The global quest to decrypt the most mysterious malware warhead in history

PhenoMenal

Stuxnet, Flame, Duqu ... these are the weapons of cyberwarfare that Israel and the USA developed, mainly to target Iran to both gather information and disrupt their nuclear program. They were successful in both (Stuxnet alone destroyed over 1000 of Iran's nuclear centrifuges at the Natanz reactor by tampering with their spin speeds - a true malware masterstroke). These programs have all been analysed to bits by hundreds of malware analysts around the world, and there's not much that we don't know about them - at least from a disassembly/debugging analysis point of view.

But there is another associated cyberweapon, named Gauss. Most of it has been analysed, but there is one special module that remains encrypted, despite some of the best cryptanalysts and malware analysts trying to break it. The reason for this is that the decryption can only work on a particular computer - one with a very specific setup that Gauss was looking for ... the decryption key is based on an MD5 hash of certain system settings. Researchers still do not know what exactly this specific type of computer is, and such information doesn't exist within Gauss.

It's quite possible that the system configuration information that Gauss used for the decryption key was gathered by the information-stealing Duqu, which would allow it to zero in on exactly what computer(s) it wanted the module to be decrypted and executed on.

Until the decryption key can be found, researchers cannot analyse the code within this special module, so it remains a frustrating but tantalising mystery.

This is a good article about it just published today ...
http://arstechnica.com/security/201...tentially-destructive-malware-is-not-stuxnet/
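The post says the key is derived from an MD5 hash of system settings that nobody has identified. The added Python below (my illustration, not Gauss's code or anything from the article) shows why that blocks analysis: an analyst can only run a dictionary search over candidate configuration strings and test each decryption for a plausible payload header, so the search succeeds only when the true configuration is in the candidate list. The derivation scheme, keystream, header and configuration strings are all constructed assumptions for the demo.

```python
import hashlib
from typing import Iterable, Optional

# Constructed header: a correct decryption must reproduce it (stands in for a real file signature).
MAGIC = b"TOY-PAYLOAD-v1"


def derive_key(config: str, rounds: int = 1000) -> bytes:
    """Assumed key schedule: iterate MD5 over a system-configuration string.
    Which settings Gauss hashes, and how, is not on the page; this is a stand-in."""
    digest = config.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.md5(digest).digest()
    return digest


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an MD5(key || counter) keystream; same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 16):
        block = hashlib.md5(key + offset.to_bytes(4, "little")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 16], block))
    return bytes(out)


def looks_valid(plaintext: bytes) -> bool:
    """Analyst's oracle: does the candidate decryption carry the expected header?"""
    return plaintext.startswith(MAGIC)


def search(ciphertext: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack over configuration guesses; returns the matching config or None."""
    for cfg in candidates:
        if looks_valid(xor_stream(ciphertext, derive_key(cfg))):
            return cfg
    return None


# Constructed sample: the "target" machine's configuration string and an encrypted module.
TARGET_CONFIG = r"C:\Program Files\ExampleVendor|en-US"
PAYLOAD = MAGIC + b" constructed placeholder module body"
CIPHERTEXT = xor_stream(PAYLOAD, derive_key(TARGET_CONFIG))

if __name__ == "__main__":
    wrong = [r"C:\Program Files|en-US", r"C:\Programme\ExampleVendor|de-DE"]
    print("without the true config:", search(CIPHERTEXT, wrong))           # None
    print("with the true config:", search(CIPHERTEXT, wrong + [TARGET_CONFIG]))
```

Because MD5 is one-way, the ciphertext gives no hint about the configuration string, so the candidate list has to come from elsewhere, which is exactly the gap the post describes.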