Mysterious font left by malware befuddles

Taylor Armerding | Aug. 15, 2012
One thing's for sure, says expert: 'We have never seen a font installed by malware before.'

The most famous -- and mysterious -- font (yes, we're talking typeface) in the information security world right now is Palida Narrow.

Palida Narrow is a new font that the recently discovered Gauss malware installs on machines it infects. And as Dennis Fisher, writing on Kaspersky Lab's Threatpost blog, noted late last week, "Researchers have been unable to figure out yet what the purpose of the font is, but ... its presence on a PC is a good indicator of a Gauss infection."

So far there are only theories about its purpose. The most popular is that it is a brand mark for the command and control servers. But those have been offline since last month.

CrySyS Lab, which along with Kaspersky has released a Gauss detection tool, says the theory is that "Palida installation can be in fact detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages."
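Because the font's presence is itself the indicator, a defender can sweep a machine's font directory and read the name embedded in each font file instead of trusting file names. The sketch below is an added example, not code from Kaspersky, CrySyS Lab or the article; the function names, the directory argument and the sample font bytes are assumptions constructed for illustration.

```python
import struct
from pathlib import Path

MARKER = "palida narrow"  # font name given in the article, lower-cased

def build_sample(family: str) -> bytes:
    """Constructed minimal sfnt with only a 'name' table (test input, not a real font)."""
    s = family.encode("utf-16-be")
    name = struct.pack(">HHH6H", 0, 1, 18, 3, 1, 0x409, 1, len(s), 0) + s
    return struct.pack(">IHHHH4sIII", 0x00010000, 1, 16, 0, 0, b"name", 0, 28, len(name)) + name

def font_names(data: bytes) -> set:
    """Family (nameID 1) and full (nameID 4) names from an sfnt 'name' table."""
    names = set()
    if len(data) < 12:
        return names
    num_tables = struct.unpack_from(">H", data, 4)[0]
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(data):
            break
        tag, _, off, _ = struct.unpack_from(">4sIII", data, rec)
        if tag != b"name" or off + 6 > len(data):
            continue
        _, count, str_off = struct.unpack_from(">HHH", data, off)
        for j in range(count):
            r = off + 6 + 12 * j
            if r + 12 > len(data):
                break
            plat, _, _, name_id, n_len, n_off = struct.unpack_from(">6H", data, r)
            if name_id in (1, 4):
                raw = data[off + str_off + n_off:][:n_len]
                enc = "latin-1" if plat == 1 else "utf-16-be"  # Mac records are single-byte
                names.add(raw.decode(enc, errors="replace").strip("\x00 ").lower())
    return names

def is_marker_font(data: bytes) -> bool:
    return any(MARKER in n for n in font_names(data))

def scan_fonts(directory: str) -> list:
    """Paths of .ttf/.otf files under `directory` whose embedded name matches MARKER."""
    hits = []
    for p in Path(directory).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".ttf", ".otf"):
            try:
                if is_marker_font(p.read_bytes()):
                    hits.append(str(p))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return hits
```

On Windows the directory to pass to `scan_fonts` is normally the system font folder, `C:\Windows\Fonts`.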

Joel Harding, a retired intelligence officer and information operations expert who has been following the investigation into Gauss, agrees, with the caveat that everything so far is speculation. Noting that the various modules in Gauss are all named for philosophers, he said, "It is the [Joseph-Louis] LaGrange module that is installing the Palida font onto the previously uninfected systems, allowing remote detection of an infected computer without compromising a probe."

Kevin McAleavey, cofounder and chief architect of the KNOS project and a veteran malware researcher, said the purpose of Palida Narrow might go beyond tracking visits. "It could be that the custom font may have special value to the character sets within which might not be 'printable characters' but useful nonetheless to whatever intent Gauss has," he said.

"But the missing piece here could very well be that although the current font being installed hasn't been found to be malicious, it could be a 'placeholder' in this code," McAleavey said. "Quite possibly this mysterious font install, which proves to be harmless, might have replaced the original payload in order to avoid disclosure of the original code that accompanied Gauss. That would certainly lead to the current outcome, in which the mysterious font has been found to be inert."

Chris Sanders, a senior security analyst at InGuardians, an information security consultancy, also said the "marker" theory is plausible. "Any time any type of purposeful malware is installed on a system, the attacker has to have a mechanism that allows him to ensure that the malware was installed, and that it was installed with the appropriate level of access to the system," he said, adding that Palida Narrow is "an eloquent solution for a malware author, as it doesn't require the installation of any additional browser components such as a JavaScript interpreter."

