Kaspersky seeks helpers for breaking Gauss malware encryption

Think you have what it takes to crack some malware? Kaspersky Lab wants your help.

Last week the security firm uncovered Gauss, a cyber threat targeting users in the Middle East that is intended to steal personal details, like banking information. Gauss, however, includes a module, known as Godel, that has an encrypted payload. Despite their best efforts, Kaspersky analysts have been unable to break the encryption.

"So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets," Kaspersky said. "We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload."

Gauss can infect USB thumb drives using the same vulnerability seen in the Stuxnet and Flame viruses. Kaspersky said today that infected USB sticks contain two files with several encrypted sections.

"These files are loaded from infected drives using the well-known LNK exploit introduced by Stuxnet," according to Kaspersky. "Their primary goal is to extract a lot of information about the victim system and write it back to a file on the drive named '.thumbs.db.'"

The security firm said it has "tried millions of combinations" to break the code, but to no avail.

"Of course, it is obvious that it is not feasible to break the encryption with a simple brute-force attack. We are asking anyone interested in breaking the code and figuring out the mysterious payload to join us," Kaspersky said.

Kaspersky said it would provide the first 32 bytes of encrypted data and hashes from known variants of the modules. "If you are a world class cryptographer or if you can help us with decrypting them, please contact us by e-mail:," the firm said.

If you want to see whether your machine has been hit by Gauss, Kaspersky has teamed up with Hungarian research lab CrySyS on an online tool that detects whether your device is infected with the Gauss malware.