Security

Mysterious Font Left by Malware Befuddles

The most famous -- and mysterious -- font (yes, we're talking typeface) in the information security world right now is Palida Narrow.

Palida Narrow is a new font that the recently discovered Gauss malware installs on machines it infects. And as Dennis Fisher, writing on Kaspersky Lab's Threatpost blog, noted late last week, "Researchers have been unable to figure out yet what the purpose of the font is, but ... its presence on a PC is a good indicator of a Gauss infection."

So far there are only theories about its purpose. The most popular is that it is a brand mark for the command and control servers. But those have been offline since last month.

CrySys Lab, which along with Kaspersky has released a Gauss detection tool, says the theory is that "Palida installation can be in fact detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages."

Joel Harding, a retired intelligence officer and information operation expert who has been following the investigation into Gauss, agrees, with the caveat that everything so far is speculation. Noting that the various modules in Gauss are all named for philosophers, he said, "It is the [Joseph-Louis] LaGrange module that is installing the Palida font onto the previously uninfected systems, allowing remote detection of an infected computer without compromising a probe."

[See also: While origin unclear, Gauss indicates malware tool boom]

Kevin McAleavey, cofounder and chief architect of the KNOS project and a veteran malware researcher, said the purpose of Palida Narrow might go beyond tracking visits. "It could be that the custom font may have special value to the character sets within which might not be 'printable characters' but useful nonetheless to whatever intent Gauss has," he said.

"But the missing piece here could very well be that although the current font being installed hasn't been found to be malicious, it could be a 'placeholder' in this code," McAleavey said. "Quite possibly this mysterious font install, which proves to be harmless, might have replaced the original payload in order to avoid disclosure of the original code that accompanied Gauss. That would certainly lead to the current outcome, in which the mysterious font has been found to be inert."

Chris Sanders, a senior security analyst at InGuardians, an information security consultancy, also said the "marker" theory is plausible. "Any time any type of purposeful malware is installed on a system, the attacker has to have a mechanism that allows him to ensure that the malware was installed, and that it was installed with the appropriate level of access to the system," he said, adding that Palida Narrow is "an eloquent solution for a malware author, as it doesn't require the installation of any additional browser components such as a JavaScript interpreter."

But his InGuardians colleague John Sawyer, also a senior security analyst, said it is misleading to say that the Palida Narrow font is a definitive infection marker for all Gauss-infected machines. "Kaspersky's own research paper shows the LaGrange module that installs the font was configured on only three of approximately 1,700 infections that they analyzed," he said.

There is general consensus that it is unusual. "The installation of the Palida font is unique, it's a first," said Harding. "This is a font that did not previously exist, it was customized for this tool. We have never seen a font installed by malware before."

And John Sawyer said that while including a marker of some type in malware is common, "the use of a font is particularly clever as it makes web-based detection incredibly easy."

Still, why would the Gauss creators mark it with a new font? Wouldn't that make it much easier to detect the presence of Gauss on a machine? Not necessarily, experts say.

Roger Thompson, chief emerging threats researcher at ICSA Labs, thinks Palida Narrow may have simply been a careless mistake. "I often joke that programmers, especially good ones, are likely to look for short cuts and time savers," he said.

"What this means is that when they write a program, they rarely start from scratch, but instead think to themselves, 'OK, I know I wrote some code like that once before,' and they copy and paste the old code into the new code. I think that time will show that Palida Narrow was simply accidentally left over from a previous project."

Others believe it was more purposeful than that, but say it won't necessarily make Gauss easier to detect. John Sawyer noted again that the LaGrange module was found on only a small number of infected machines.

And Joel Harding said while the font will definitely be a tipoff that Gauss is present, "the beauty of this technique is that it has never been used before."

"Before 9/11, few in the world considered a commercial airplane as a possible weapon. Now we will start considering a font, and hopefully other items possibly detected by network management tools, as possible indicators of an infection," Harding said.

Harding said he suspects that by the time Gauss is decrypted and fully understood, its creators will be using something else. "Don't forget that Stuxnet used four brand new zero day exploits and Gauss is using techniques that never previously existed," he said. "This design team not only is comfortable operating outside the box, they excel in it. Now the challenge is to continue developing new tools by thinking further outside the box."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Subscribe to the Security Watch Newsletter

Comments