Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Mysterious font left by malware befuddles

Taylor Armerding | Aug. 15, 2012
One thing's for sure, says expert: 'We have never seen a font installed by malware before.'

But his InGuardians colleague John Sawyer, also a senior security analyst, said it is misleading to say that the Palida Narrow font is a definitive infection marker for all Gauss-infected machines. "Kaspersky's own research paper shows the LaGrange module that installs the font was configured on only three of approximately 1,700 infections that they analyzed," he said.

There is general consensus that it is unusual. "The installation of the Palida font is unique, it's a first," said Harding. "This is a font that did not previously exist, it was customized for this tool. We have never seen a font installed by malware before."

And John Sawyer said that while including a marker of some type in malware is common, "the use of a font is particularly clever as it makes web-based detection incredibly easy."

Still, why would the Gauss creators mark it with a new font? Wouldn't that make it much easier to detect the presence of Gauss on a machine? Not necessarily, experts say.

Roger Thompson, chief emerging threats researcher at ICSA Labs, thinks Palida Narrow may have simply been a careless mistake. "I often joke that programmers, especially good ones, are likely to look for short cuts and time savers," he said.

"What this means is that when they write a program, they rarely start from scratch, but instead think to themselves, 'OK, I know I wrote some code like that once before,' and they copy and paste the old code into the new code. I think that time will show that Palida Narrow was simply accidentally left over from a previous project."

Others believe it was more purposeful than that, but say it won't necessarily make Gauss easier to detect. John Sawyer noted again that the LaGrange module was found on only a small number of infected machines.

And Joel Harding said while the font will definitely be a tipoff that Gauss is present, "the beauty of this technique is that it has never been used before."

"Before 9/11, few in the world considered a commercial airplane as a possible weapon. Now we will start considering a font, and hopefully other items possibly detected by network management tools, as possible indicators of an infection," Harding said.

Harding said he suspects that by the time Gauss is decrypted and fully understood, its creators will be using something else. "Don't forget that Stuxnet used four brand new zero day exploits and Gauss is using techniques that never previously existed," he said. "This design team not only is comfortable operating outside the box, they excel in it. Now the challenge is to continue developing new tools by thinking further outside the box."



Previous Page  1  2 

Sign up for CIO Asia eNewsletters.