Slashdot: News for Nerds

New State-Sponsored Malware "Gauss" Making the Rounds

timothy posted about 2 years ago | from the just-in-the-neighborhood dept.

Security 106

EliSowash writes "A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to Kaspersky researchers. Gauss is a nation-state-sponsored banking Trojan which carries a warhead of unknown designation. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations. Just like Duqu was based on the 'Tilded' platform on which Stuxnet was developed, Gauss is based on the 'Flame' platform."


Yet another part of the world getting pissed off (-1, Offtopic)

Anonymous Coward | about 2 years ago | (#40935477)

I'M A LEBANESE
SON OF A BITCH AMERICAN
AMERICAN IS PIG
DO YOU WANT A HAMBURGER?
DO YOU WANT A PIZZA?
AMERICAN IS PIG DISGUSTING
GEORGE WALKER BUSH IS A MURDERER
FUCKING U.S.A

Re:Yet another part of the world getting pissed of (4, Funny)

Kenja (541830) | about 2 years ago | (#40935567)

I'M A LEBANESE

Pics or... wait, I misread that.

Re:Yet another part of the world getting pissed of (0)

Anonymous Coward | about 2 years ago | (#40935689)

I'M A LEBANESE

Pics or... wait, I misread that.

I just imagined some very very hairy large women .......*chokes back vomit*

Re:Yet another part of the world getting pissed of (1)

thmsdrew (2608605) | about 2 years ago | (#40944159)

I made that mistake verbally in 4th grade when I didn't really know what the word meant. There was a kid in our class from Lebanon. We were talking about how you can tell where a person is from by the shape of their skull or something, so we were all shouting out different nationalities. I shouted "Lesbian!" Haunts me to this day.

Re:Yet another part of the world getting pissed of (1)

bazald (886779) | about 2 years ago | (#40948335)

Yeah, the island of Lesbos isn't big enough to be considered a nation. Any 4th grader should know at least that much geography.

Names (1, Funny)

Anonymous Coward | about 2 years ago | (#40935483)

I want to name the next Malware Browncoat, because that is what Mal wears.

Re:Names (1)

CanHasDIY (1672858) | about 2 years ago | (#40935939)

*rimshot*

Re:Names (2)

MrSenile (759314) | about 2 years ago | (#40936453)

Yes, I believe he was hoping for a picture of that rim... oh shot...

Sorry. misread that.

FIRST! (-1)

Anonymous Coward | about 2 years ago | (#40935499)

First!

Re:FIRST! (-1)

Anonymous Coward | about 2 years ago | (#40935611)

Fail!

Re:FIRST! (-1)

Anonymous Coward | about 2 years ago | (#40935783)

Fuck!

Re:FIRST! (0)

Anonymous Coward | about 2 years ago | (#40936335)

Flailing!

Re:FIRST! (1, Funny)

SilentStaid (1474575) | about 2 years ago | (#40936971)

C-C-C-C-C-Combo Breaker!

was Re:FROSTY PISS! (0)

Anonymous Coward | about 2 years ago | (#40937499)

surely I will be successful this time!!!

Dirty money not "unknown" to state activites. (0)

Anonymous Coward | about 2 years ago | (#40935563)

Clandestine operation have plenty of use for unofficially raised funds. Remember Iran-Contra?

Re:Dirty money not "unknown" to state activites. (0)

CanHasDIY (1672858) | about 2 years ago | (#40936321)

Clandestine operation have plenty of use for unofficially raised funds. Remember Iran-Contra?

Here's a refresher [youtube.com] for those who don't.

So stupid it's got to be official. (4, Insightful)

MRe_nl (306212) | about 2 years ago | (#40935575)

Governments releasing digital weapons on the internet. Thanks for the R&D!
COPY/PASTE.

Re:So stupid it's got to be official. (1)

zlives (2009072) | about 2 years ago | (#40935649)

yes but when you use it you are a threat to national security/terrorist....
hmm wonder if copy/paste can be declared a wmd

Re:So stupid it's got to be official. (3, Interesting)

CanHasDIY (1672858) | about 2 years ago | (#40936019)

yes but when you use it you are a threat to national security/terrorist....

Unless you run a bank like HSBC.

Then you get a slap on the wrist and stern talkin' to. [bdnews24.com]

Gitmo is reserved for the proles; Party members need not concern themselves.

Re:So stupid it's got to be official. (4, Informative)

antonymous (828776) | about 2 years ago | (#40936373)

I know it's bad form to RTFA, but here's the part where they talk about their current inability to properly decrypt the payload:

The malware uses that configuration to generate a key to unlock the payload and unleash it. Once it finds the configuration it's looking for, it uses that configuration data to perform 10,000 iterations of MD5 to generate a 128-bit RC4 key, which is then used to decrypt the payload. "Unless you meet these specific requirements, you're not going to generate the right key to decrypt it," Schouwenberg says.

Re:So stupid it's got to be official. (1)

ceoyoyo (59147) | about 2 years ago | (#40936907)

Cool. So it just tries whatever configuration it finds itself on and, if it decrypts, bam. That's probably a useful little trick to remember.

Re:So stupid it's got to be official. (1)

Lehk228 (705449) | about 2 years ago | (#40937193)

Nifty trick, but overall near useless, except in cases where success is much less important than deniability (sp?). Fatal flaw is that the scan of configuration is plaintext and so potential targets can reflash their systems to read back slightly different configs (append "Penis" to version strings, etc.) and immunize themselves from the secret payload.

Re:So stupid it's got to be official. (1, Interesting)

ceoyoyo (59147) | about 2 years ago | (#40937381)

It takes time to develop and test an update and flash a system (not to mention money). Gauss is certainly time-limited, but that might be a feature. If you wanted to shut down Iranian centrifuges, for example, you could just send out a copy specific to those configurations. The Iranian centrifuge operators get attacked, realize they're the target (but nobody believes them), and spend time and money flashing their systems. Next week, Gauss2 comes out, same as last time but with "Penis" appended to the version strings it's looking for. Repeat. Good deniability, no collateral damage and annoying as hell to your target.

Re:So stupid it's got to be official. (1)

drkstr1 (2072368) | about 2 years ago | (#40939793)

But something doesn't add up there... If they can reverse engineer and spoof the configuration, why are they unable to decrypt the payload?

I was under the impression that if a system has the knowledge to decrypt something, and you have access to that system, you will be able to get to the protected data. If what you say is true, what else is preventing them from busting the crypto?

This certainly has my curiosity bone tickled.

Re:So stupid it's got to be official. (1)

blacklint (985235) | about 2 years ago | (#40941133)

Guessing they haven't figured out what that configuration is.

Re:So stupid it's got to be official. (1)

plover (150551) | about 2 years ago | (#40942397)

They can't decrypt it today because Kaspersky doesn't know who the target is, was, or what their configuration looks like.

Let's think about its predecessor, Stuxnet, for a minute. Stuxnet's authors made several big security mistakes. First they gave away a free copy of "How to attack Iranian nuclear centrifuge systems via SCADA vulnerabilities" to every script kiddy on the planet; plus, they essentially told Iran "it's you." They seriously underestimated the ability of various groups of people to disassemble their attacks. So they want to repeat as few of those mistakes as possible.

Like Stuxnet before it, Gauss discovers some facts about the configuration of the machines it's deployed against, and reports them back to the mothership. Let's say the configuration data they retrieve includes the serial numbers of memory chips, NICs, and eSATA disk drives. The attackers then concatenate that data together and hash it 10,000 times to create a key. So when the payload decryption module is loaded onto a new machine, it scans the memory chips, NICs, and disk drives, and runs the key generating hash algorithm again. If the resulting key can successfully decrypt the payload, we can assume Bad Things will happen to the victim. If it can't decrypt it, nothing happens.

This tries to address two of those original mistakes. First, Kaspersky has no way to identify the victim today. All they know so far is that the target is probably any of the thousands of machines that have already been infected with something that reported their configuration to the attacker. For all we know, it could be configuration data originally harvested by Stuxnet, and not a current Gauss victim. Second, they have no way of decrypting the attack until the specific victim is identified and decides to cooperate.

It's possible that the malware attack on the victim will be engineered such that the victim will suffer grave physical harm; perhaps through planting false evidence of treason, or emptying their bank accounts instead of repaying the kind of debts that Must Be Repaid On Time. After destroying the victim, discovery may be moot. I'd assume in any case that the malware payload will clean Gauss from the machine after completing its mission, leaving nothing for investigators to ever learn they were the targeted victim of Gauss.

My guess is that Kaspersky will include a "victim detector" module as part of an anti-Gauss clean-up package. It would run the same serial number detection mechanism, the same key generation mechanism, and attempt the same decryption test to see if it successfully decrypts. But instead of calling the actual malware routine, it could report the machine's configuration back to Kaspersky, so they could decrypt it.
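The key-derivation scheme quoted from the article earlier in this thread (configuration data hashed through 10,000 MD5 iterations into a 128-bit RC4 key) and the "victim detector" sketched in the comment above, as an added Python example. This is not Gauss's code, not Kaspersky's tool, and not from anyone in the thread. Everything concrete in it beyond the iteration count and the key size is an assumption: the field names, the `|` separator, chaining each MD5 output into the next, and the header-plus-CRC marker used to recognise a successful decrypt.

```python
import hashlib
import zlib

# Constructed example, NOT Gauss's code. It reproduces the scheme the thread
# describes (configuration fields -> 10,000 MD5 iterations -> 128-bit RC4 key)
# so the "victim detector" idea can be tried on sample data. Field names, the
# separator, the chained hashing and the integrity marker are assumptions; the
# page gives only the iteration count and the key size.

ITERATIONS = 10_000
MAGIC = b"PAYLOAD1"   # assumed 8-byte plaintext header that marks a good decrypt


def derive_key(config_fields):
    """Concatenate the surveyed fields and hash them 10,000 times (assumed chaining)."""
    h = b"|".join(f.encode() for f in config_fields)
    for _ in range(ITERATIONS):
        h = hashlib.md5(h).digest()
    return h  # 16 bytes = 128-bit RC4 key


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def seal_payload(target_config, payload):
    """The attacker-side step the thread describes: key from the chosen victim's
    config, payload prefixed with a recognisable header and a CRC of itself."""
    body = MAGIC + zlib.crc32(payload).to_bytes(4, "big") + payload
    return rc4(derive_key(target_config), body)


def try_unlock(local_config, blob):
    """Zombie-side / detector-side test: derive the key from *this* machine's
    config and check whether the blob decrypts to something well-formed.
    Returns the payload bytes on a match, None otherwise."""
    body = rc4(derive_key(local_config), blob)
    if not body.startswith(MAGIC):
        return None
    crc = int.from_bytes(body[8:12], "big")
    payload = body[12:]
    return payload if zlib.crc32(payload) == crc else None


def detector_report(candidate_configs, blob):
    """The clean-up-tool idea from the thread: try every configuration the
    tool can observe locally and report which one (if any) unlocks the blob."""
    return [cfg for cfg in candidate_configs if try_unlock(cfg, blob) is not None]


# Constructed sample "survey" data: the kinds of fields plover speculates about.
TARGET_CONFIG = ["MAC=00:11:22:33:44:55", "SPD=DIMM-SN-0001", "SATA=WD-XYZ-123"]
OTHER_CONFIG = ["MAC=00:11:22:33:44:66", "SPD=DIMM-SN-0002", "SATA=WD-XYZ-999"]
SAMPLE_PAYLOAD = b"<constructed stand-in for the encrypted module>"
SAMPLE_BLOB = seal_payload(TARGET_CONFIG, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("target config unlocks:", try_unlock(TARGET_CONFIG, SAMPLE_BLOB) is not None)
    print("other config unlocks: ", try_unlock(OTHER_CONFIG, SAMPLE_BLOB) is not None)
    print("detector matches:", detector_report([OTHER_CONFIG, TARGET_CONFIG], SAMPLE_BLOB))
```

Running it shows that only the configuration the blob was sealed for yields a well-formed plaintext; every other machine gets random bytes and does nothing, which is the behaviour the thread attributes to Gauss. A detector in plover's sense is just `try_unlock` run against whatever survey fields a clean-up tool can read locally. The decrypt test is also the only cheap oracle: without knowing which fields were hashed, the search space is the product of every plausible serial number, which is why the thread concludes the payload stays opaque until the actual target is found.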

Re:So stupid it's got to be official. (1)

drkstr1 (2072368) | about 2 years ago | (#40946391)

Ahh, so Gauss doesn't carry the key itself, it gets it from the CC server, and only when the configuration matches a specific pattern (known only by the server). Very interesting indeed. Thank you for the detailed explanation!

Re:So stupid it's got to be official. (1)

plover (150551) | about 2 years ago | (#40949651)

Close, but not quite.

Some time a while ago, Gauss surveyed every victim's computer, reporting their config data to the CC servers.

The attackers identified a specific victim, and used that victim's config data to generate a key. The payload was then encrypted by the attackers with that particular key, and then delivered to every active Gauss zombie by the CC server.

The Gauss zombies don't ever carry the key, they always generate it locally from their own config data.

All zombies get the same payload, but only the zombie with the correct config will generate the correct key, unlocking the payload and unleashing the pain.

Re:So stupid it's got to be official. (1)

plover (150551) | about 2 years ago | (#40949905)

I'm assuming from the article that the configuration data they're talking about are things like MACs from the victim's NICs, serial numbers off of the memory SPD chips, and serial numbers from the SATA drives. If that's true, it would be easy enough to swap a memory stick out to avoid the problem, rather than trying to re-flash something.

If you've got that much knowledge about your potential for being hacked, you've probably already updated your systems with the latest anti-virus programs that would catch Gauss anyway.

My guess is this trap is set for the personal PC of some top official, like Naim Qassem, the current top guy of Hezbollah. Generally, top people are not known for their l33t haxx0r ski11z, so the chances of his having good defenses in place are probably fairly low. I doubt that he's going to be the kind of guy to swap RAM sticks, anyway.

one step closer to the world of Neal Stephenson (3, Interesting)

Doubting Sapien (2448658) | about 2 years ago | (#40937259)

In "The Diamond Age", sovereign powers and those with the means engage in (more or less) open conflict using nanomachines colloquially referred to as "mites". Particularly vicious "battles" in these conflicts manifest as smog-like pollution formed by mites of opposing factions destroying each other and leaving inert carcasses hanging in the air and settling over streets, buildings, etc. like a kind of artificial dust. Those unlucky enough to be caught outside during these times breathe them in and have no end of resulting health problems. One of the secondary characters in the story actually ends up in a chronic/palliative care facility as a result of such ill health. Such are the collateral damages in this imagined world. Things like Stuxnet and now the subject of this article appear to be the manifestations of a software form of this type of "armed conflict" (if you can call it that.) Similarly, when non-targeted individuals become infected or otherwise get caught in the cross-fire, collateral damages result in the form of lost productivity or perhaps just general nuisance. So......

Ask slashdot:

Can you think of an effective way for non-government affiliated denizens of the Internet to respond to such emerging scenarios where geo-politically driven cyber-conflicts have the potential to harm non-participants? For example, would it be appropriate to form an Internet version of the International Red Cross?

"Ask, & YE SHALL Receive"... apk (-1)

Anonymous Coward | about 2 years ago | (#40939335)

"Can you think of an effective way for non-government affiliated denizens of the Internet to respond to such emerging scenarios where geo-politically driven cyber-conflicts have the potential to harm non-participants?" - by Doubting Sapien (2448658) on Thursday August 09, @04:21PM (#40937259)

PROTECTING YOURSELF IS "JOB #1", & if you want to do a job right? Do it yourself... & learn how to during that time, with a little help/guidance!

Read, & apply what's in the link below, to-the-letter, IF you use a Windows-based system!

(CIS tool for Windows 2000/XP/Server 2003 = FREE, & CIS Tool for Windows 7 has a 30 day trial: Trust me, you won't need it for THAT long! It makes it fun, almost like running a system performance benchmark for speed/efficiency tuning, albeit, this is for security-hardening your system instead).

This is a guide I'd written since 1997-2007 that actually works:

To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:

http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text [neowin.net]

& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml [archive.org] which Neowin above picked up on & rated very highly.

That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...

Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:

---

1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ [pcpitstop.com] (see January 2008))

---

Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:

---

SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2 [xtremepccentral.com]

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

AND

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3 [xtremepccentral.com]

"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

---

Here's some opinions on it, from your /. peers here on this website (based on upward moderations):

* THE APK SECURITY GUIDE GROUP 18++ THUSFAR (from +5 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

APK SECURITY GUIDE:2009 -> http://it.slashdot.org/comments.pl?sid=1361585&cid=29360367 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://yro.slashdot.org/comments.pl?sid=1218837&cid=27787281 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://ask.slashdot.org/comments.pl?sid=970939&cid=25093275 [slashdot.org]
APK SECURITY GUIDE:2010 -> http://tech.slashdot.org/comments.pl?sid=1885890&cid=34358316 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://it.slashdot.org/comments.pl?sid=154868&cid=12988150 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://ask.slashdot.org/comments.pl?sid=970939&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25092677 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://tech.slashdot.org/comments.pl?sid=1027095&cid=25747655 [slashdot.org]
APK SECURITY TEST CHALLENGE LINUX vs. WINDOWS:2007 -> http://it.slashdot.org/comments.pl?sid=267599&threshold=1&commentsort=0&mode=thread&cid=20203061 [slashdot.org]
APK SECURITY GUIDE:2010 -> http://yro.slashdot.org/comments.pl?sid=1638428&cid=32070500 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://books.slashdot.org/comments.pl?sid=168931&cid=14083927 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://news.slashdot.org/comments.pl?sid=1135717&cid=26941781 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://it.slashdot.org/comments.pl?sid=416702&cid=22026982 [slashdot.org]
APK SYSTEM TUNING:2010 -> http://hardware.slashdot.org/comments.pl?sid=1497268&cid=30649722 [slashdot.org]
APK SECURITY GUIDE: 2008 -> http://ask.slashdot.org/comments.pl?sid=970939&no_d2=1&cid=25092677 [slashdot.org]
APK SYSTEM TUNING:2010 -> http://hardware.slashdot.org/comments.pl?sid=1497268&threshold=-1&commentsort=0&mode=thread&cid=30649722 [slashdot.org]
APK SECURE SETUP FOR IP STACK:2005 -> http://it.slashdot.org/comments.pl?sid=170545&cid=14211084 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://it.slashdot.org/comments.pl?sid=170545&cid=14210206 [slashdot.org]
MICROSOFT SECURITY:2010 -> http://news.slashdot.org/comments.pl?sid=1546446&cid=31106612 [slashdot.org]

---

* There you go... it works!

APK

P.S.=> The idea & principles behind it are the best thing we have going out there now for the purposes of securing personal computer systems: "Layered-Security"/"Defense-In-Depth", & you asked what you can do? Protect yourself... that's "JOB #1"!

... apk

Re:"Ask, & YE SHALL Receive"... apk (-1)

Anonymous Coward | about 2 years ago | (#40940721)

It's time to take your meds, APK.

The nurse will be right back. This time don't palm them.

Re:"Ask, & YE SHALL Receive"... apk (-1)

Anonymous Coward | about 2 years ago | (#40941339)

Don't you have anything better to do than being a cowardly dick?

Far beyond the good Neal Stephenson (0)

Anonymous Coward | about 2 years ago | (#40940789)

No the ICRC is an awful example and exactly what one wouldn't want: wasteful global corruption preying on good intentions and shortsighted feel-good ideals, an organization that quickly moved from noble beginnings (including triage by killing, technically murder) into doing far more harm than good when assessed after fairly short time-scales (the total resulting effect a few decades after actions taken). I am not making the argument but the ICRC is led by the kind of people one could reasonably argue should be killed even if one assumes an eventual and unavoidable man-made immortality and the resurrection of all dead sentient life throughout history (bound to happen if sentience survives a billion years, hell it might become reality within this millennium considering the rates of improvements we're already seeing).

However what one does want is already in existence and growing: novel (and still very young) entities akin to Anonymous. There's already a handful of them and that's just the public and "intentional" ones. Yes most people don't get such "disorganizations" yet but within the next few decades most will as they realize by that time that they're already (in the future) part of them. By then it will be even less confined to the "digital world" and might even start to become part of formal societal structure (i.e. part of general society and "governance", which in case people haven't noticed is painfully slowly dying an ugly disease-ridden death all across the world right now --not that disorganizations will replace this but they will likely function as midwifes for whatever does).

Disorganizations don't even need unique names or apparent existence, as an example people who use Tor, I2P or similar are already seeding and sustaining such disorganizations through simple straightforward 'individual reward' without realizing it or the aggregate effect (that's how emergent properties work).

I got the solution (4, Funny)

courteaudotbiz (1191083) | about 2 years ago | (#40935723)

Just De-Gauss the infected hard drive

Re:I got the solution (1)

buchner.johannes (1139593) | about 2 years ago | (#40936327)

I think there is a button on the monitor

Re:I got the solution (1)

efensive (2697763) | about 2 years ago | (#40936575)

You could always hex-edit the code, muck it up, creating a gaussian blur

Re:I got the solution (2)

Steve Baker (3504) | about 2 years ago | (#40937281)

Overkill, you just need to use Gaussian elimination.

Re:I got the solution (1)

evilviper (135110) | about 2 years ago | (#40940891)

Just De-Gauss the infected hard drive

I know cockroaches and mice can become problematic as they commonly make their homes in nice warm computers with convenient openings, but do people really have a problem with 18th-century mathematician infestations?

Stop making malware (1)

stevenh2 (1853442) | about 2 years ago | (#40935789)

We all know who you are... Just STOP.

Re:Stop making malware (0)

Anonymous Coward | about 2 years ago | (#40936249)

You ain't seen nothing yet.

New State-Sponsored WINDOWS Malware. (0)

couchslug (175151) | about 2 years ago | (#40935803)

Yes, it matters.

Would an article about a new APPLICATION not reference what OS it runs on?

Re:New State-Sponsored WINDOWS Malware. (0)

Anonymous Coward | about 2 years ago | (#40935847)

WINDOWS is the state sponsored malware

Re:New State-Sponsored WINDOWS Malware. (0)

Anonymous Coward | about 2 years ago | (#40935953)

Correct! Microsoft: Providing NSA backdoors since at least 1995.

Re:New State-Sponsored WINDOWS Malware. (1)

Anonymous Coward | about 2 years ago | (#40936059)

I demand a citation!! Where's your proof? Is it hiding under your tinfoil hat?

Re:New State-Sponsored WINDOWS Malware. (1)

FalconZero (607567) | about 2 years ago | (#40936125)

I see your point, but it's a fair assumption it's Windows - Flavours of Windows account for ~80-85% of PC market, with Flavours of Mac accounting for 10-15% (and nothing industrial runs on a mac). Linux could be the end target, but doesn't make a good vector as it's usually hardened. The upshot of which is, that if you want to do any industrial malware - Windows is the target.

Re:New State-Sponsored WINDOWS Malware. (2)

cant_get_a_good_nick (172131) | about 2 years ago | (#40936363)

I think we all assume massive malware failures on Microsoft. That's a statement, though you can read that as a troll/joke, which is kind of scary in its own way - MS is so bad that the joke is you assume it's the bad one.

Mac OSX is getting enough inroads to make it commercially viable to produce malware, but in a weird way I think people will skip it and move more quickly to Android/iOS.

Re:New State-Sponsored WINDOWS Malware. (1)

rwise2112 (648849) | about 2 years ago | (#40936407)

Yes, and it does. The diagram at the top of page 1 of TFA references files in \Windows\System32\

Re:New State-Sponsored WINDOWS Malware. (4, Funny)

xerxesVII (707232) | about 2 years ago | (#40936679)

Well according to the helpful lads at 4chan, that folder is usually just filled with malware. They recommend deleting that folder. Seems like a pretty good idea.

Re:New State-Sponsored WINDOWS Malware. (0)

Anonymous Coward | about 2 years ago | (#40936687)

"Besides stealing various kinds of data from infected Windows machines..."

Re:New State-Sponsored WINDOWS Malware. (3, Insightful)

Johann Lau (1040920) | about 2 years ago | (#40937859)

Actually, it doesn't. Had those plants been running Linux workstations, the malware would target Linux. Likely without breaking a sweat.

What? (1)

TonyAldo (2702885) | about 2 years ago | (#40936001)

How do these researchers determine where the code was written? I never understood that.

Re:What? (3, Interesting)

FalconZero (607567) | about 2 years ago | (#40936461)

I think it's a mixed bag of things. Unmangled variables would be a great help - could tell you the native language of the developers. Code style can give hints as well - you can compare the style of code with the style of a known sample to give hints. Machine code structure can tell you which compiler was used (which gives you more hints).

If the developers used pure assembler (which people don't any more *laments*), and scrubbed your code properly, you could make it much harder to trace (but doing so in itself gives you clues about the creator).

Re:What? (0)

Anonymous Coward | about 2 years ago | (#40937503)

One example that I saw in an article about how number comparisons compiled. (This is from memory and may not be exactly right. Also, I should mention that this assumes integer operations.) One compiled them exactly as they appeared in the code: this meant if your code said "if x2".

Re:What? (0)

Anonymous Coward | about 2 years ago | (#40937619)

Well I just wasted my time doing that comment (damn HTML entities). And I don't want to type out the examples again. But basically one did only less thans, another did it exactly as it appeared in the code and another would flip the operation to get rid of negations (e.g. ~< becomes >=).

Re:What? (3, Informative)

X0563511 (793323) | about 2 years ago | (#40936533)

While cleaning rootkits off servers and such, you'd be surprised. Half the time they go right out and say who made it and when. Usually with some silly message or statement, too.

Re:What? (1)

Pseudonym (62607) | about 2 years ago | (#40941089)

Example silly message or statement: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

Since when (4, Funny)

Black Parrot (19622) | about 2 years ago | (#40936097)

is a gaussian distribution news?

Re:Since when (2)

Gertlex (722812) | about 2 years ago | (#40936331)

Well it's certainly not normal! Oh wait...

(disclaimer: I had to look it up :( )

Re:Since when (1)

treeves (963993) | about 2 years ago | (#40936467)

well, the news is always skewed, so I guess Gaussian would be a big deal.

Re:Since when (2)

kelfink (603517) | about 2 years ago | (#40937403)

The author is biased.

Identifying printed documents? (1)

pathological liar (659969) | about 2 years ago | (#40936229)

If the infections are targeted, perhaps the font is dropped to allow found printed documents to be linked to one of the targets?

Re:Identifying printed documents? (0)

Anonymous Coward | about 2 years ago | (#40937829)

No, probably not. I think the purpose of the font is to identify infected systems when their owners visit the bad guys' website: all that is needed is to query Firefox for installed fonts - a totally innocent operation.

Re:Identifying printed documents? (1)

pathological liar (659969) | about 2 years ago | (#40938597)

I hadn't thought of that, that seems much more likely.

Re:Identifying printed documents? (0)

Anonymous Coward | about 2 years ago | (#40940331)

Come to think of it... Now everybody who collects visitor information (for marketing/tracking purposes) can go through all logs and extract the list of all of the infected. And there is a good chance that creators would be on that list too...

Topic : Is this the new 'security' paradigm? (1)

Anonymous Coward | about 2 years ago | (#40936299)

Is state-sponsored malware and having e-spies in all aspects of everything online...

Is this something that's going to 'solve the problem' or 'become the problem' would you say?

warhead?! (1)

X0563511 (793323) | about 2 years ago | (#40936501)

I believe the word you are searching for is "payload."

Re:warhead?! (1)

amicusNYCL (1538833) | about 2 years ago | (#40936613)

No way man, "warhead of unknown designation" sounds way more scarycool.

Re:warhead?! (0)

Anonymous Coward | about 2 years ago | (#40936987)

A note regarding your sig: Since you're providing an obfuscated link, one should assume you're possibly attempting a social engineering attack designed to entice FOSS proponents.

Re:warhead?! (1)

X0563511 (793323) | about 2 years ago | (#40937635)

Or, one could realize that we only have so much space in our signatures for the HTML.

I would have used preview.tinyurl.com if I could. It got truncated.

State Sponsored... (2, Interesting)

efensive (2697763) | about 2 years ago | (#40936507)

It's amusing to see how much the term "State Sponsored" is thrown around regarding these variants. Sooner or later, everything will be labeled as such to the point where truly "state sponsored" won't even matter. Further disturbing are the annoying mechanisms in which companies like Kaspersky wildly and broadly word their articles, often allowing for insane inferences to be made. For example, floating around is news that the US did this to follow the money trail for terrorists. Really? Because a national security letter to Visa, Mastercard and Paypal wouldn't get them the data quicker? Not to mention SWIFT, PROMIS and other controls are in place and have been for years.

If you follow the verbiage from Kaspersky over the last few years, one may infer he outright hates the US, is working for the FSB or something way out there. So I quote what I saw on Twitter: World according to Kaspersky: 's:^:US developed (Gauss\|Stuxnet\|Flame):g' || if [ -e $MALICE ]|\then|\ echo USA|\ fi

Oh Yeah, Langley Boy (0)

Anonymous Coward | about 2 years ago | (#40936867)

Whoever interferes with your crappery must be KGB or at least FSB. Or at least French - that is nearly as bad for you.

Re:State Sponsored... (0)

Anonymous Coward | about 2 years ago | (#40937045)

World according to Kaspersky: 's:^:US developed (Gauss\|Stuxnet\|Flame):g' || if [ -e $MALICE ]|\then|\ echo USA|\ fi

cat file | awk '{gsub(/Gauss|Stuxnet|Flame/,"US developed &")}1'

also || would not work as sed would return exit 0

Re:State Sponsored... (1)

jkflying (2190798) | about 2 years ago | (#40943025)

You clearly missed the article in the New York Times...

Cipher Support For Arab Freedom (1)

Anonymous Coward | about 2 years ago | (#40936949)

Instead of doing stupid comments here which only waste bandwidth, why don't we write some software to help the cause of Arab Freedom ? There is still no translation into Arabic for GPG !

I did something minor - a strong paper cipher which can secure combat radio messages: http://alkindicipher.wordpress.com

Wouldn't it be easier (4, Funny)

HexaByte (817350) | about 2 years ago | (#40937023)

Wouldn't it be easier to just send them all an e-mail: "Hello, I am Mrs. Kadafi, wife of the late ruler of Libya. My husband left me with 300 million USD in a Swiss account..."

Re:Wouldn't it be easier (0)

Anonymous Coward | about 2 years ago | (#40938027)

Mrs. Kadafi? Wasn't that Condoleezza Rice? In which case, Swiss bank accounts would be hard to get by for her. They went from a hipster thing to mainstream when Inland Revenue caught on. I suppose she could always stash the money across the border, but a Canadian bank account doesn't have the same ring to it, does it?

When China strikes back (1)

Anonymous Coward | about 2 years ago | (#40937211)

When China strikes back it will be a lot more interesting. Is the US ready? If Israel with the US think it's ok to infect computers in friendly and neutral countries, they can't blame China for doing this too.

Re:When China strikes back (1)

Grave (8234) | about 2 years ago | (#40938309)

What do you mean "when"? China is already engaged in massive cyber-espionage with us.

Re:When China strikes back (0)

Anonymous Coward | about 2 years ago | (#40939489)

They still didn't do any physical harm, only stealing IP. Cyber and non-cyber espionage, everybody does it. Including China, Russia, Israel, USA. All of them are hunting for military secrets and technologies. Not sure the US is stealing tech secrets on a government level and gives them to its own companies.

Why can't they list the OS? (0)

HangingChad (677530) | about 2 years ago | (#40938085)

On virus announcements, why don't they ever mention vulnerable operating systems? Not all malware can infect all operating systems. It would be nice to know the specifics.

Then again, maybe Microsoft wouldn't like the bad PR.

May inspire a Windows exodus... (4, Interesting)

Kazoo the Clown (644526) | about 2 years ago | (#40938221)

If these events cause mass flight from Microsoft products, the NSA or whoever wrote the darn thing might want to think twice before they go to Microsoft asking for any back doors or any other favors, I suspect Ballmer won't take too kindly to the idea of exploiting Windows in the name of national security if it takes a big ding out of their bottom line...

Re:May inspire a Windows exodus... (1)

Anonymous Coward | about 2 years ago | (#40942479)

I really doubt the NSA needs a back door added. They probably have a list of 0-days a mile long.

If the NSA didn't have an AT&T SPY ROOM.. (-1)

Anonymous Coward | about 2 years ago | (#40949033)

they wouldn't be shit.. seriously they don't have a lot of 0-days. They just snoop lines like coward noobs - they don't actually have any real *skills* other than snooping lines and DDOS lmfao... The NSA really are nothing but script kids, but the media makes them look like gods..

C&C traffic is XOR-encrypted (0)

Anonymous Coward | about 2 years ago | (#40938269)

Communication with the command & control servers is encrypted by XORing with 0xACDC (Flame didn't encrypt C&C traffic).

ACDC... now is anybody else wondering what that mysterious encrypted payload could be?
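The XOR-keyed C&C traffic this comment describes, as an added example that is not code from the thread or from Kaspersky's analysis: a small analyst helper that strips a repeating two-byte key from a captured blob and a heuristic that decides whether a capture was encoded that way. The byte order of 0xACDC on the wire is an assumption (both orders are tried), and the beacon text and host name are constructed.

```python
import string

# Both byte orders of 0xACDC are tried, since the wire order is an assumption.
KEY_CANDIDATES = (bytes.fromhex("ACDC"), bytes.fromhex("DCAC"))

# Byte values a decoded text-based C&C message is expected to consist of.
PRINTABLE = frozenset(string.printable.encode())


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating multi-byte key. XOR is its own inverse,
    so the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def guess_xor_key(blob: bytes, threshold: float = 0.9):
    """Try each candidate key; return (key, plaintext) for the decoding with the
    highest printable ratio at or above the threshold, or None if no candidate
    yields mostly-printable output (the blob is then probably not XOR-0xACDC)."""
    best = None
    for key in KEY_CANDIDATES:
        plaintext = xor_with_key(blob, key)
        ratio = printable_ratio(plaintext)
        if ratio >= threshold and (best is None or ratio > best[2]):
            best = (key, plaintext, ratio)
    return None if best is None else (best[0], best[1])


# Constructed sample: a made-up HTTP-style beacon, not real Gauss traffic.
SAMPLE_PLAINTEXT = (b"GET /beacon?id=EXAMPLE-HOST HTTP/1.1\r\n"
                    b"Host: c2.example.invalid\r\n\r\n")
SAMPLE_CAPTURE = xor_with_key(SAMPLE_PLAINTEXT, bytes.fromhex("ACDC"))


if __name__ == "__main__":
    hit = guess_xor_key(SAMPLE_CAPTURE)
    if hit is None:
        print("capture does not look XOR-0xACDC encoded")
    else:
        print(f"key {hit[0].hex()} -> {hit[1]!r}")
    # An un-encoded ASCII blob scores 0 under either key: every key byte has
    # its high bit set, so XOR pushes each ASCII byte out of printable range.
    print(guess_xor_key(SAMPLE_PLAINTEXT))
```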

Re:C&C traffic is XOR-encrypted (0)

Anonymous Coward | about 2 years ago | (#40941151)

I know what it is!

It's T.N.T.
It's dynamite.
It's T.N.T,
and it'll win the fight.
It's T.N.T.
It's a power load.
It's T.N.T.
Watch it explode.

Clearly created by the US (1)

qemqemqem (2670007) | about 2 years ago | (#40938425)

Can't we just say sponsored by the US instead of acting like we don't know who created this?

Re:Clearly created by the US (1)

biodata (1981610) | about 2 years ago | (#40939087)

It could be the Israelis, they created Trusteer Rapport, so they have previous here.

Re:Clearly created by the US (0)

Anonymous Coward | about 2 years ago | (#40941771)

Yes you're right. Like the GP said, sponsored by US, made (assembled) in Israel.

Re:Clearly created by the US (1)

tomhath (637240) | about 2 years ago | (#40939101)

Because there's absolutely no evidence that it's anything more than a crude copy/edit of stuxnet or flame. The author speculates because parts were copied, but admits it's not as sophisticated as either.

Re:Clearly created by the US (0)

Anonymous Coward | about 2 years ago | (#40943163)

Can't we just say sponsored by the US instead of acting like we don't know who created this?

The country is already implied. The question is... which state?

Re:Clearly created by the US (1)

ledow (319597) | about 2 years ago | (#40944233)

Stupid thing to do. Because if I wanted to discredit another country, the most ingenious way would be to make it LOOK like they had done something, but that left subtle hints that it was them that created it.

Cue years of wrangling to get to the bottom of who exactly created it, while some other (unknown) entity who actually wrote it just walks away without suspicion.

We're talking international cyber-warfare here, aimed at nuclear processing plants. If I was making something like that, item #1 on my list of things to include would be obvious flaws and subtle hints to hint at another world nation being behind it. Hell, I'd deliberately have it written on machines with US codepages and English pathnames, even if the native language didn't translate into ASCII at all. In fact, especially if it didn't.

In the same way, NEVER believe the US when they manage to link "attacks from China" - how the HELL do they know they originated in China at all if they don't know who wrote them? And what idiot WOULDN'T route their attacks on the US via somewhere like China to try to put the blame on someone else (hell, even the spammers have worked that one out!)?

The US *want* me to think that China attacked them, for some reason. I don't know why. And the creators of Flame et al *want* me to think that it's an American-supported venture. Hell, if I was Iranian / Lebanese and clever enough, I'd attack myself just to make the "enemy" look bad and provide reason for "retaliation".

Don't be naive when it comes to international politics and, let's face it, cyberwarfare / spying. Everyone's so quick to point at the NSA etc. when they think their email is being read or their OS backdoored, but nobody thinks that, actually, an *INTELLIGENCE* agency is likely to be much more sneaky than you give them credit for. And that an Iranian intelligence agency, for example, would be just as good as a US one (if not better).

"Only one infection has been found in Iran" ..hmmm (1)

Swave An deBwoner (907414) | about 2 years ago | (#40939107)

Aside from 1,660 infections in Lebanon, 482 are in Israel and 261 are in the Palestinian territories, and 43 are in the U.S. Only one infection has been found in Iran.

Perhaps that one infection was the source of the other 2,446 infections?

Iran is a major player in Lebanon after all.

Re:"Only one infection has been found in Iran" ..h (0)

Anonymous Coward | about 2 years ago | (#40944411)

That would be nice to hear, that Iran now uses it against the developers.

Internet terrorism (1, Interesting)

bmo (77928) | about 2 years ago | (#40940679)

Countries that release stuff like this into the wild are criminal rogue states. It's like dumping Agent Orange not just on the jungles of Vietnam during war, but on the entire planet as a whole.

There are no borders on the Internet. What you release is not limited to your target and affects everyone.

One can only hope that the governments that released Flame, Stuxnet, and now this, become victims of their own weapons.

Yes, I do know who that likely means. I certainly hope it comes back to bite us like a torpedo circling around and targeting its own submarine. Maybe then someone will learn a thing or two about not shitting where you eat.

--
BMO

Re:Internet terrorism (1)

couchslug (175151) | about 2 years ago | (#40943599)

I regard them as healthy, because unless herd resistance to such things is built up by exposure, the herd will be less robust.

"One can only hope that the governments that released Flame, Stuxnet, and now this, become victims of their own weapons."

That would usefully coerce them to adopt better practices.

Re:Internet terrorism (0)

bmo (77928) | about 2 years ago | (#40943691)

I find it interesting that stating facts as they exist on the ground is now "troll" on slashdot.

Re:Internet terrorism (1)

plover (150551) | about 2 years ago | (#40952195)

The behavior of Gauss as described in TFA is made to sound like "socially responsible malware".

By encrypting the payload with a key unique to a specific configuration, they are not providing that payload to anyone else. Not even Kaspersky can decrypt the payload, at least not until the target machine is identified. And by then it's probably too late.

Sure, they're still sending out malware, with USB exploits, root kits, and other bad stuff. It's not that much worse than what is widely available online today. But they're encrypting the very worst part, which is "here's how we're going to cause maximum damage to you." We don't know if the payload is designed to tamper with SCADA systems, initiate wire transfers to a Cayman Islands bank, or if it emails compromising pictures of the victim to Al Jazeera. Nobody gets a copy of it, except for one lucky winner. And he doesn't even want it.

So in the attackers' minds, they can say they are distributing a "kinder, gentler virus".

Thunderstruck (0)

Anonymous Coward | about 2 years ago | (#40941571)

Kaspersky's report notes the XOR key used for data encryption is 0xACDC, yet there is only a single reported infection in Iran.
