Analysis of the Gauss Malware

Over at Ars Technica Dan Goodin has a nice article analyzing the Gauss malware. Gauss appears to be related to Stuxnet and internal code signatures suggest that its provenance is the same [1]. Although Gauss was discovered last year, very little is known about its purpose or capabilities.

That’s because its payload—or more accurately, its warhead—is encrypted. Gauss appears to be looking for computers used for a specific application. It concatenates PATH and program directory names, adds a salt and hashes the result. If the resulting (key stretched) hash matches a compiled-in constant, Gauss has found the program it’s looking for. Then it hashes the same PATH and program name with a new salt and uses the result as the key to decrypt the payload. Despite significant and sustained effort, researchers have not been able to find the key and thus have no idea what the payload is intended to do.
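The mechanism described above, as an added example that is not code from the article or from any published Gauss analysis. It models the two derivations (a stretched hash compared against a compiled-in constant, and a second stretched hash with a different salt used as the payload key) and the analyst's side of the problem: with only the constant and the ciphertext in hand, the only route to the payload is a dictionary search over plausible directory names, each guess costing the full stretching work. The hash function (SHA-256), the iteration count, both salts, the toy counter-mode stream cipher and the directory names are all constructed for the illustration and are not the sample's real values.

```python
import hashlib
import itertools

# Assumed parameters for this illustration (not Gauss's real values).
ITERATIONS = 10_000
GATE_SALT = b"gate-salt-constructed"
KEY_SALT = b"key-salt-constructed"


def stretched_hash(path_entry: str, program_dir: str, salt: bytes,
                   iterations: int = ITERATIONS) -> bytes:
    """Hash PATH entry || program directory || salt, then re-hash the result
    `iterations` times.  The stretching makes every candidate an analyst tries
    cost `iterations` hash calls, which is what slows a dictionary search."""
    digest = hashlib.sha256(path_entry.encode() + program_dir.encode() + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode XORed with the data), used
    only to show that the payload is unreadable without the derived key.  It
    stands in for whatever cipher the real sample uses; the same call both
    encrypts and decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        block_key = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block_key))
    return bytes(out)


# --- Constructed "sample": what would be compiled into the binary -----------
TARGET_PATH_ENTRY = r"C:\Program Files\AcmeSoft"   # constructed
TARGET_PROGRAM_DIR = "AcmeClient"                   # constructed
PLAINTEXT_PAYLOAD = b"constructed payload bytes standing in for the warhead"

# The only two things an analyst can read out of the binary are these:
COMPILED_IN_HASH = stretched_hash(TARGET_PATH_ENTRY, TARGET_PROGRAM_DIR, GATE_SALT)
ENCRYPTED_PAYLOAD = keystream_xor(
    stretched_hash(TARGET_PATH_ENTRY, TARGET_PROGRAM_DIR, KEY_SALT), PLAINTEXT_PAYLOAD)


def search_gate(compiled_in_hash: bytes, path_candidates, program_candidates):
    """Analyst-side dictionary search: try each (PATH entry, program directory)
    pair and return the first one whose stretched hash equals the compiled-in
    constant, or None.  Nothing in the binary helps beyond this comparison,
    so the search is only as good as the candidate lists."""
    for path_entry, program_dir in itertools.product(path_candidates, program_candidates):
        if stretched_hash(path_entry, program_dir, GATE_SALT) == compiled_in_hash:
            return path_entry, program_dir
    return None


def recover_payload(encrypted_payload: bytes, path_entry: str, program_dir: str) -> bytes:
    """Re-derive the key with the second salt and decrypt, as the sample would
    on the matching machine.  A wrong pair yields garbage, not an error."""
    key = stretched_hash(path_entry, program_dir, KEY_SALT)
    return keystream_xor(key, encrypted_payload)


if __name__ == "__main__":
    found = search_gate(COMPILED_IN_HASH,
                        [r"C:\Windows\system32", r"C:\Program Files\AcmeSoft"],
                        ["Notepad", "AcmeClient"])
    print("gate match:", found)
    if found:
        print(recover_payload(ENCRYPTED_PAYLOAD, *found))
```

The point the toy makes is that the gate hash gives a yes/no answer and nothing else: a wrong guess costs the full stretching work and returns silently, and the key is never stored, only re-derived on the one machine whose directory layout matches. That is why crowdsourced guessing of directory names, rather than any weakness in the binary, was the researchers' only avenue.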

Goodin’s article is interesting and informative. If you have an interest in security, or just want to see how someone might go about protecting a piece of software from prying eyes, you’ll enjoy it.

Footnotes:

[1] Said to be the United States and Israel.