new big nasty, it is all ESET. We get called fanboyz for being one-eyed and narrow minded; it doesn't help the users out there looking for info......you will have to just get used to the new ESET clan, better late than never, as it was a lot better program once; but then we say that about a lot of A/V's over time.

Yes..well I have been a member of Wilder's since September 21st, 2002 under a different handle...as Security Expert..and I think it is a great forum..nice people..fair minded with the content..there is no fanboyz stuff that I see..forums are there for a purpose..laid out very well..and everyone is always helpful and courteous.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to Name Game

said by Name Game:

In the end many people then used the tools from panda..and for years we even had a direct link at the top of this forum to download them.

Did you notice in dwomack's link
»www.virustotal.com/file/5198c225···nalysis/
that Panda Security 2 days, 22 hours ago analyzed the file as not malicious.
A rescan by Panda Security 4 hours, 9 minutes ago
shows that Panda Security is still giving the file a green light.
»www.virustotal.com/file/d5491b23···nalysis/

Thinking that maybe it's a virustotal glitch a site search of Panda Security produces "No results found"
»www.pandasecurity.com/usa/search···uss.smdk

My point is that you cannot say one AV is better or worse than another because of its detection of a single file.
It takes a full analysis to accurately determine on average how much more or less an AV sucks in relative terms.
e.g.,
My AV is better than yours
is more accurately
"My AV sucks less than yours"


norwegian
Premium
join:2005-02-15
Outback
reply to siljaline

said by siljaline:

I am an ESET user and do ESET support at Wilders as many know, norwegian. That's not to say ESET is the end-all of A/V's.
Simply because ESET detects Gauss while others don't or I am not aware of does not qualify me as an ESET fanboy

I know, you just have to be careful when gluing yourself to a product you don't get caught out thinking everything is fine.

There have been plenty in the past called astroturfers, fanboys etc, plugging products beyond just helping people.

Suggesting ESET is doing the job, NameGame has pointed items out to you just so you are aware, and Snowy has a good way of expressing what can or cannot happen. I don't think any of the A/V's fully understand this malware yet, so to suggest you are protected is still a little premature.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit

1 recommendation

reply to Snowy

And you think what I posted about Panda stand-alone clean tools that were available back in 2001 has anything to do with Gauss or what Panda Cloud Security can detect today...come on..could care less which product detects any badboy...stopped using AV's long ago. A standalone cleaner Panda put out back then was for a specific virus/trojan and they worked.. even when all the AV's could not stop or clean the same badboy...just like the BitDefender standalone tool for Gauss..and that was the issue.

Not the detection rate of anyones product today.

And I don't see in this thread that siljaline even said ESET was the best..
Do you?

BTW..even today..our dslr security forum has those panda tools listed with an outside link on the main page
»www.pandasecurity.com/homeusers/···lities/?

no one really needs them anymore..so do you think then dslr security forum promotes or is a fanboy of panda tools ?

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to owlyn

Hi Owlyn,

That stuff from Norton is OK..but if anyone wants to know everything about Gauss..this link is the best..

»www.securelist.com/en/analysis/2···ibution/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


windaz

join:2010-09-23
reply to Snowy

And just because it is not detected at VirusTotal does not mean it won't be detected/protected against on your computer.

AV Comparative Analyses, Marketing, and VirusTotal: A Bad Combination



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits

said by windaz:

And just because it is not detected at VirusTotal does not mean it won't be detected/protected against on your computer.

AV Comparative Analyses, Marketing, and VirusTotal: A Bad Combination

Well we went through all that stuff at Wilders and even here at dslr years ago...so you do realize what you posted is stuff from 16 abril 2007 or for the yanks and others 16 April 2007 and does not apply anymore unless you are a fanboy of one or the other testing groups.. But I agree to an extent..but knowing Panda's market..and the targeted push of Gauss to a specific region of the world..I doubt they (Panda) are concerned about this one..only 2500 peps infected so far...so this is not a rabid dog trying to spread all over the world. I would not be either, understanding the vector of infection that Gauss uses..it's just getting high profile security media news coverage..because of the family it is classified in.

Now if this Gauss thingie starts going after things that are important..I am sure everyone will wake up...

»www.youtube.com/watch?v=iD-KExRW···&list=UL


--
Gladiator Security Forum
»www.gladiator-antivirus.com/

windaz

join:2010-09-23

They still state the same in the FAQ. »www.virustotal.com/faq/



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

Ok..and I see Panda really has no concern at the moment for Gauss spy stuff.

»www.pandasecurity.com/homeusers/···ty-info/



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to Name Game

said by Name Game:

And I don't see in this thread that siljaline even said ESET was the best..
Do you?

If I wasn't paying attention I might have even believed that I said something like that.
But since you asked NO, to the contrary I saw siljaline go out of his way to specifically say the opposite.
Here's the quote just in case you missed it.
said by siljaline:

I am an ESET user and do ESET support at Wilders as many know, norwegian. That's not to say ESET is the end-all of A/V's.
Simply because ESET detects Gauss while others don't or I am not aware of does not qualify me as an ESET fanboy

If there's anyone talking about ESET being better or worse than other AV's in this thread it's YOU!
said by Name Game:

exactly..you like what you got and are happy with it. But many others detected and cleaned Gauss even before it was a glint in ESET's eye..that is a fact.

Anyway, why beat around the bush?
said by Name Game:

but knowing Panda's market..and the targeted push of Gauss to a specific region of the world..I doubt they (Panda) are concerned about this one..only 2500 peps infected so far...so this is not a rabid dog trying to spread all over the world. I would not be either, understanding the vector of infection that Gauss uses..it's just getting high profile security media news coverage..because of the family it is classified in.

Now if this Gauss thingie starts going after things that are important..I am sure everyone will wake up...

I doubt guarantee Panda Security does not endorse the ethnic profiling you've attributed them.
I'd rather have an AV be unaware of a threat than have an AV be aware but decide on the basis of race or nationality of the intended targets to not offer protection from it.
But that's just me the head of a multiracial, multicultural family speaking.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit

ethnic profiling ? you are some kind of a wacko stretching your imagination...and it is just you... no matter where you think you are coming from or where you want the thought to go.

Behold the map..

»www.pandasecurity.com/img/enc/infection.htm



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

For those who don't fully understand what this is about...

"Since late May 2012, more than 2,500 Gauss-related infections have been recorded by Kaspersky Lab’s cloud-based security system, with the majority of infections found in the Middle East. Many of these infections have appeared in Lebanon, the Palestinian Territories and Iran."
»www.theregister.co.uk/2012/08/14···payload/

As this 'wacko' sees it
"Now if this Gauss thingie starts going after things that are important..I am sure everyone will wake up..."
why do you believe it's not important for computer users in the Middle East to have the same protection as someone from North Myrtle Beach, SC??
You special or something or are Middle Easterners just less 'special' than you??
By definition that's national profiling.

btw, using cutesy little words such as 'thingie' doesn't make the message any more pretty or acceptable.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits

Because Panda has no sales there..so it is not important to them, and if you check their map and understand what parts of the world they still have offices or even affiliates in, you would understand.
They are not even back to what they were years ago..and maybe never will be...
»www.theregister.co.uk/2011/09/26···ob_cuts/
and 2500 worldwide total infections calculated by all the AV vendors out there..is not a major eye opener.

Go play your race card with another..your little game sucks.

Are you aware even the slightest how those 2500 got infected in the first place and what is the vector to get a machine infected ? What method was used ?

Might be a good idea to start reading
»www.securelist.com/en/analysis/2···ibution/

--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by Name Game:

Because Panda has no sales there..so it is not important to them...

Not that I actually agree your belittling remarks concerning who is & who isn't 'important' were limited to Panda Security but that's just my opinion.
But since you're the one that keeps saying
"Panda has no sales there..so it is not important to them..." - prove it.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to norwegian

I don't believe I stated anywhere that by using ESET you would be a happy camper and good to go.

Where you're digging the innuendo about Fanboy, product plug, etc, it's not via anything I said.

If you have an ESET issue, it's showing

ESET does detect Gauss, should I mail the CEO and reprimand him that they should remove the detection ?

I have some trouble following what Name Game says, the comments contain content that I have to read a few times to determine if they are an actual statement or a poke.

Snowy's comments are valued, balanced and welcome.

Nuff Said as far as I'm concerned. Geddit



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to Snowy

said by Snowy:

said by Name Game:

Because Panda has no sales there..so it is not important to them...

Not that I actually agree your belittling remarks concerning who is & who isn't 'important' were limited to Panda Security but that's just my opinion.
But since you're the one that keeps saying
"Panda has no sales there..so it is not important to them..." - prove it.

Prove they don't and go play straws with someone else..I am not your gopher..much less a pawn. You go fish.

Now if you have a bank account in Lebanon that this Gauss targets..then worry about Gauss and if someone can slip into your USB..watch out..or if you VPN with folks over there..hmm..other than that..your thoughts that this thing is going after an ethnic group are way off course..it's looking for trafficking and movement of funds in a geographical part of the world..and most likely has all the info it needs since it has been out there for a while..so most of this is post mortem.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by Name Game:

said by Snowy:

said by Name Game:

Because Panda has no sales there..so it is not important to them...

Not that I actually agree your belittling remarks concerning who is & who isn't 'important' were limited to Panda Security but that's just my opinion.
But since you're the one that keeps saying
"Panda has no sales there..so it is not important to them..." - prove it.

Prove they don't and go play straws with someone else..I am not your gopher..much less a pawn. You go fish.

I believe you meant to say
"Prove they do" not "Prove they don't"
See, you're the one saying Panda Security hasn't any customers in the Middle East, not me.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Nope, you prove they don't since it's your game..and I'm not playing that you think they do...you are just grabbing at straws.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by Name Game:

Nope, you prove they don't since it's your game..and I'm not playing that you think they do...you are just grabbing at straws.

Have it your way.
I've sent this email
Date: Thu, 16 Aug 2012 11:07:17 -1000
"Hello,
I've been informed that Panda currently does not offer AV protection to customers in Lebanon or Iran.
Is that an accurate statement?"

to
customeradvocate-at-pandasecurity.com
I'll post up any/all replies I receive.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Try "do they have sales and how many"...then ask why they can't or don't ID Gauss at this point in time ...you are still on a general fishing expedition trying to twist words in an area you either refuse to understand or are just too lazy to read info about Gauss on your own so you can talk your point.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by Name Game:

Try "do they have sales and how many"...then ask why they can't or don't ID Gauss at this point in time ...you are still on a general fishing expedition trying to twist words in an area you either refuse to understand or are just too lazy to read info about Gauss on your own so you can talk your point.

hehe, you accuse me of 'grabbing at straws, being on a fishing expedition etc...' when it's actually you that's looking desperate by asking me to disprove what you're saying is fact.
The onus is on the person making the statement to back it up with fact, rather than requiring the person that doubts the factual basis of the original statement to 'disprove' it.
That's how adults agree to disagree over a statement.
ps I haven't even received an auto reply from customeradvocate-at-pandasecurity.com but I'll stay on top of it & see this question brought to a factual conclusion & post it up here.
Meanwhile - there's nothing constructive happening here, later.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to FF4m3

The Mystery of the Encrypted Gauss Payload

»www.securelist.com/en/blog/20819···_Payload



norwegian
Premium
join:2005-02-15
Outback


In the read, it means a character "~", I thought of file shares but that is "$". Can anyone highlight what the "~" is again, was it deleted files or something similar.....I just can't put my finger on it.



KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to FF4m3

What makes these researchers think anyone in the world can crack the encryption? If anyone is successful they will surely be famous (and probably win a Fields Medal in mathematics).



norwegian
Premium
join:2005-02-15
Outback

I don't think it's specific to cracking the encryption as such, it is about analysis.

They know there is a reference for this packet to %programfiles%, they know the code designated to this references higher than 0x007A.

They have tried thousands of program names but with no luck, so they need help and hopefully someone will pick up something simple they have overlooked, or something technical, let's not bash on words.
Once they know those specifics the encrypted payload isn't needed to understand targeting.

quote:
1. Make a list of all entries from GetEnvironmentVariableW(“Path”), split by separator “;”
2. Append the list with all entries returned by FindFirstFileW / FindNextFileW by mask “%PROGRAMFILES%\*”, where cFileName[0] > 0x007A (UNICODE ‘z’)

Note: in essence, this means the specific program which is installed in “%PROGRAMFILES%” has a name which starts either with a special char such as “~”, as in our example, or uses an UNICODE special char table, such as Arabic or Hebrew, where all chars are higher than 0x007A.
On a side note SSL for me is broken at the moment, I wonder if it is the A/V cert (turned off), or something else has affected SSL transmissions at present?

Oh well off we go, 7 dwarfs in a row.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
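The two steps in the quoted Securelist write-up (split the Path variable on ";", then add every %PROGRAMFILES% entry whose first UTF-16 code unit is above 0x007A) are easy to get wrong at the boundary: "z" itself is 0x007A and is excluded, while "{", "~" and every Arabic or Hebrew letter qualify. The following is an added example, not code from the thread or from Kaspersky; it rebuilds that candidate list so an administrator can see which names on a given machine would fall into the selection. The function names and the sample Path string and directory names are constructed for the example.

```python
"""Rebuild the candidate-name list described in the quoted Gauss write-up.

Added example (not from the forum post or from Kaspersky). Inputs below are
constructed; the live-system helper is the only part that touches the OS.
"""
import os

THRESHOLD = 0x007A  # UNICODE 'z'; only names whose first code unit is strictly above this qualify


def candidates_from_path(path_value):
    """Step 1: split a Path-style string on ';', dropping empty entries.

    The write-up names ';' explicitly (the Windows separator), so it is used
    verbatim rather than os.pathsep.
    """
    return [entry for entry in path_value.split(";") if entry]


def candidates_from_programfiles(names):
    """Step 2: keep directory names whose first character is > 0x007A.

    Python indexes a str by code point; for BMP characters ('~', '{',
    Arabic, Hebrew) that is the same value as the UTF-16 unit the write-up
    compares (cFileName[0] > 0x007A).
    """
    return [name for name in names if name and ord(name[0]) > THRESHOLD]


def build_candidate_list(path_value, programfiles_names):
    """Path entries first, then the filtered %PROGRAMFILES% entries, as the write-up orders them."""
    return candidates_from_path(path_value) + candidates_from_programfiles(programfiles_names)


def audit_live_system():
    """Run the same selection against the current machine (meaningful on Windows only).

    Returns the names that would be selected so an administrator can see
    whether anything installed under %PROGRAMFILES% falls into the set.
    """
    program_files = os.environ.get("PROGRAMFILES")
    names = os.listdir(program_files) if program_files and os.path.isdir(program_files) else []
    return build_candidate_list(os.environ.get("PATH", ""), names)


# Constructed sample inputs: a Path with an empty entry, and a mix of ASCII,
# special-character and non-Latin directory names.
CONSTRUCTED_PATH = r"C:\Windows\system32;C:\Windows;;C:\Tools\bin"
CONSTRUCTED_PROGRAMFILES = [
    "Common Files",   # 'C' (0x43) -> excluded
    "~Secret",        # '~' (0x7E) -> selected, the write-up's own example
    "zlib",           # 'z' (0x7A) -> excluded: the comparison is strictly greater
    "{braces}",       # '{' (0x7B) -> selected
    "العربية",         # Arabic letter, well above 0x7A -> selected
    "עברית",          # Hebrew letter -> selected
    "Notepad++",      # 'N' -> excluded
]

if __name__ == "__main__":
    for candidate in build_candidate_list(CONSTRUCTED_PATH, CONSTRUCTED_PROGRAMFILES):
        print(candidate)
```

Running the module prints the three Path entries followed by the four selected directory names; calling `audit_live_system()` on a Windows host lists what the same rule would pick up there.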



Spy
Premium
join:2001-09-22
NE
reply to FF4m3

i would never be able to crack that code in a million years.



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to FF4m3

Wouldn't it be a trip if the "encrypted payload" turned out to be purely random code and everything else was just a semi-functional fake, designed to merely infect and occupy the attention of everyone while the 'real deal' was off somewhere else, quietly doing its business in some other way...?
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775