13 August 2012, 14:30

Font installed with Gauss trojan raises questions

Image caption: The font properties of Palida Narrow; Gauss's dark passenger or just a marker?
The banking trojan "Gauss" has been known about for nearly a year, and on Thursday security researchers at Kaspersky Lab released detailed information to the public. They found the malware while searching for close relatives of the 20MB trojan "Flame" and found that Gauss is strongly similar to it in structure.

Gauss seems to have been much more widespread than Flame, at least until the originators turned off the control server. Researchers know of 700 targeted Flame infections; 2500 Gauss infections have been found on machines that have Kaspersky installed, suggesting that tens of thousands of PCs were infected.

It is still unknown how Gauss got onto the infected computers. It is, however, known that the trojan can be spread on USB sticks and deletes itself after thirty infections. On infected computers, a previously unknown font, "Palida Narrow", was found.

Typographers usually call fonts "Narrow" when they are thin with a reduced width compared to a regular font, but in this case "Palida Narrow" is a serif font with a normal width. The font itself says that it was produced by Microsoft and resembles Microsoft's Lucida Bright; Costin Raiu from Kaspersky Lab shows the font properties as his Twitter stream backdrop.

Flame is known to have been used by US and Israeli intelligence agencies. Since, according to Kaspersky Lab, Flame and Gauss share code, it seems likely that they also share the same authors. The authors of Flame are also responsible for Duqu, a trojan that entered the computer through a vulnerability in font rendering.

Some speculate that a sequence of characters in Palida Narrow could cause the font kerning to execute malicious charcodes. Kaspersky has checked the font for such malicious code and found nothing: "But of course, anything is possible".

Others assume that the developers of the trojan are using Palida Narrow as a marker for the presence of the malware – a web site can, when correctly programmed, establish whether a particular font is installed. The Cryptography Laboratory at the Technical University of Budapest has created such a page to test for Palida.
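A local counterpart to the web test, added here as an example and not taken from Kaspersky or the Budapest lab: it reads the `name` table of a TrueType file and reports the family and manufacturer strings, the same properties a font dialog shows, so a fonts directory can be checked for the marker. The function names and the sample bytes are constructed for illustration, and it assumes a single-font file with Windows (UTF-16) name records rather than a font collection.

```python
import struct

# OpenType name IDs for the properties shown in a font's property dialog.
NAME_IDS = {1: "family", 4: "full_name", 8: "manufacturer"}

def font_names(data: bytes) -> dict:
    """Return selected Windows (platform 3) name records of a TrueType file."""
    num_tables = struct.unpack_from(">H", data, 4)[0]
    for i in range(num_tables):
        tag, _sum, off, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        if tag == b"name":
            break
    else:
        raise ValueError("no name table")
    if off + length > len(data):
        raise ValueError("name table runs past end of file")
    _fmt, count, str_off = struct.unpack_from(">HHH", data, off)
    found = {}
    for i in range(count):
        plat, _enc, _lang, nid, nlen, noff = struct.unpack_from(
            ">6H", data, off + 6 + 12 * i)
        start = off + str_off + noff
        if plat == 3 and nid in NAME_IDS and start + nlen <= off + length:
            text = data[start:start + nlen].decode("utf-16-be", "replace")
            found.setdefault(NAME_IDS[nid], text)
    return found

def is_marker(data: bytes, family: str = "Palida Narrow") -> bool:
    """True when the family or full name equals the marker font's name."""
    names = font_names(data)
    wanted = family.lower()
    return wanted in (names.get("family", "").lower(),
                      names.get("full_name", "").lower())

def build_sample(records: dict) -> bytes:
    """Constructed input: a font file that holds nothing but a name table."""
    blob, recs = b"", b""
    for nid, text in sorted(records.items()):
        raw = text.encode("utf-16-be")
        recs += struct.pack(">6H", 3, 1, 0x409, nid, len(raw), len(blob))
        blob += raw
    table = struct.pack(">HHH", 0, len(records), 6 + len(recs)) + recs + blob
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    return header + struct.pack(">4sIII", b"name", 0, 28, len(table)) + table

# Constructed sample; the manufacturer string is illustrative, not from a real file.
SAMPLE = build_sample({1: "Palida Narrow", 8: "Microsoft Corporation"})
```

The manufacturer record is whatever the file's author wrote into it, which is why a font can claim Microsoft as its producer without that being verified anywhere.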

A more accurate interpretation of the font's real purpose will probably only come when researchers decipher the real core of Gauss: its payload. Only this can reveal the deeper meanings behind the trojan. It may shed light on why Stuxnet, Flame, Duqu and Gauss were used in very controlled environments – which is why it took a while for them to be detected by anti-virus programs.


