Kaspersky Lab Discovers 'Gauss'

kaspersky.com

104 points by sspencer 13 years ago · 24 comments

sounds 13 years ago

From the article: "... the installation of a special font called Palida Narrow, and the purpose of this action is still unknown."

Would this perhaps be a tracking ability, as described at https://panopticlick.eff.org (specifically, the list of "System Fonts")?

It would require the users to visit a site that is collecting this tracking information, but it isn't impossible to imagine a popular site among the target audience being strong-armed by a nation-state into installing something to do this.

The tracking is practically invisible to end users.

apawloski 13 years ago

"Another key feature of Gauss is the ability to infect USB thumb drives, using the same LNK vulnerability that was previously used in Stuxnet and Flame."

Do we have to repeat the same debate about this one's origin?

  • spec_laconic 13 years ago

    That .lnk vulnerability is now in metasploit; I don't think we can safely say that Gauss is from the same org from this one piece of evidence.

    • duaneb 13 years ago

      The viruses (this and skywiper) appear to be both targeting the middle east... Maybe they're all just chumps and easy targets out there, but it also makes sense that they have the same people behind them.

nvmc 13 years ago

I like how they call it a "nation-state sponsored cyber-espionage toolkit", and then go on to refer to its unknown creators.

jsannemo 13 years ago

Reading their analysis of Gauss, it appears 0xACDC is used for XOR encryption when communicating with the C&C servers. Didn't we just read about another security company and AC/DC...? http://news.ycombinator.net/item?id=4286696
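As an added illustration (not code from the thread or from Kaspersky's analysis): an analyst-side decoder that applies the 0xACDC repeating XOR key mentioned above to a captured blob. Which byte order Gauss used for the key is an assumption here, so both are tried, and only a candidate that decodes to mostly printable text is kept; the sample capture is constructed.

```python
import re

# Constructed sample request, not real Gauss traffic.
SAMPLE_PLAINTEXT = b"GET /upload?id=0042&host=WS-01 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

# 0xACDC as a two-byte repeating key; byte order is an assumption, so both are tried.
KEY_BE = bytes.fromhex("acdc")
KEY_LE = bytes.fromhex("dcac")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. Symmetric: the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def try_decode(blob: bytes, threshold: float = 0.95):
    """Try both key byte orders; return (label, plaintext) for the best candidate
    whose printable ratio meets the threshold, or None if neither does."""
    best = None
    for label, key in (("0xACDC big-endian", KEY_BE), ("0xACDC little-endian", KEY_LE)):
        candidate = xor_repeating(blob, key)
        score = printable_ratio(candidate)
        if score >= threshold and (best is None or score > best[0]):
            best = (score, label, candidate)
    return None if best is None else (best[1], best[2])


def looks_like_http(data: bytes) -> bool:
    """Cheap plausibility check for a decoded HTTP request line."""
    return re.match(rb"^(GET|POST) /\S* HTTP/1\.[01]\r\n", data) is not None


def build_sample_capture() -> bytes:
    """Produce the constructed 'captured' blob by encoding the sample with the big-endian key."""
    return xor_repeating(SAMPLE_PLAINTEXT, KEY_BE)


if __name__ == "__main__":
    result = try_decode(build_sample_capture())
    if result:
        print(result[0], "->", result[1].decode("ascii", "replace"), looks_like_http(result[1]))
```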

duaneb 13 years ago

Probably just a continuation of the same virus that's been going around for years at this point: http://www.crysys.hu/skywiper/skywiper.pdf

Kaspersky tends to exaggerate how novel these viruses are.

picklefish 13 years ago

This was a better read for me: https://www.securelist.com/en/blog?weblogid=208193767 (saw it on slashdot).

sgt101 13 years ago

Oh ho - and suddenly Standard Chartered is fingered for transactions with Iran!

Yuk Yuk Yuk - I wonder what is going on with this then!

forgotusername 13 years ago

What now.. a heavily cybermilitarized nationstate so broke it needs to skim its own citizens' bank accounts? Advanced Persistent Phish?

Trying to remember the last time I didn't read about some ultra-dooper-al-quaeda-cyber-virus. Seems any kid with a C compiler these days pumping out cutpasted code qualifies as a complex threat.

Coming up: 50 page white paper on the seemingly "innocuous" font (translation: obviously some previously unknown 0day secret intelligence 007 cyber warhead) and its implications for national security funding.

  • Torgo 13 years ago

    This virus could be used to track the flow of money in terror networks. It could also be used offensively to surprise-defund them, or to grab off-the-books cash for your own nation's agents in the field.

    • forgotusername 13 years ago

      Applying Occam's razor we're left with a teenage drop out who has found a way to sell bank account details on the black market, to fund his new car.

      But of course not, obviously it's Al Qaeda. How else will the security industry succeed in strangling more cash and evil, preferential, freedom-damaging policies from central government?

      • daeken 13 years ago

        Absolutely no one is even suggesting it's Al Qaeda. Did you read the article at all? It points to the US and/or Israel above all else...

        • irishcoffee 13 years ago

          Unless I missed something, the central government referred to is not located in the middle east.

          • chc 13 years ago

            You missed something. forgotusername strongly seems to be suggesting that security experts are falsely claiming this is from Al Qaeda so they can get money from the US government to fight the terrorists. That's what daeken was responding to.

        • forgotusername 13 years ago

          Sarcasm failure? The comment's intention was to suggest that it is directly and unequivocally in the interests of AV and infosec companies to dress up these daft events to make them sound as evil as possible, as the resulting fear drives their bottom line.

          I'll walk you through it step by step.

          > What now.. a heavily cybermilitarized nationstate so broke it needs to skim its own citizens' bank accounts?

          This alludes to the fact the evil hacker espionage ultra-worm targets banking web sites, which is exactly the kind of worm we've had for hundreds of years now, only it's not written by governments, it's written by the kind of people who can sell those details on the black market. My attempt at making seemingly obvious humour in the form of "nationstate so broke it needs to skim its own citizens' bank accounts?" was clearly a failure.

          > Advanced Persistent Phish?

          Here I allude to a vague concept ("Advanced! Persistent! Threat!") pushed over the past 5 years or so by the AV/infosec community: one of this ill-defined superpower, for which evidence rarely exists, ready to pounce at any moment, spending trillions of Afghani rupees over years on the ability to read your private mail, and therefore obviously in return you should spend a great deal of money on your security (because you never know.. the boogey-man might already have root!).

          > Trying to remember the last time I didn't read about some ultra-dooper-al-quaeda-cyber-virus. Seems any kid with a C compiler these days pumping out cutpasted code qualifies as a complex threat.

          Well that's just it. This is a virus I could write, and I'm not even a vx guy. As someone else pointed out, the 0day it uses is distributed with Metasploit! This isn't exactly screaming "APT", "nationstate", or 007 is it. More it's screaming a pasty faced 15 year old armed with nothing but wget and the URL "www.phrack.com/my-first-virus-tutorial-1985-edition.txt".

          > Coming up: 50 page white paper on the seemingly "innocuous" font (translation: obviously some previously unknown 0day secret intelligence 007 cyber warhead) and its implications for national security funding.

          If you've been following along, this clearly references the copious scaremongering white papers produced by AV vendors around the time of Stuxnet.

          More nonsense from the article:

          > Another key feature of Gauss is the ability to infect USB thumb drives

          The first computer viruses spread by floppy disk. I have no clue why this is 'key' to Gauss. I'll walk you through the BS in the article step by step if you really feel it's necessary.

          tl;dr I am extremely cynical of the AV community scaremongering, because given time it will result in laws that'll get in the way of the freedom to use my or my children's computers. It's obviously already taken root in some of the minds around here, as y'all grasp to cope with this seemingly deadly evil threat, and my making light of it.

  • ktizo 13 years ago

    What now.. a heavily cybermilitarized nationstate so broke it needs to skim its own citizens' bank accounts?

    Well, at least we have a shortlist then. UK, Iceland, Greece, Spain...

    Advanced Persistent Phish? - Is that some kind of really annoying halibut, armed with lasers?
