Parsing Cyberwar, part 3: Patch #1 – Lessons from the Gauss malware

Summary: In “Parsing Cyberwar – Part 3” Marcus Ranum discussed the logistical problems implicit in cyberweapons. We now have a case-study showing how quickly a new cyberweapon technology obsoletes itself.  This, coupled with the tendency of one cyberweapons’ getting burned and potentially burning others in its family tree, will to tend to keep cyberweapons in the tactical domain, where they’ll be part of a churning arms-race that happens in “internet time.”

War fascinates us. Magazines, books, clubs, and a thousand websites discuss every aspect, every weapon. But most often looking backwards, because the romance and excitement of war lies in past — combat with now-obsolete weapons. In the 17th century war aficionados loved mounted knights. In 1938 tanks were boring, cavalry were prestigious. In 2000 fighter jocks were hot, uav’s were boring. Now special ops are dashing, with cyberwar discussed mostly by nerds.

This series by Marcus Ranum shows us the frontier of war (and crime), helping us prepare for the future instead of polishing myths about trendy but now only niche forms of war.  You children might consider this the primary form of State-to-State war, seeing tanks and fighters only as toys on the playroom floor.


  1. About Gauss, new malware
  2. Building Gauss
  3. A Timeline of Quick Burn
  4. Pallida Narrow
  5. With Tweezers and Microscope
  6. Other chapters in the Parsing Cyberwar series
  7. For more information

(1)  About Gauss, new malware

The latest-breaking piece of malware in the Stuxnet/Duqu/Flame saga is called “Gauss.”  According to researchers at Kaspersky Labs (global IT security), it appears that all 4 of these state-sponsored pieces of malware were written by the same contractors, or by contractors who had access to a common code-base to build upon.


What did Gauss cost to develop and how long was its run? How cost-effective was this weapon? How effective will its techniques be in the hands of commercial malware writers? We have learned that Gauss appears to have infected about 2500 machines (known to date) — if only we knew how much some government paid for Gauss’ development, we could figure out what it cost per target. I’d bet that it’s in “pentagon hammer” territory.

(2)  Building Gauss

How much would we expect something like these trojan horses to cost to build? A great deal depends on the engineer(s) doing the development, and their skills. I’ve known programmers who would be able to work for years and not produce something like Stuxnet, but I’ve also known programmers who could build a framework for something like Stuxnet in a couple weeks, and flesh it out fully over the course of a couple months. The important thing about programmers is that bad programmers are cheap and great programmers aren’t — so either way, you wind up spending a goodly chunk of money.

Since the work was being done for the government, in secret, handling secret information about the centrifuge cascade at Natanz, you can bet that the very tip top of top dollar billing rates were factored into the cost of Stuxnet. I’m guessing that someone paid $1 – $3 million  for each of the major branches, and that stringing out the development time-line had more to do with justifying a fee than the overall difficulty of the work involved.

If the Kaspersky folks are right (and I see no reason to doubt them) the code-sharing represents a pretty quickly developed code framework with subsequent enhancements and retargeting; it wasn’t a complete re-write each time. I’d guess that the programming team that built these was 2 or 3 coders and a support/test engineer. This is well within the ballpark of what a criminal organization could accomplish, but they wouldn’t bother – their model is to go after targets of opportunity rather than targets of choice.

(3)  A Timeline of Quick Burn

I hope that someday someone does an evolutionary tree of this set of programs; it would be interesting to use the textual analysis methods used by biblical scholars to see what can be learned about what changes happened, and when, and perhaps why. A couple of million dollars here and there isn’t a lot for a government to spend for a weapons-system, but the Stuxnet family and the exposure of Gauss ought to serve as a good example of how quickly the cyberweapons arms-race is going to move, and how expensive it could get.

  • (t= -?) June – Kaspersky Labs becomes aware of Gauss (elsewhere we see “known about for nearly a year”)
  • (t= 0) Aug 9 – News breaks about the “New Gauss trojan”
  • (t +2) Aug 11 – Symantec publishes chart of Gauss outbreak
  • (t +2) Aug 11 – CrySys pallida narrow font detection web page
  • (t +5) Aug 14 – Pallida Narrow hook disclosed
  • (t +5) Aug 14 – Microsoft rolls out patch for some of the vectors used by Gauss
  • (t +5) Aug 14 – detection fingerprint for Gauss used by a variety of tools to profile systems for infection
  • What next?

During the time (call it 3 months) between when Kaspersky labs got their hands on Gauss and the announcement of its existence on August 9  Kaspersky’s team, several innovative features of Gauss are blown, or are on their way to being blown. Researchers are having a field day trying to figure out the reasons why Gauss does some of the things it does, while other researchers are working to find clear “fingerprints” that they can use to profile a Gauss infection.

Within 3 months, only an incompetent security practitioner will not have identified any systems infected with Gauss, and within 2 months any good ideas embodied in Gauss’ methods will be appearing in commercial malware. In other words: the “good guys” and the “bad guys” will both react quickly and the value of the techniques used by Gauss will drop to near zero.

Gauss outbreak as of August 2012 (Source: Symantec)

(4)  Pallida Narrow

If you google for “Pallida” you’ll find it’s the name of a spirochete – someone has a vestigial sense of humor.

The current point of interest regarding Gauss is its use of the “pallida narrow” font. Apparently, it drops a font into some infected systems’ font libraries. Researchers are currently determining why; there are two popular theories:

  • It’s part of an exploit against Windows’ font-rendering system
  • It’s a signalling mechanism for passively determining if a client machine going to a website is infected; it may be part of a command/control mechanism

Here’s the fascinating thing: from the defender’s standpoint both hypotheses may as well be completely correct! Because, now, attention is going to be paid to auditing for unusual fonts appearing in font folders, as well as the fonts that browsers offer to servers as part of a CSS stylesheet.

This is all very interesting; the security community is deriving new detection methods, hypothesizing new command/control channels, and will now be looking for them. As I pointed out in Part 3, security discoveries are retroactive. Once Gauss is fully dissected anyone who has Gauss or who has had Gauss may be able to detect it.

In the future, anyone with decent security will be able to detect anything that uses Gauss-like methods. It’s not just that “Pallida narrow” is burned; font dropping in general is burned. You can bet that smart firewall designers are sitting up and taking notice; a few of them will come up with the clever idea of white-listing typical http transaction elements and flagging anything new that suddenly appears. Then research labs will look at it, and if it’s new malware, it’ll be burned, too.

(5)  With Tweezers and a Microscope

When Robert Morris, Jr.’s internet worm broke out on the relatively tiny internet of 1989, it took a day or so before teams of software engineers from University of Maryland and MIT rushed to publish its mechanisms, attack vectors, and how to detect and block it.

Since then, that’s been pretty much how internet security has worked because it’s had to. Malware designers — whether state-sponsored, commercial, or recreational — are opposed by well-practiced teams of engineers who have labs outfitted for dissecting and analyzing their work.

Since any cyberweapon is going to have to work over the internet, it will have to fit itself into a relatively narrow set of parameters. It’s going to have to generate/receive some kind of traffic. There’s no such thing as “undetectable traffic”, there’s only “slightly harder than usual to detect traffic.” Clever engineers may spend days or weeks coming up with techniques for their attack tools, which can be accidentally burned en masse in a matter of days.

Gauss illustrates perfectly what I was talking about when I explained how, every time a cyberweapon (whether it’s commercial, amateur, or state-sponsored) gets burned, it burns entire classes of other cyberweapons. If someone else had used the font dropping technique in their code, their cyberweapon is going to be discovered fairly soon, because the security community is now looking intensely at font dropping. Imagine how unfortunate it would be if some top-secret military cyberweapon — that cost a fortune to develop and had slowly infiltrated critical targets – used the same technique that has now been turned from a “clever idea” to a “red flag” that gives its presence away.

I look forward to watching the rest of Gauss’ expensive secrets laid bare, as they inevitably will be.

(6) Other chapters in the Parsing Cyberwar series

  1. The Battlefield
  2. The Logistical Train
  3. Synergies and Interference
  4. Patch #1 – Lessons from the Gauss malware
  5. The Best Defense is a Good Defense

In the final part, we will conclude with an assessment of what practical actions are available to corporations and governments in the cyberwar environment.

(7)  For More Information

(a) On the FM website

See the FM Reference Page about Cyber-espionage and Cyber-war!, with links to Marcus Ranum’s other posts and a wide range of other resources.

(b)  Articles about malware

  1. Mysterious Font Left by Malware Befuddles, PC World, August 2012
  2. While Origin Unclear, Gauss Indicates Malware Tool Boom, CSO Online, August 2012
  3. On the Pallida Narrow Mystery and Remote Detection, CrySys Blog, August 2012
  4. With Microscope and Tweezers: the Worm from MIT’s Perspective, Communications of the ACM, June 1989 — Classic paper describing the rapid analysis of the Morris Internet Worm. The worm was dissected and details were published in a matter of days after its release, resulting in the complete blocking of its main attack vectors internet-wide. Admittedly, the internet was small back then.

13 thoughts on “Parsing Cyberwar, part 3: Patch #1 – Lessons from the Gauss malware

  1. It seems like there will be pressure going forward to develop new types of cyber weapons cheaper and more quickly. Building things cheaper and more quickly is the antithesis of how the Pentagon and the American intelligence community has historically worked. It looks like non-state actors, and the states who manage to use non-state actors, will have the edge in any coming cyber-warfare.


    1. Building cheaper/faster cyberweapons will probably not work, for the same reason that building viruses faster hasn’t worked: the security companies that produce tools against them will innovate against broad classes of attacks and block entire gene-lines of cyberweapons at a time. The last time I talked to Kaspersky he said they had several hundred engineers working full time to write signatures against tens of thousands of new malware variants a day. They’ve got their processes so refined that they can deal with a load like that!! Cyberweapons builders will not be able to build innovative attack tools at such a rate – which means they’ll have to “cookie cutter” them, and they’ll fall to the companies like Kaspersky and Symantec.

      As I said, I don’t think this particular “shiny thing” is going to be very shiny for very long.


  2. Your a good writer, interesting article. In the stuxnet family, could there have been over lap in the time lines? The speed in which each was deployed means #1 On the shelf awaiting burn of predecessor? #2 Anticipated burn date & issued new before discovery, #3 Have found 4 out of 7, 3 still await discovery? #4 These guys are really good, 3 mos devel,test,deploy?

    $3 million is peanuts, GOP gave billionaires $700 billion in tax cuts. & 11 yr Afghan war cost $517 billion. $3 million per strike on Iran maybe worth it in psyops value alone.

    “Can I have some more please”

    Gerald. Internet Anthropologist


    1. I don’t believe it’s relevant to compare the development costs of a cyberweapon to tax cuts, or even fighting a war. Instead compare the cyberweapon’s cost to that of a high-tech conventional weapons — like the X-51A Waverider hypersonic missile. Three tests, three failures, three hundred million dollars. See Wired for details.
      X51!A Waverider Hypersonic Missile


    2. There seems to have been considerable overlap.

      Most likely what happened is that someone wrote a code-framework into which new “exploits” (the component that compromises the system) could be plugged, along with a command/control module that supported pluggable communications systems and any mission-specific payload. The pluggable parts would then be improved at varying rates depending on what the customer was asking for at the time. So, for example, the code that attacked the centrifuges at Natanz might have been a separate payload module developed by a different engineer with the classified knowledge about how Natanz was laid out, and the malware was wrapped, tested, and launched by a different group. So you’d get some overlap that way, in features, code, and time.

      $3 million is peanuts

      Yep. The pool of easy victims is going to dry up before the cash will.


  3. Godel, Gauss & Lagrange were named for scientists/mathematicians. However, Flame was a different type of name, and DuQu paid homage to e.e. (doc) smith and his writings.


    1. Thanks for that background. I didn’t see the e e smith connection. Interestingly, DuQuesne was the bad guy in the Skylark novels. Although of the somewhat nobel but power-seeking kind.


  4. RE: “War fascinates us. Magazines, books, clubs, and a thousand websites discuss every aspect, every weapon. But most often looking backwards, because the romance and excitement of war lies in past — combat with now-obsolete weapons. In the 17th century war aficionados loved mounted knights. In 1938 tanks were boring, cavalry were prestigious. In 2000 fighter jocks were hot, uav’s were boring. Now special ops are dashing, with cyberwar discussed mostly by nerds.”

    “Les armes ne sont pas seulement des outils de destruction, mais aussi de la perception des stimulants qui se font sentir à travers chimiques, neurologiques, des processus dans les organes des sens et du système nerveux central, affectant les réactions humaines.” «La perception de la Logistique», Cahiers du Cinéma

    “Weapons are not just tools of destruction, but also of perception- stimulants that make themselves felt through chemical, neurological, processes in the sense organs and central nervous system, affecting human reactions.”
    War and Cinema: The Logistics of Perception by Paul Virilio

    For more about this see “Notes on Paul Virilio’s War and Cinema“, Michael Stevenson, Masters of Media, 10 March 2008


    Sorry dude. Even before I started reading your stuff since ’07, I was reading tons of leftist material. No idea if the French is accurate though.


  5. If you are interested in cyberweapons, you might like this article interviewing a person who made an Adware Trojan that was impossible to remove: “Interview with an Adware Author“, Philosecurity, 12 January 2009 — “Matt Knox, a talented Ruby instructor and coder, talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for allegedly surreptitiously installing adware on millions of computers.)”

    The technical details will give you some idea of what cyberweapons are using in their designs.


Leave a Reply to Gilbert Nash Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s