Parsing Cyberwar, part 3: Patch #1 – Lessons from the Gauss malware
Summary: In “Parsing Cyberwar – Part 3” Marcus Ranum discussed the logistical problems implicit in cyberweapons. We now have a case study showing how quickly a new cyberweapon technology obsoletes itself. This, coupled with the tendency of one cyberweapon getting burned to burn others in its family tree, will tend to keep cyberweapons in the tactical domain, where they’ll be part of a churning arms race that happens in “internet time.”
War fascinates us. Magazines, books, clubs, and a thousand websites discuss every aspect, every weapon. But most often they look backwards, because the romance and excitement of war lies in the past: combat with now-obsolete weapons. In the 17th century war aficionados loved mounted knights. In 1938 tanks were boring, cavalry were prestigious. In 2000 fighter jocks were hot, UAVs were boring. Now special ops are dashing, with cyberwar discussed mostly by nerds.
This series by Marcus Ranum shows us the frontier of war (and crime), helping us prepare for the future instead of polishing myths about trendy but now only niche forms of war. Your children might consider this the primary form of State-to-State war, seeing tanks and fighters only as toys on the playroom floor.
- About Gauss, new malware
- Building Gauss
- A Timeline of Quick Burn
- Pallida Narrow
- With Tweezers and a Microscope
- Other chapters in the Parsing Cyberwar series
- For more information
(1) About Gauss, new malware
The latest-breaking piece of malware in the Stuxnet/Duqu/Flame saga is called “Gauss.” According to researchers at Kaspersky Labs (global IT security), it appears that all 4 of these state-sponsored pieces of malware were written by the same contractors, or by contractors who had access to a common code-base to build upon.
What did Gauss cost to develop and how long was its run? How cost-effective was this weapon? How effective will its techniques be in the hands of commercial malware writers? We have learned that Gauss appears to have infected about 2500 machines (known to date) — if only we knew how much some government paid for Gauss’ development, we could figure out what it cost per target. I’d bet that it’s in “pentagon hammer” territory.
(2) Building Gauss
How much would we expect something like these trojan horses to cost to build? A great deal depends on the engineer(s) doing the development, and their skills. I’ve known programmers who would be able to work for years and not produce something like Stuxnet, but I’ve also known programmers who could build a framework for something like Stuxnet in a couple of weeks, and flesh it out fully over the course of a couple of months. The important thing about programmers is that bad programmers are cheap and great programmers aren’t — so either way, you wind up spending a goodly chunk of money.
Since the work was being done for the government, in secret, handling secret information about the centrifuge cascade at Natanz, you can bet that the very tip top of top dollar billing rates were factored into the cost of Stuxnet. I’m guessing that someone paid $1 – $3 million for each of the major branches, and that stringing out the development time-line had more to do with justifying a fee than the overall difficulty of the work involved.
If the Kaspersky folks are right (and I see no reason to doubt them) the code-sharing represents a pretty quickly developed code framework with subsequent enhancements and retargeting; it wasn’t a complete re-write each time. I’d guess that the programming team that built these was 2 or 3 coders and a support/test engineer. This is well within the ballpark of what a criminal organization could accomplish, but they wouldn’t bother – their model is to go after targets of opportunity rather than targets of choice.
(3) A Timeline of Quick Burn
I hope that someday someone does an evolutionary tree of this set of programs; it would be interesting to use the textual analysis methods used by biblical scholars to see what can be learned about what changes happened, and when, and perhaps why. A couple of million dollars here and there isn’t a lot for a government to spend for a weapons-system, but the Stuxnet family and the exposure of Gauss ought to serve as a good example of how quickly the cyberweapons arms-race is going to move, and how expensive it could get.
- (t= -?) June – Kaspersky Labs becomes aware of Gauss (elsewhere we see “known about for nearly a year”)
- (t= 0) Aug 9 – News breaks about the “New Gauss trojan”
- (t +2) Aug 11 – Symantec publishes chart of Gauss outbreak
- (t +2) Aug 11 – CrySys pallida narrow font detection web page
- (t +5) Aug 14 – Pallida Narrow hook disclosed
- (t +5) Aug 14 – Microsoft rolls out patch for some of the vectors used by Gauss
- (t +5) Aug 14 – detection fingerprint for Gauss used by a variety of tools to profile systems for infection
- What next?
During the time (call it 3 months) between when Kaspersky Labs got their hands on Gauss and the announcement of its existence by Kaspersky’s team on August 9, several innovative features of Gauss were blown, or were on their way to being blown. Researchers are having a field day trying to figure out the reasons why Gauss does some of the things it does, while other researchers are working to find clear “fingerprints” that they can use to profile a Gauss infection.
Within 3 months, only an incompetent security practitioner will not have identified any systems infected with Gauss, and within 2 months any good ideas embodied in Gauss’ methods will be appearing in commercial malware. In other words: the “good guys” and the “bad guys” will both react quickly and the value of the techniques used by Gauss will drop to near zero.
(4) Pallida Narrow
If you google for “Pallida” you’ll find it’s the name of a spirochete – someone has a vestigial sense of humor.
The current point of interest regarding Gauss is its use of the “pallida narrow” font. Apparently, it drops a font into some infected systems’ font libraries. Researchers are currently determining why; there are two popular theories:
- It’s part of an exploit against Windows’ font-rendering system
- It’s a signalling mechanism for passively determining whether a client machine visiting a website is infected; it may be part of a command/control mechanism
Here’s the fascinating thing: from the defender’s standpoint both hypotheses may as well be completely correct! Because, now, attention is going to be paid to auditing for unusual fonts appearing in font folders, as well as the fonts that browsers offer to servers as part of a CSS stylesheet.
This is all very interesting; the security community is deriving new detection methods, hypothesizing new command/control channels, and will now be looking for them. As I pointed out in Part 3, security discoveries are retroactive. Once Gauss is fully dissected anyone who has Gauss or who has had Gauss may be able to detect it.
In the future, anyone with decent security will be able to detect anything that uses Gauss-like methods. It’s not just that “Pallida Narrow” is burned; font dropping in general is burned. You can bet that smart firewall designers are sitting up and taking notice; a few of them will come up with the clever idea of white-listing typical HTTP transaction elements and flagging anything new that suddenly appears. Then research labs will look at it, and if it’s new malware, it’ll be burned, too.
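The two paragraphs above describe the defender’s side of the font-dropping story: baseline what normally lives in a font folder (or in a set of HTTP transaction elements) and flag anything that suddenly appears. The script below is an added example of that baseline-and-diff audit, written for this page and not code from the original post, Kaspersky, or CrySys. It assumes nothing about Gauss itself: the font directory, the baseline file name and the font files it creates are all constructed for the demonstration, and a real deployment would point `snapshot()` at the live font folder and store the baseline somewhere the audited host cannot alter.

```python
"""Baseline-and-diff audit of a font directory (added example, not from the post).

Assumptions, none of which come from the page: the directory layout and the
baseline file name are placeholders, and every font file written below is
constructed sample data rather than a real font or a real indicator.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large fonts are cheap."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(font_dir: Path) -> dict:
    """Map every regular file under font_dir (relative path) to its digest."""
    return {
        str(path.relative_to(font_dir)): hash_file(path)
        for path in sorted(font_dir.rglob("*"))
        if path.is_file()
    }


def save_baseline(font_dir: Path, baseline_path: Path) -> None:
    """Record the known-good state of the font folder as JSON."""
    baseline_path.write_text(json.dumps(snapshot(font_dir), indent=2))


def audit(font_dir: Path, baseline_path: Path) -> dict:
    """Compare the folder's current state against the saved baseline.

    Anything 'added' is the font-dropping red flag the post talks about;
    'modified' catches a known font being replaced in place, and 'removed'
    catches tampering with the baseline set itself.
    """
    baseline = json.loads(baseline_path.read_text())
    current = snapshot(font_dir)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in both if current[name] != baseline[name]),
    }


def demo() -> dict:
    """Build a constructed font folder, baseline it, then simulate a drop."""
    with tempfile.TemporaryDirectory() as tmp:
        font_dir = Path(tmp) / "Fonts"  # placeholder for the real font folder
        font_dir.mkdir()
        (font_dir / "arial.ttf").write_bytes(b"constructed font data A")
        (font_dir / "times.ttf").write_bytes(b"constructed font data B")
        baseline = Path(tmp) / "fonts-baseline.json"
        save_baseline(font_dir, baseline)

        # Later on: a font quietly appears, a known one is altered, one vanishes.
        (font_dir / "newfont.ttf").write_bytes(b"constructed unexpected font")
        (font_dir / "times.ttf").write_bytes(b"constructed font data B, altered")
        (font_dir / "arial.ttf").unlink()
        return audit(font_dir, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        for name in names:
            print(f"{kind.upper():9} {name}")
```

The same shape of check applies to the HTTP case the post mentions: snapshot the set of headers and parameters a given client or site normally produces, then alert on elements that were never in the baseline. Hashing contents rather than comparing names alone matters because a font replaced in place keeps its name, and scheduling the audit from outside the audited host keeps a compromised machine from rewriting its own baseline.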
(5) With Tweezers and a Microscope
When Robert Morris, Jr.’s internet worm broke out on the relatively tiny internet of 1989, it took a day or so before teams of software engineers from University of Maryland and MIT rushed to publish its mechanisms, attack vectors, and how to detect and block it.
Since then, that’s been pretty much how internet security has worked because it’s had to. Malware designers — whether state-sponsored, commercial, or recreational — are opposed by well-practiced teams of engineers who have labs outfitted for dissecting and analyzing their work.
Since any cyberweapon is going to have to work over the internet, it will have to fit itself into a relatively narrow set of parameters. It’s going to have to generate/receive some kind of traffic. There’s no such thing as “undetectable traffic”, there’s only “slightly harder than usual to detect traffic.” Clever engineers may spend days or weeks coming up with techniques for their attack tools, which can be accidentally burned en masse in a matter of days.
Gauss illustrates perfectly what I was talking about when I explained how, every time a cyberweapon (whether it’s commercial, amateur, or state-sponsored) gets burned, it burns entire classes of other cyberweapons. If anyone else has used the font-dropping technique in their code, their cyberweapon is going to be discovered fairly soon, because the security community is now looking intensely at font dropping. Imagine how unfortunate it would be if some top-secret military cyberweapon — one that cost a fortune to develop and had slowly infiltrated critical targets — used the same technique that has now been turned from a “clever idea” into a “red flag” that gives its presence away.
I look forward to watching the rest of Gauss’ expensive secrets laid bare, as they inevitably will be.
(6) Other chapters in the Parsing Cyberwar series
- The Battlefield
- The Logistical Train
- Synergies and Interference
- Patch #1 – Lessons from the Gauss malware
- The Best Defense is a Good Defense
In the final part, we will conclude with an assessment of what practical actions are available to corporations and governments in the cyberwar environment.
(7) For More Information
(a) On the FM website
See the FM Reference Page about Cyber-espionage and Cyber-war!, with links to Marcus Ranum’s other posts and a wide range of other resources.
(b) Articles about malware
- Mysterious Font Left by Malware Befuddles, PC World, August 2012
- While Origin Unclear, Gauss Indicates Malware Tool Boom, CSO Online, August 2012
- On the Pallida Narrow Mystery and Remote Detection, CrySys Blog, August 2012
- With Microscope and Tweezers: the Worm from MIT’s Perspective, Communications of the ACM, June 1989 — Classic paper describing the rapid analysis of the Morris Internet Worm. The worm was dissected and details were published in a matter of days after its release, resulting in the complete blocking of its main attack vectors internet-wide. Admittedly, the internet was small back then.