Security experts have renewed their call for help in cracking an “encrypted warhead” they believe is delivered by the Gauss virus and may be poised to seek out and destroy a high-profile target.

Kaspersky Lab has tried and failed to decrypt data hidden in three sections of two Gauss files, “System32.dat” and “System32.bin”, which are the 32-bit and 64-bit versions of the same code. Those two files gather information from an infected machine and write it back to a file on the system’s USB drive.

The Russian company has already tried millions of possible keys to unlock the code, so it is now refocusing its efforts on defeating the cryptography used to conceal the underlying code. The researchers believe the secret code may be designed to disrupt SCADA (supervisory control and data acquisition) systems used to control equipment at dams, gasoline refineries and other types of critical infrastructure.

“Of course, it is obvious that it is not feasible to break the encryption with a simple brute-force attack,” the researchers wrote in a blog post. “We are asking anyone interested in breaking the code and figuring out the mysterious payload to join us.”

Two of the three sections, .exrdat and .exdat, hold data, while the third, .exsdat, is believed to contain the code for decrypting and executing the contents of the “warhead”, Kaspersky said. Furthermore, the program needed to unlock the data must have a name written in an “extended character set”, such as Arabic or Hebrew, or one that starts with a symbol such as “~”; it is not an application with an English name. Cryptographers should try to determine what that application is, as identifying it will help unlock the remainder of the encrypted information.

Vitaly Kamluk, chief malware analyst at Kaspersky Lab, said it was likely that all the targets of Gauss were picked manually. “It must be [going after] something very critical,” he said.
The company has now offered cryptographers the first 32 bytes of the encrypted data, along with hashes from the known variants of the modules, and has called on anyone who wants to take part in uncovering Gauss’ secrets.

“It is like a pure mathematical problem,” Kamluk added. “We have a definition of the problem, all the required conditions and there are multiple ways of solving it.”

“What we have are just IP addresses, and no contact information,” he said.

Until the encryption is cracked, it is difficult to say precisely what Gauss is after. Clues point to a sophisticated computer virus that may have been developed by the same nation state, or group of nation states, that developed Flame, the computer virus that was spying on computers in Iran as recently as last May, and possibly Stuxnet, the virus that disrupted uranium enrichment work in Iran in 2010.

“All the precautions used by the authors indicate that the target is indeed high-profile,” the researchers wrote in their blog post.

Source: gulfnews