Posted on Leave a comment

On the Palida Narrow mystery of Gauss malware, and possible remote detection

As you all know, Kaspersky Lab has just published a detailed tech report of the latest state-sponsored targeted threat named Gauss.

So the story of Stuxnet, Duqu (found and named by us, CrySyS Lab ), Flame (yes, we had a detailed tech report on that, but we called it sKyWIper ) has not stopped here, and as many said, we currently see only the tip of the iceberg.

So the big mystery of Gauss is why Palida Narrow, a modified font with fake copyright notice is installed on victim computers. It seems that no exploit, shellcode or nasty payload are inside. Most likely… Then why? Do they depend on Palida Narrow? Most likely not.

One possibility is that there are other components using Palida for some reasons. E.g., tricking with some characters on web pages to hide alerts, or similar, not really clear operations.

A very far-fetched idea is that Gauss uses the font for printed material. It actually tricks some parts of the system to substitute fonts with Palida, so any prints will contain Palida. Later, printed documents could be identified by looking on the tiny specialities of the font.

A third, and more probable idea is that Palida installation can be in fact detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages. We tell you how.

If you open a web page, it can contain a CSS style sheet link, that actually tells your browser how the text blocks should look like on the web page. This style sheet can in fact include references to font faces to be used. The font face definition can refer to a local font and a URL also (with some limitations) in order to get the necessary font face if it is not installed on your system.

Let’s consider the following part of the CSS file:


@font-face {
font-family: "Palida";
src: local("Palida Narrow"),
url("palida.ttf");
}

This definition tells your browser to use Palida Narrow local font if available, if not, call back the webpage to download a copy.

This standard behavior of the browsers makes it possible to enumerate all the fonts that are installed in your system, but particularly to pinpoint if Palida Narrow is installed.

Considering this case, if the Palida is installed, your browser will simply use it for rendering the web page. If not, and only in that case, it will try to download palida.ttf. If there is no palida.ttf download on the web page, then you have Palida installed on the system.

However, there is a problem: what if palida.ttf was not downloaded as you have turned off the look up of remote fonts in your browser, or you use some special browser. Here is a solution: Let’s specify and use a surely non-existing font, like Crysysida:


@font-face {
font-family: "Crysysida";
src:
url("Crysysida.ttf");
}

  • If we have downloads for both Palida and Crysysida, then everything works great, and Palida is not installed
  • If we only see download for Crysysida, then Palida is installed on the system
  • Finally, if we see no downloads, then probably the user uses lynx or telnet to browse our webpage, or there are other circumstances that prevent the download of remote fonts.

What we detailed here is not only a possible reason of Palida having been installed on infected systems, but also a detection method for infected computers. Actually, we created a detection site of the Gauss malware by identifying Palida installations remotely. The small test site is available at http://gauss.crysys.hu

Of course the method is not bullet-proof, but an easy alternative check for those, who cannot find the fonts menu in the windows control panel.

Final note:
CrySyS Lab currently thinks, that Palida is actually a slightly modified Lucida Bright Narrow Demi Bold CE font, most likely from Bigelow and Holmes, made back in 2000, although we do not have such a sample.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

What is 8 + 7 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)