
Palida Narrow vs. Lucida Bright

It seems Gauss samples have already started to float around, so some more information on Palida should not come as a surprise anymore.

Palida Narrow header info:

'head' Table - Font Header

Size = 54 bytes (expecting 54 bytes)
'head' version: 1.0
fontRevision: 1.1
checkSumAdjustment: 0xC5C64B82
magicNumber: 0x5F0F3CF5
flags: 0x001B- baseline(y)=0 - lsb(x)=0 - int ppem - nonlin aw
unitsPerEm: 2048
created: Fri Jan 28 21:48:24 2000
modified: Mon Dec 19 05:37:00 2011
xMin: -579
yMin: -804
xMax: 2298
yMax: 2033
macStyle bits: 0x0000
lowestRecPPEM: 12
fontDirectionHint: 1
indexToLocFormat: 0
glyphDataFormat: 0

Lucida Bright Regular header info:

'head' Table - Font Header

Size = 54 bytes (expecting 54 bytes)
'head' version: 1.0
fontRevision: 1.1
checkSumAdjustment: 0x8A94C916
magicNumber: 0x5F0F3CF5
flags: 0x001B- baseline(y)=0 - lsb(x)=0 - int ppem - nonlin aw
unitsPerEm: 2048
created: Fri Jan 28 19:13:11 2000
modified: Tue Mar 13 23:02:32 2001
xMin: -550
yMin: -1530
xMax: 3314
yMax: 2419
macStyle bits: 0x0000
lowestRecPPEM: 12
fontDirectionHint: 1
indexToLocFormat: 1
glyphDataFormat: 0

You can see the similarity in the creation dates.
The interesting thing is that Palida has 457 glyphs:

'maxp' Table - Maximum Profile

Size = 32 bytes (expecting 32 bytes)
'maxp' version: 1.0
numGlyphs: 457

among which some of the special characters are unusual:

Glyf 440 -> PSGlyf Name # 192, name= 'dcaron1'
Glyf 441 -> PSGlyf Name # 193, name= 'Gcedilla1'
Glyf 442 -> PSGlyf Name # 194, name= 'gcedilla1'
Glyf 443 -> PSGlyf Name # 195, name= 'Kcedilla1'
Glyf 444 -> PSGlyf Name # 196, name= 'kcedilla1'
Glyf 445 -> PSGlyf Name # 197, name= 'Lcedilla1'
Glyf 446 -> PSGlyf Name # 198, name= 'lcedilla1'
Glyf 447 -> PSGlyf Name # 199, name= 'Lcaron1'
Glyf 448 -> PSGlyf Name # 200, name= 'lcaron1'
Glyf 449 -> PSGlyf Name # 201, name= 'Ncedilla1'
Glyf 450 -> PSGlyf Name # 202, name= 'ncedilla1'
Glyf 451 -> PSGlyf Name # 203, name= 'Rcedilla1'
Glyf 452 -> PSGlyf Name # 204, name= 'rcedilla1'

Or the fact that physics and math are so important that the first glyphs are micro and Ohm:


-------------------------
PSGlyf Name # 1: micro
PSGlyf Name # 2: Ohm
PSGlyf Name # 3: increment
PSGlyf Name # 4: bulletmath
PSGlyf Name # 5: overscore
PSGlyf Name # 6: dmacron

One of the interesting glyphs is U+0104, also called Aogonek. First of all, it exists mostly in CE (Central European) fonts; second, it is a bit different from the Lucida samples we checked. Check it yourself, too!
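If you want to pull the same 'head' and 'maxp' fields out of a font file yourself, the following added example (our own illustration, not the tool that produced the dumps above) walks the sfnt table directory with the standard library only. The build_font helper constructs a minimal two-table container for testing, filled with the Palida Narrow values from the dump; a real .ttf read from disk can be passed to head_info and num_glyphs the same way.

```python
import struct
from datetime import datetime, timedelta, timezone
# LONGDATETIME fields in 'head' count seconds since 1904-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)

def find_table(data, tag):
    """Walk the sfnt table directory and return (offset, length) of a table."""
    num_tables = struct.unpack_from(">H", data, 4)[0]
    for i in range(num_tables):
        t, _csum, off, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        if t == tag:
            return off, length
    raise KeyError(tag)

def head_info(data):
    """Extract the 'head' fields compared in the dumps; rejects a wrong magic number."""
    off, length = find_table(data, b"head")
    if length != 54: raise ValueError("unexpected 'head' length %d" % length)
    (_ver, _rev, _adj, magic, _flags, upem, created, modified,
     xmin, ymin, xmax, ymax) = struct.unpack_from(">IIIIHHqqhhhh", data, off)
    if magic != 0x5F0F3CF5: raise ValueError("bad 'head' magic 0x%08X" % magic)
    return {"unitsPerEm": upem,
            "created": MAC_EPOCH + timedelta(seconds=created),
            "modified": MAC_EPOCH + timedelta(seconds=modified),
            "bbox": (xmin, ymin, xmax, ymax)}

def num_glyphs(data):
    """numGlyphs from 'maxp' (uint16 right after the 4-byte version)."""
    off, _ = find_table(data, b"maxp")
    return struct.unpack_from(">H", data, off + 4)[0]

def build_font(created, modified, nglyphs, bbox):
    """Constructed minimal sfnt with only 'head' and 'maxp' (test input, not a real font)."""
    mac = lambda d: int((d - MAC_EPOCH).total_seconds())
    head = struct.pack(">IIIIHHqqhhhhHHhhh", 0x00010000, 0x00010000, 0, 0x5F0F3CF5,
                       0x001B, 2048, mac(created), mac(modified), *bbox, 0, 12, 1, 0, 0)
    maxp = struct.pack(">IH", 0x00010000, nglyphs) + bytes(26)   # 32 bytes in total
    tables = [(b"head", head), (b"maxp", maxp)]
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 32, 1, 0)
    directory, body = b"", b""
    for tag, blob in tables:
        offset = 12 + 16 * len(tables) + len(body)
        directory += struct.pack(">4sIII", tag, 0, offset, len(blob))
        body += blob + bytes((-len(blob)) % 4)          # tables are 4-byte aligned
    return header + directory + body

# Sample container filled with the Palida Narrow values from the dump above.
PALIDA = build_font(datetime(2000, 1, 28, 21, 48, 24, tzinfo=timezone.utc),
                    datetime(2011, 12, 19, 5, 37, 0, tzinfo=timezone.utc),
                    457, (-579, -804, 2298, 2033))
```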


On the Palida Narrow mystery of Gauss malware, and possible remote detection

As you all know, Kaspersky Lab has just published a detailed tech report on the latest state-sponsored targeted threat, named Gauss.

So the story of Stuxnet, Duqu (found and named by us, CrySyS Lab), Flame (yes, we had a detailed tech report on that, but we called it sKyWIper) has not stopped here, and as many have said, we currently see only the tip of the iceberg.

So the big mystery of Gauss is why Palida Narrow, a modified font with a fake copyright notice, is installed on victim computers. It seems that no exploit, shellcode or nasty payload is inside. Most likely… Then why? Does Gauss depend on Palida Narrow? Most likely not.

One possibility is that other components use Palida for some reason, e.g. playing tricks with some characters on web pages to hide alerts, or similar operations whose purpose is not really clear.

A very far-fetched idea is that Gauss uses the font for printed material. It would trick some parts of the system into substituting fonts with Palida, so that any printout would contain Palida. Later, printed documents could be identified by looking at the tiny peculiarities of the font.

A third, and more probable, idea is that the Palida installation can in fact be detected remotely by web servers; thus the Palida installation is a marker that identifies infected computers visiting specially crafted web pages. We tell you how.

When you open a web page, it can contain a link to a CSS style sheet that tells your browser how the text blocks on the page should look. This style sheet can include references to the font faces to be used. A font face definition can refer to a local font and also to a URL (with some limitations) from which the browser fetches the font face if it is not installed on your system.

Let’s consider the following part of the CSS file:

@font-face {
    font-family: "Palida";
    src: local("Palida Narrow"),
         url("palida.ttf");
}

This definition tells your browser to use the locally installed Palida Narrow font if available; if not, to call back to the web server and download a copy.

This standard browser behavior makes it possible to enumerate the fonts installed on your system, and in particular to pinpoint whether Palida Narrow is installed.

In this case, if Palida is installed, your browser will simply use it for rendering the web page. If not, and only then, it will try to download palida.ttf. So if the web server sees no download of palida.ttf, then Palida is installed on the system.

However, there is a problem: what if palida.ttf was not downloaded because you have turned off the lookup of remote fonts in your browser, or you use some special browser? Here is a solution: let's specify and use a font that surely does not exist, like Crysysida:

@font-face {
    font-family: "Crysysida";
    src: url("Crysysida.ttf");
}

  • If we have downloads for both Palida and Crysysida, then everything works great, and Palida is not installed
  • If we only see download for Crysysida, then Palida is installed on the system
  • Finally, if we see no downloads, then probably the user uses lynx or telnet to browse our webpage, or there are other circumstances that prevent the download of remote fonts.
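The server side of this check is just a correlation over the access log. The following added example (our own illustration, not the code behind the test site) applies the three cases above to constructed Apache-style log lines; the check page name /check.html is an assumption, while palida.ttf and Crysysida.ttf are the file names used in the CSS above.

```python
import re
from collections import defaultdict

# Paths from the CSS above; the name of the check page itself is an assumption.
CHECK_PAGE = "/check.html"
PALIDA_URL = "/palida.ttf"          # requested only when Palida Narrow is NOT installed
CONTROL_URL = "/Crysysida.ttf"      # never installed, so requested whenever remote fonts work

# Apache "common log format": client, identity, user, [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample access-log lines (not real traffic): 10.0.0.1 fetches the control font
# only, 10.0.0.2 fetches both fonts, 10.0.0.3 fetches neither, 10.0.0.4 never loads the page.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Aug/2012:10:00:01 +0200] "GET /check.html HTTP/1.1" 200 512
10.0.0.1 - - [10/Aug/2012:10:00:02 +0200] "GET /Crysysida.ttf HTTP/1.1" 404 0
10.0.0.2 - - [10/Aug/2012:10:00:05 +0200] "GET /check.html HTTP/1.1" 200 512
10.0.0.2 - - [10/Aug/2012:10:00:06 +0200] "GET /Crysysida.ttf HTTP/1.1" 404 0
10.0.0.2 - - [10/Aug/2012:10:00:06 +0200] "GET /palida.ttf HTTP/1.1" 404 0
10.0.0.3 - - [10/Aug/2012:10:00:09 +0200] "GET /check.html HTTP/1.1" 200 512
10.0.0.4 - - [10/Aug/2012:10:00:12 +0200] "GET /robots.txt HTTP/1.1" 200 30
"""

def requests_by_client(log_text):
    """Map each client address to the set of paths it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group("ip")].add(m.group("path"))
    return seen

def classify(paths):
    """Apply the three cases from the post to one client's set of requested paths."""
    if CHECK_PAGE not in paths:
        return "no-visit"                 # never loaded the check page; nothing to conclude
    got_control = CONTROL_URL in paths
    got_palida = PALIDA_URL in paths
    if got_control and got_palida:
        return "clean"                    # both fonts fetched: Palida Narrow is not installed
    if got_control and not got_palida:
        return "palida-installed"         # only the control font fetched: Palida is local
    return "inconclusive"                 # no remote fonts fetched (text browser, fonts off, ...)

def classify_log(log_text):
    return {ip: classify(paths) for ip, paths in requests_by_client(log_text).items()}

if __name__ == "__main__":
    for ip, verdict in sorted(classify_log(SAMPLE_LOG).items()):
        print(ip, verdict)
```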

What we detailed here is not only a possible reason for Palida having been installed on infected systems, but also a detection method for infected computers. In fact, we created a detection site for the Gauss malware that identifies Palida installations remotely. The small test site is available at http://gauss.crysys.hu

Of course, the method is not bullet-proof, but it is an easy alternative check for those who cannot find the Fonts menu in the Windows Control Panel.

Final note:
CrySyS Lab currently thinks that Palida is actually a slightly modified Lucida Bright Narrow Demi Bold CE font, most likely from Bigelow and Holmes, made back in 2000, although we do not have such a sample.