
So does this mean that if you're a high profile target, you should immediately add a random folder to all of your computers in the program files directory?


No, it means if you are running a specific program which unlocks the code you are going to have a bad time (I suppose you could rename all of your program directories though... would that defeat this?)


The full implications of this code are that the attacker already has another channel to access your machine.

It's not much consolation that you now know that you're being targeted by the Program Files entries (they're a major pain to rename). It's likely there are one or more plants inside your operation and they have physical access to the machine, which is considered game over.


oh, this is the modern version of a microdot

Release Gauss into the wild, have your agent in the Fordu nuclear plant be sure he has Gauss on his machine, and then just get him to name the jpgs or text files he wants sent back to the CIA as 'special.jpg' - Gauss nabs them, sends them back through the network of Gauss-infected machines, and hey presto - deniable, encrypted, distributed dead drops.

Wow. Clever. Thank you.


Clever. The font makes it possible for the agent to verify he is on a Gauss machine by visiting seemingly innocuous websites which have code to detect whether the font exists, and then inform him by outputting special text only he knows about. He could receive messages that way too. Once he knows it's a Gauss machine, he can drop his specially named files and they are delivered.


Is the idea that gauss would act like a secret file katamari, rolling around collecting data while it spreads, and being harvested when it "infects" a creator controlled machine? It would seem like any direct data transmission would be detectable and investigated with extreme prejudice.


I am only speculating, but we know a few things:

1. It's part of a wider ecosystem of collecting / infecting / attacking "framework". It seems that attacking uranium enrichment was just a "plug-in".

2. They have designed for multiple infection vectors. Now if it can get in, it can also get out. I would not be surprised if the family of malware here is also able to hook into outlook.exe, and even piggyback on IE connections. There is no particular reason why a payload cannot be steganographically put into every photo uploaded to Iran's Facebook. Which may not be entirely secure of course :-)

The possibilities when you have the money and time are incredible.

So, no, something as silly as transmitting over UDP from the agent's laptop back to www.cia.gov is unlikely, but these things will just keep pushing data around and around till it gets either home, or to a target.

Sadly, much of the code is out in the open. And is surely being pulled apart by other nation-states and the mafia.

Fun times ahead.


Getting a certain filename onto your computer doesn't sound like a hard problem. Just send them a mail with an attachment of "398rgf90rej243rf.htm" that their email client helpfully extracts for them, or have a file with that name in their web cache when they browse the internet.


Why would you need to trick someone into saving a file with a particular name? You already have malware running on their machine!

Seems much more likely that the check is there to confirm that the payload only runs on specific targets. And, perhaps more importantly, to make recovery and dissection of the payload very difficult for someone without access to the target(s).


If you are a virus and you are too obvious, you are quickly found and eliminated by the "immune" system. So it is important to stay low on hosts where there is no benefit in attacking, only using them as vectors of infection, and only go into full-blown activation mode when some specific trigger is found.


I was thinking that this program is the bomb, but it's waiting for a trigger. Having a file with a certain name appear on the machine would be that trigger.


Well, Gauss requires a file in %PROGRAMFILES% which is considerably more difficult to plant.


I would guess it shouldn't be planted; it is expecting it to be there. Chances are that is an Arabic name for some program from Siemens or something like that. Or the name of the program a rich bank client used to connect to a Swiss bank or something of that sort.

The key of course is to lie low and undetected until that trigger fires; otherwise, anti-virus companies will blow the whistle.


From a commenter:

"2. Append the pair with the second hard-coded 16-byte salt and bytes 0x15, 0x00" and assuming point 2 of my message above:

This gives a fingerprint of all actually used programs. This fingerprint should be specific in the range of 1 to 10^(-7).

If so specific, it limits the scope to preconfigured systems, which are NOT run under user control.

Might it be that those targets are embedded systems like ATMs, mobile base stations and again SCADA systems?

Supposedly an administrator could send an update that inserts random files in program files to foil the system identification method, but given that the attacker has such detailed information about the target systems, this seems like a temporary measure at best.

Edit: It looks like the code is only looking for a specific filename. In that case, the only way to thwart this is to rename that file (and fix any issues that this would cause).
