Unable to Crack Computer Virus, Security Firm Seeks Help

Five days after a computer security firm disclosed the discovery of Gauss, a computer virus targeting computers in Lebanon, the firm issued a cry for help.

Among Gauss’s most puzzling components is an encrypted “warhead” that watches for a specific computer system with no Internet connection and installs itself only if it finds that configuration. The warhead has baffled security researchers at Kaspersky Lab, who first discovered the virus in June and have been unsuccessfully trying to crack its encryption code since.

“Despite our best efforts, we were unable to break the encryption,” Kaspersky researchers wrote in a blog post Tuesday. “So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology, numerology and mathematics to join us in solving the mystery and extracting the hidden payload.”

Until they crack the encryption, it is difficult to say precisely what Gauss is after. Clues point to a sophisticated computer virus that may have been developed by the same nation state, or group of nation states, that developed Flame, the computer virus that was spying on computers in Iran as recently as last May, and possibly Stuxnet, the virus that disrupted uranium enrichment work in Iran in 2010.

To date, Kaspersky’s researchers have detected Gauss on 2,500 computers, most in Lebanon. Its purpose appears to be to acquire log-ins for e-mail and instant messaging accounts, social networks and, notably, accounts at some of Lebanon’s largest banks — the Bank of Beirut, Blom Bank, Byblos Bank and Credit Libanais — along with Citibank and the online payment system PayPal.

But the warhead, which has been wrapped in several layers of encryption, suggests the attackers may be after something larger. “All the precautions used by the authors indicate that the target is indeed high-profile,” the researchers wrote in their blog post.

The researchers say Gauss’s warhead is large enough to contain a “Stuxnet-like” function. The New York Times reported in June that Stuxnet was jointly designed by the United States and Israel to search for the industrial control system that powered Iran’s uranium enrichment project, and was ultimately used to spin Iran’s centrifuges out of control.

If researchers are correct in assuming that Gauss is state-sponsored, it would be the first time such a virus had been found to include financial targets. Stuxnet, Flame and Duqu, another computer virus discovered in Iran, all appear to have been designed to spy on that country’s nuclear program.

Lebanon experts said previously that an American espionage campaign directed at Lebanese banks would make sense given United States concerns that Lebanon’s banks have been used to back the Syrian government and Hezbollah, the Lebanese militant group and political party. Last year, the United States Treasury identified a Lebanese bank, Beirut-based Lebanese Canadian Bank SAL, as a primary money-laundering facility for Hezbollah and Lebanese drug traffickers.