Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Snowy

Re: Can YOU Crack The Gauss Uber-Virus Encryption?

Nope, you prove they don't, since it's your game..and I'm not playing that you think they do...you are just grabbing at straws.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by Name Game:

Nope, you prove they don't, since it's your game..and I'm not playing that you think they do...you are just grabbing at straws.

Have it your way.
I've sent this email
Date: Thu, 16 Aug 2012 11:07:17 -1000
"Hello,
I've been informed that Panda currently does not offer AV protection to customers in Lebanon or Iran.
Is that an accurate statement?"

to
customeradvocate-at-pandasecurity.com
I'll post up any/all replies I receive.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Try: do they have sales, and how many...then ask why they can't or don't id Gauss at this point in time...you are still on a general fishing expedition trying to twist words in an area you either refuse to understand or are just too lazy to read info about Gauss on your own so you can talk your point.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by Name Game:

Try: do they have sales, and how many...then ask why they can't or don't id Gauss at this point in time...you are still on a general fishing expedition trying to twist words in an area you either refuse to understand or are just too lazy to read info about Gauss on your own so you can talk your point.

hehe, you accuse me of 'grabbing at straws, being on a fishing expedition etc...' when it's actually you that's looking desperate by asking me to disprove what you're saying is fact.
The onus is on the person making the statement to back it up with fact, rather than requiring the person that doubts the factual basis of the original statement to 'disprove' it.
That's how adults agree to disagree over a statement.
PS: I haven't even received an auto reply from customeradvocate-at-pandasecurity.com, but I'll stay on top of it & see this question brought to a factual conclusion & post it up here.
Meanwhile - there's nothing constructive happening here, later.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to FF4m3

The Mystery of the Encrypted Gauss Payload

»www.securelist.com/en/blog/20819···_Payload



norwegian
Premium
join:2005-02-15
Outback


In the read, it means a character "~". I thought of file shares, but that is "$". Can anyone highlight what the "~" is again? Was it deleted files or something similar..... I just can't put my finger on it.



KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to FF4m3

What makes these researchers think anyone in the world can crack the encryption? If anyone is successful they will surely be famous (and probably win a Fields Medal in mathematics).



norwegian
Premium
join:2005-02-15
Outback

I don't think it's specific to cracking the encryption as such, it is about analysis.

They know there is a reference for this packet to %programfiles%, and they know the code designated to this references higher than 0x007A.

They have tried thousands of program names but with no luck, so they need help, and hopefully someone will pick up something simple they have overlooked, or something technical; let's not bash on words.
Once they know those specifics the encrypted payload isn't needed to understand targeting.

quote:
1. Make a list of all entries from GetEnvironmentVariableW(“Path”), split by separator “;”
2. Append the list with all entries returned by FindFirstFileW / FindNextFileW by mask “%PROGRAMFILES%\*”, where cFileName[0] > 0x007A (UNICODE ‘z’)

Note: in essence, this means the specific program which is installed in “%PROGRAMFILES%” has a name which starts either with a special char such as “~”, as in our example, or uses a Unicode special char table, such as Arabic or Hebrew, where all chars are higher than 0x007A.
On a side note SSL for me is broken at the moment, I wonder if it is the A/V cert (turned off), or something else has affected SSL transmissions at present?

Oh well off we go, 7 dwarfs in a row.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
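The two quoted steps, worked through on a constructed PATH value and a constructed %PROGRAMFILES% listing. This is an added example, not code from the thread or from Kaspersky's report; the function names and sample inputs are assumptions made here, and the filter also shows which kinds of first characters (e.g. "~", "{", accented Latin, Arabic) fall above 0x007A and which do not.

```python
# Added example for the quoted candidate-list rule; not code from the thread
# or from Kaspersky. Function names, inputs and anything beyond the two quoted
# steps are assumptions made here for illustration.
from typing import List

UNICODE_Z = 0x007A  # 'z'; the rule keeps names whose first UTF-16 unit is above it


def first_char_above_z(name: str) -> bool:
    """cFileName[0] > 0x007A: true for '~', '{', '|', '}', accented Latin,
    Arabic, Hebrew, etc.; false for plain ASCII letters, digits and ''."""
    return bool(name) and ord(name[0]) > UNICODE_Z


def path_entries(path_value: str) -> List[str]:
    """Step 1: split GetEnvironmentVariableW("Path") on ';' (empty parts dropped)."""
    return [p for p in path_value.split(";") if p]


def programfiles_entries(dir_names: List[str]) -> List[str]:
    """Step 2: from a FindFirstFileW/FindNextFileW listing of %PROGRAMFILES%\\*,
    keep only the entries whose first character is above 'z'."""
    return [n for n in dir_names if first_char_above_z(n)]


def candidate_list(path_value: str, dir_names: List[str]) -> List[str]:
    """The list the quoted steps produce: PATH entries, then the filtered names."""
    return path_entries(path_value) + programfiles_entries(dir_names)


# Constructed sample input (not data from any real system).
SAMPLE_PATH = r"C:\Windows\system32;C:\Windows;;C:\Program Files\Tool"
SAMPLE_PROGRAMFILES = [
    "~Utility",       # '~' is U+007E: qualifies (the report's own example)
    "zebra",          # 'z' is U+007A: not strictly above, does not qualify
    "Common Files",   # plain ASCII letter: does not qualify
    "{Braces}",       # '{' is U+007B: qualifies
    "\u00C9diteur",   # 'É' is U+00C9: qualifies
    "\u0628\u0631\u0646\u0627\u0645\u062C",  # Arabic letters: qualify
]

if __name__ == "__main__":
    for name in SAMPLE_PROGRAMFILES:
        verdict = "qualifies" if first_char_above_z(name) else "skipped"
        print(f"{name!r:32} first char U+{ord(name[0]):04X}  {verdict}")
    print(candidate_list(SAMPLE_PATH, SAMPLE_PROGRAMFILES))
```

Running step 2 over your own Program Files listing shows whether any entry on your machine would satisfy the condition the report describes.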



Spy
Premium
join:2001-09-22
NE
reply to FF4m3

I would never be able to crack that code in a million years.



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to FF4m3

Wouldn't it be a trip if the "encrypted payload" turned out to be purely random code and everything else was just a semi-functional fake, designed to merely infect and occupy the attention of everyone while the 'real deal' was off somewhere else, quietly doing its business in some other way...?
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775



Spy
Premium
join:2001-09-22
NE
reply to FF4m3

Come on, I cracked it already, stop posting here.



Rocky67
Pencil Neck Geek
Premium
join:2005-01-13
Orange, CA
reply to Blackbird

said by Blackbird:

Wouldn't it be a trip if the "encrypted payload" turned out to be purely random code and everything else was just a semi-functional fake, designed to merely infect and occupy the attention of everyone while the 'real deal' was off somewhere else, quietly doing its business in some other way...?

Yes, it would. It's a classic form of deception.
--
Panic is the new patriotism


norwegian
Premium
join:2005-02-15
Outback

said by Rocky67:

said by Blackbird:

Wouldn't it be a trip if the "encrypted payload" turned out to be purely random code and everything else was just a semi-functional fake, designed to merely infect and occupy the attention of everyone while the 'real deal' was off somewhere else, quietly doing its business in some other way...?

Yes, it would. It's a classic form of deception.

What, you mean like this »Saudi oil giant seals off network : mystery malware attack
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Spy
Premium
join:2001-09-22
NE
reply to FF4m3

Someone has moderated what I have said here, as I am capable of doing based on the United States Constitution...I didn't use any swear words...Shall this site be shut down for not abiding by the United States Government's Constitution...Should this be considered a terrorist site from now on and be shut down?



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

said by Spy:

Someone has moderated what I have said here, as I am capable of doing based on the United States Constitution...I didn't use any swear words...Shall this site be shut down for not abiding by the United States Government's Constitution...Should this be considered a terrorist site from now on and be shut down?

I get posts whacked all the time..not a big thing and I never ask why..just take it in stride and have a great day.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Spy
Premium
join:2001-09-22
NE

said by Name Game:

said by Spy:

Someone has moderated what I have said here, as I am capable of doing based on the United States Constitution...I didn't use any swear words...Shall this site be shut down for not abiding by the United States Government's Constitution...Should this be considered a terrorist site from now on and be shut down?

I get posts whacked all the time..not a big thing and I never ask why..just take it in stride and have a great day.

Thank you Name Game, you're all right. But I'm going to let every Government Agency in the United States see what's happening here. It's just my job. I want them to see sites that break our earned rights in this country by our constitution. They don't like people breaking the law.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation


(So-youre-getting-your-posts-deleted-Tell-me-how-it-feels-that-no-one-cares..jpg)
If it's the three letter guys..they are all busy getting microchip implants so they can ride the Metro for Free.


Spy
Premium
join:2001-09-22
NE

yeah, but not this guy..He's looking for people who don't like him.


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to Spy

said by Spy:

said by Name Game:

said by Spy:

Someone has moderated what I have said here, as I am capable of doing based on the United States Constitution...I didn't use any swear words...Shall this site be shut down for not abiding by the United States Government's Constitution...Should this be considered a terrorist site from now on and be shut down?

I get posts whacked all the time..not a big thing and I never ask why..just take it in stride and have a great day.

Thank you Name Game, you're all right. But I'm going to let every Government Agency in the United States see what's happening here. It's just my job. I want them to see sites that break our earned rights in this country by our constitution. They don't like people breaking the law.

Not sure if srs or not, but you do know that the First Amendment only applies to government suppression of speech. A private entity can filter whatever it wants.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
reply to Snowy

Re: Can YOU Crack The Gauss Uber-Virus Encryption?

As of about 12 hours ago, according to VirusTotal, Panda can now id Gauss and they call it trj/Gauss.A, but according to their site none of their customers have reported it as an infection. I would assume they got a sig/copy of it from the usual sharing source between AV companies..and it seems Gauss has all but disappeared from the wild..very low priority and a flash in the pan. Since it was put out to "intercept passwords, steal computer system configuration information and access credential information for banks located in the Middle East", I am not surprised.

Whether Panda can clean it off an infected system..I guess no one will ever know.



norwegian
Premium
join:2005-02-15
Outback

1 edit

At the bottom of the initial link posted by FF4m3 here on page 2 there is a tool to test and see if your system meets the needs of this malware. As I can't post a link to an .exe, you will have to go look for it yourself. Look for the post by lightswitch05 on 2012 Aug 18, 00:48.

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Already read that before..US officials like to "racial profile"..they even have a hit list.



norwegian
Premium
join:2005-02-15
Outback

2 edits

Bit off topic, but I think you're right. Edited that part now, it seems a little far fetched.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

said by norwegian:

Bit off topic, but I think you're right. Edited that part now, it seems a little far fetched.

glad you finally made up your mind..was tongue in cheek in any case.

Gauss was a targeted attack..for a very good reason and it gave results of criminal activity that all of us would want to stop. Just happened to be in that part of the world. I am happy that when it was out there gathering the info..no AV could id or clean it off.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to norwegian

BTW..I also wondered if that stuff in Gauss no one seems to be able to figure out..has to do with this..

»Prime-factoring quantum computing makes encryption obsolete

The US govt might be there already with uber stuff.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



norwegian
Premium
join:2005-02-15
Outback

1 recommendation

reply to FF4m3

Oops.

»arstechnica.com/security/2012/08···g-flame/

Because of incorrect research contained in the original report, this article previously misidentified a command and control server that was being accessed by computers infected by the Gauss espionage malware. Contrary to that report, the server is operated by researchers with antivirus provider Kaspersky Lab. Such "sinkholes" are used to disrupt computer botnets by preventing infected machines from reporting to malicious servers under the control of the malware operator.


--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke