Kaspersky Lab Discovers 'Gauss' (opens in new tab)

(kaspersky.com)

104 pointssspencer13y ago24 comments

24 comments

From the article: "... the installation of a special font called Palida Narrow, and the purpose of this action is still unknown."

Would this perhaps be a tracking ability, as described at https://panopticlick.eff.org (specifically, the list of "System Fonts")

It would require the users to visit a site that is collecting this tracking information, but it isn't impossible to imagine a popular site among the target audience being strong-armed by a nation-state into installing something to do this.

The tracking is practically invisible to end users.

malenm13y ago

Just read the same thing [1] - that does seem to be a logical use for a 'custom' font

[1] http://blog.crysys.hu/2012/08/on-the-palida-narrow-mystery-o...

TazeTSchnitzel13y ago

Also, you could make it the default font for documents, meaning you could trace their origins, perhaps.

lallysingh13y ago

My first guess was that system font renderers are probably less hardened against exploits, and that the font is exactly that. The name sounds generic enough to look like it fits in with the rest.

delinka13y ago

Your EFF link says Chrome on iOS is 1 in ~93,000 while a Chrome incognito tab is 1 in ~89,000. Incognito is less unique and more identifiable that a regular tab. Interesting results.

icegreentea13y ago

What? If you are less unique, then you are also less identifiable.

1 more reply

bdittmer13y ago

That is incredibly clever.

apawloski13y ago

"Another key feature of Gauss is the ability to infect USB thumb drives, using the same LNK vulnerability that was previously used in Stuxnet and Flame."

Do we have to repeat the same debate about this one's origin?

spec_laconic13y ago

That .lnk vulnerability is now in metasploit; I don't think we can safely say that Gauss is from the same org from this one piece of evidence.

duaneb13y ago

The viruses (this and skywiper) appear to be both targeting the middle east... Maybe they're all just chumps and easy targets out there, but it also makes sense that they have the same people behind them.

nvmc13y ago

I like how they call it a "nation-state sponsored cyber-espionage toolkit", and then go on to refer to its unknown creators.

jsannemo13y ago

Reading their analysis of Gauss, it appears 0xACDC is used for XOR encryption when communicating with the C&C servers. Didn't we just read about another security company and AC/DC...? http://news.ycombinator.net/item?id=4286696

duaneb13y ago

Probably just a continuation of the same virus that's been going around for years at this point: http://www.crysys.hu/skywiper/skywiper.pdf

Kaspersky tends to exaggerate how novel these viruses are.

picklefish13y ago

This was a better read for me: https://www.securelist.com/en/blog?weblogid=208193767 saw it on slashdot

sgt10113y ago

Oh ho - and suddenly Standard Chartered is fingered for transactions with Iran!

Yuk Yuk Yuk - I wonder what is going on with this then!

forgotusername13y ago

What now.. a heavily cybermilitarized nationstate so broke it needs to skim its own citizens' bank accounts? Advanced Persistent Phish?

Trying to remember the last time I didn't read about some ultra-dooper-al-quaeda-cyber-virus. Seems any kid with a C compiler these days pumping out cutpasted code qualifies as a complex threat.

Coming up: 50 page white paper on the seemingly "innocuous" font (translation: obviously some previously unknown 0day secret intelligence 007 cyber warhead) and its implications for national security funding.

Torgo13y ago

This virus could be used to track the flow of money in terror networks. It could also be used offensively to surprise-defund them, or to grab off-the-books cash for your own nation's agents in the field.

forgotusername13y ago

Applying Occam's razor we're left with a teenage drop out who has found a way to sell bank account details on the black market, to fund his new car.

But of course not, obviously it's Al Quaeda. How else will the security industry succeed in strangling more cash and evil, preferential, freedom-damaging policies from central government?

1 more reply

ktizo13y ago

What now.. a heavily cybermilitarized nationstate so broke it needs to skim its own citizens' bank accounts?

Well, at least we have a shortlist then. UK, Iceland, Greece, Spain...

Advanced Persistent Phish? - Is that some kind of really annoying halibut, armed with lasers?

j / k navigate · click thread line to collapse

24 comments

sounds13y ago

From the article: "... the installation of a special font called Palida Narrow, and the purpose of this action is still unknown."

Would this perhaps be a tracking ability, as described at https://panopticlick.eff.org (specifically, the list of "System Fonts")

The tracking is practically invisible to end users.

malenm13y ago

Just read the same thing [1] - that does seem to be a logical use for a 'custom' font

[1] http://blog.crysys.hu/2012/08/on-the-palida-narrow-mystery-o...

TazeTSchnitzel13y ago

Also, you could make it the default font for documents, meaning you could trace their origins, perhaps.

lallysingh13y ago

My first guess was that system font renderers are probably less hardened against exploits, and that the font is exactly that. The name sounds generic enough to look like it fits in with the rest.

delinka13y ago

Your EFF link says Chrome on iOS is 1 in ~93,000 while a Chrome incognito tab is 1 in ~89,000. Incognito is less unique and more identifiable that a regular tab. Interesting results.

icegreentea13y ago

What? If you are less unique, then you are also less identifiable.

1 more reply

bdittmer13y ago

That is incredibly clever.

apawloski13y ago

"Another key feature of Gauss is the ability to infect USB thumb drives, using the same LNK vulnerability that was previously used in Stuxnet and Flame."

Do we have to repeat the same debate about this one's origin?

spec_laconic13y ago

That .lnk vulnerability is now in metasploit; I don't think we can safely say that Gauss is from the same org from this one piece of evidence.

duaneb13y ago

nvmc13y ago

I like how they call it a "nation-state sponsored cyber-espionage toolkit", and then go on to refer to its unknown creators.

jsannemo13y ago

duaneb13y ago

Probably just a continuation of the same virus that's been going around for years at this point: http://www.crysys.hu/skywiper/skywiper.pdf

Kaspersky tends to exaggerate how novel these viruses are.

picklefish13y ago

This was a better read for me: https://www.securelist.com/en/blog?weblogid=208193767 saw it on slashdot

sgt10113y ago

Oh ho - and suddenly Standard Chartered is fingered for transactions with Iran!

Yuk Yuk Yuk - I wonder what is going on with this then!

forgotusername13y ago

What now.. a heavily cybermilitarized nationstate so broke it needs to skim its own citizens' bank accounts? Advanced Persistent Phish?

Trying to remember the last time I didn't read about some ultra-dooper-al-quaeda-cyber-virus. Seems any kid with a C compiler these days pumping out cutpasted code qualifies as a complex threat.

Torgo13y ago

forgotusername13y ago

Applying Occam's razor we're left with a teenage drop out who has found a way to sell bank account details on the black market, to fund his new car.

But of course not, obviously it's Al Quaeda. How else will the security industry succeed in strangling more cash and evil, preferential, freedom-damaging policies from central government?

1 more reply

ktizo13y ago

What now.. a heavily cybermilitarized nationstate so broke it needs to skim its own citizens' bank accounts?

Well, at least we have a shortlist then. UK, Iceland, Greece, Spain...

Advanced Persistent Phish? - Is that some kind of really annoying halibut, armed with lasers?

j / k navigate · click thread line to collapse