Feeds

Middle Eastern Gauss malware could be state sponsored

Code linked to Flame and Stuxnet attacks

Seven Steps to Software Security

Security firms are investigating what looks to be another piece of state-sponsored malware, which has been targeting banks in the Middle East and distributing an unknown payload.

Dubbed Gauss by Kaspersky Labs, the malware first seemed to be a module of the highly sophisticated Flame virus but has now been recognized as a separate entity. It was first detected in September 2011 and over 2,500 infections have been found on Kaspersky's cloud network.

"Gauss was created by the same 'factory' which produced Flame. This indicates it is most likely a nation-state sponsored operation," Kaspersky's report on the malware states.

Gauss is designed to infect Windows systems and harvests browsing information and payment logins via PayPal, Citibank and a number of Lebanese operations such as the Bank of Beirut and Fransabank.

The infection pattern is curiously localized. The vast majority of infections are in Lebanon, with Israeli and Palestinian computers making up the bulk of other victims, plus a smattering of appearances in other Middle Eastern countries.

curiosity landing site

Gauss infections are curiously localized (click to enlarge)

It also has a separate encrypted payload in the malware which is installed on any USB drives put in a Gauss-infected machine. When the drive is used in an uninfected PC, the malware scans the new system's configuration for data such as its OS, network shares, proxy data, and URL history, and then matches that against a known configuration stored in the malware code. If there is no match then the malware deletes itself to avoid detection.

"The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload," said Kaspersky, after its experts were unable to break the encryption.

In all, the malware installs up to eight separate modules, depending on the machine it infects. These harvest CMOS and BIOS data, network interfaces, domains, and drives, in addition to installing plugins that monitor browser history and collect passwords. Other modules cover malware transmission and control, as well as installing other software whose purpose is, at present, unknown.

Kaspersky don't think that the purpose of Gauss is to steal cash, but rather to record and track individual computers and bank accounts. The theft angle would be incompatible with a nation-state attack, the company suggests, and it looks as though data collection was the motivation of its authors.

The Russian firm identified five command and control servers for Gauss, all running Debian Linux and listening on ports 22, 80, and 443 (as with Flame) but on July 13 they were taken offline. Purloined data was sent to seven domains and the load balancing systems used indicate high levels of traffic.

Kaspersky has now put out a signature file for Gauss and the boffins at Hungarian research lab CrySyS have come up with an online detection tool to find new infections. As part of its payload, Gauss installs a new font, Palida Narrow, and the tool checks to see if this is installed as an indicator of infection.

The nature of the malware, and its choice of targets, will stoke fears that Gauss is another manifestation of Project Olympic Games, the claimed US/Israeli project to militarize code. The use of such software was dubbed a "moral crime" at last month's Black Hat conference and has many in the industry worried about the security ramifications for businesses caught in the crossfire. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.