Gauss developers implemented this advanced concept using a surprisingly unsophisticated set of tools. That set includes the relatively archaic RC4 cipher to encrypt three sections of the Gödel module and the cryptographically weak MD5 algorithm to generate the key. Gauss developers likely chose the outdated design because it worked reliably across a broad range of Windows computers thanks to the Microsoft CryptoAPI. Keys unlocking the Gödel payload are generated dynamically based on the settings of one or more computers that were specifically targeted by the attackers. Only the machine or machines containing a specific set of programs and directories will generate the key. To confound people trying to crack the code—and to considerably slow the speed at which they work—Gauss MD5 hashes the configuration data 10,000 times and uses the final output as the key that unlocks the encrypted code.

Specifically, Gauss enumerates the first entry of an infected computer's path environment, which specifies the Windows directories where executable files can be called without specifying their precise location. Gauss then combines that PATH location with the name of the first directory found in the infected computer's Windows Program Files folder. It takes this string and appends a 16-byte hard-coded cryptographic salt value to it and then hashes the new string 10,000 times. It compares the final hash against a hard-coded verification block. If the hash doesn't pass the verification check, Gauss starts the process all over again, this time appending the second entry of the path to the first Program Files folder. The process is repeated until each entry in the path has been appended to each entry in the Program Files.

If a hash value passes the verification check, Gauss has located the mysterious PATH and program file that the Gödel module was programmed to find. It then takes that string, appends a new salt value to it, and hashes it 10,000 times. The resulting hash is the RC4 key used to decrypt one of the three encrypted Gödel sections. If the decrypted block passes an additional verification check, Gauss takes the same path and program files string, then appends a different hard-coded salt to decrypt sections two and three.

Researchers believe the routine was put in place to attack a computer or computers with a specific program installed. One of the checks Gauss performs ensures that the first letter or symbol of the targeted Program Files directory is a special character such as a tilde (~), bracket ({), or comes from Arabic, Hebrew, or another language with an extended character set. Given the detailed logic built into Gödel, it's fair to assume the attackers had cased their intended target for months or years, using another module in Gauss or other espionage trojans altogether.
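The verification loop described above, seen from the side of an analyst testing candidate configurations, as an added example that is not code from Gauss, Kaspersky, or GaussCrack. The salts, the UTF-16LE encoding, the way digests are chained between rounds, the exact form of the first-character filter, and the sample directory names are all assumptions or constructed values.

```python
import hashlib
from itertools import product

ROUNDS = 10_000                     # iteration count stated in the article
VERIFY_SALT = bytes(range(16))      # constructed 16-byte salt, not Gauss's value
KEY_SALT = bytes(range(16, 32))     # constructed second salt, not Gauss's value


def stretch(material: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Assumed chaining: MD5(material + salt), then MD5 over each prior digest."""
    digest = hashlib.md5(material + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest).digest()
    return digest


def encode(path_entry: str, program_dir: str) -> bytes:
    """Assumption: plain concatenation, encoded as a Windows wide string."""
    return (path_entry + program_dir).encode("utf-16-le")


def starts_special(name: str) -> bool:
    """Assumed form of the article's filter: first character sorts above 'z',
    which covers '{', '~' and any Arabic or Hebrew letter."""
    return bool(name) and name[0] > "z"


def recover(path_entries, program_dirs, verification: bytes):
    """Pair every PATH entry with every Program Files name; on a match with the
    verification value, derive the section key from the same string."""
    for prog, entry in product(program_dirs, path_entries):
        if not starts_special(prog):
            continue                # skipped without paying for 10,000 hashes
        material = encode(entry, prog)
        if stretch(material, VERIFY_SALT) == verification:
            return entry, prog, stretch(material, KEY_SALT)
    return None


# Constructed sample environment and verification value.
PATH_ENTRIES = [r"C:\Windows\system32", r"C:\Windows", r"C:\Tools\bin"]
PROGRAM_DIRS = ["Common Files", "~Sample App", "Internet Explorer"]
TARGET = stretch(encode(r"C:\Tools\bin", "~Sample App"), VERIFY_SALT)

if __name__ == "__main__":
    entry, prog, key = recover(PATH_ENTRIES, PROGRAM_DIRS, TARGET)
    print(f"match: {entry!r} + {prog!r}; derived 16-byte key {key.hex()}")
```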

Literally take forever

The use of real Windows configuration variables poses some unusual challenges for cryptographers trying to crack the payload. While the number of possible inputs, for instance, could theoretically be 2^1000 or higher, the actual number is almost certainly far lower since real-world path strings are almost always in human-readable form. (While a password may randomly be generated, path strings typically follow conventions such as "C:\Program Files\Common Files\Microsoft Shared\Windows Live.") Then again, the strings still have the ability to incorporate unique names or even randomly generated values few eyes have ever seen before. The likelihood that the sought-after Program Files folder contains characters from a different language could pose its own obstacles and benefits. While it narrows the possible choices, it may also require crackers to incorporate alphabets bigger than those that include standard English characters.

"Password cracking becomes more difficult as the input space grows," Karsten Nohl, a cryptographer with Security Research Labs, told Ars. "The input space for the Gauss unlock password is all names of Windows programs in certain languages, which should be a relatively small space compared to the billions of combinations a password cracker typically tries. However, nobody has a complete list of Windows programs."

He continued: "To find the Gauss unlock password, good heuristics are needed that guess Windows program names. Simply brute-forcing the space from 'אאא...' to 'תתת...' is not an option as it would literally take forever."

So far, Kaspersky researchers have tried millions of combinations to no avail. In December, they redoubled their efforts by recruiting the creator of the Hashcat password recovery program. That resulted in ocl-GaussCrack, an open-source application that streamlines the cracking of the Gödel module and harnesses the speed of graphics cards to accelerate the process. Typically, GPU crackers can try billions of guesses per second against MD5-derived hashes, but thanks to the design of the encryption routine, GaussCrack can achieve just 489,000 candidate passcodes each second. Placing yet another burden on crackers, the Gauss architects iterated the hash 10,000 times, a technique often referred to as key stretching.

Just as the amassing of hundreds of millions of real-world passwords has fueled recent advances in password cracking, a comprehensive corpus of likely Windows configurations targeted by Gauss is the most likely way to solve the Gödel mystery. Jens Steube, the Hashcat and GaussCrack developer better known as Atom, said he still hasn't settled on the best method for compiling the data. One possibility is to tap into databases already assembled by antivirus companies or other vendors of software that collect the names of programs installed on hundreds of millions of computers. Another possibility, Kaspersky's Raiu said, is to seek help from the National Institute of Standards and Technology or a similar organization.

The encrypted payload in the Gödel module is by no means the only mystery surrounding Gauss. Researchers still don't know how the malware takes hold of target computers in the first place or how it spreads from one machine to another. They're also at a loss to explain why Gauss installs a custom font known as "Palida Narrow" and corresponding registry values on infected machines. Analysts have speculated that the font may be used to steganographically fingerprint the author of certain printed materials. Under alternate theories, Palida Narrow, which appears to contain valid Western, Baltic, and Turkish symbols, may provide a simple means for websites to identify infected machines, or even open a font-based vulnerability to exploit.

Also unexplained is the Round Robin DNS load balancing technique deployed by control servers used to ferry traffic to and from Gauss-infected machines. The setup suggests that the command servers handled massive amounts of traffic, and yet so far, Kaspersky researchers have been able to find just 2,500 computers infected by the malware. The effort Gauss architects expended setting up the load-balancing system indicates that the true number of affected machines could be in the tens of thousands.

Still, the biggest mystery connected to Gauss undoubtedly remains the encrypted payload tucked inside its Gödel module. Given the destruction malware creators brought about with Stuxnet, it wouldn't be a stretch if Gauss targeted additional enemy-operated PLCs or an entirely unseen class of equipment in the fledgling annals of computer warfare. The choice that Gödel be transmitted using USB drives suggests it was targeting "air-gapped" systems so sensitive they weren't connected to the Internet.

"It's one of the biggest mysteries of our times and this is a very cool challenge for any security researcher out there who cares about security," Raiu told Ars. "What could we find inside the Gauss payload? PLC code? Zero-days? Code to target unknown systems? Nobody knows for sure and it is probably the incertitude which makes it the most captivating mystery."

Thanks to Jeremi Gosney of Stricture Consulting Group, Hashcat developer Jens Steube, and Johns Hopkins University professor Matt Green for their assistance in reporting this story. Story updated to add "reportedly" in first paragraph.