Feeds

Middle Eastern Gauss malware could be state sponsored

Code linked to Flame and Stuxnet attacks

Securing Web Applications Made Simple and Scalable

Security firms are investigating what looks to be another piece of state-sponsored malware, which has been targeting banks in the Middle East and distributing an unknown payload.

Dubbed Gauss by Kaspersky Labs, the malware first seemed to be a module of the highly sophisticated Flame virus but has now been recognized as a separate entity. It was first detected in September 2011 and over 2,500 infections have been found on Kaspersky's cloud network.

"Gauss was created by the same 'factory' which produced Flame. This indicates it is most likely a nation-state sponsored operation," Kaspersky's report on the malware states.

Gauss is designed to infect Windows systems and harvests browsing information and payment logins via PayPal, Citibank and a number of Lebanese operations such as the Bank of Beirut and Fransabank.

The infection pattern is curiously localized. The vast majority of infections are in Lebanon, with Israeli and Palestinian computers making up the bulk of other victims, plus a smattering of appearances in other Middle Eastern countries.

curiosity landing site

Gauss infections are curiously localized (click to enlarge)

It also has a separate encrypted payload in the malware which is installed on any USB drives put in a Gauss-infected machine. When the drive is used in an uninfected PC, the malware scans the new system's configuration for data such as its OS, network shares, proxy data, and URL history, and then matches that against a known configuration stored in the malware code. If there is no match then the malware deletes itself to avoid detection.

"The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload," said Kaspersky, after its experts were unable to break the encryption.

In all, the malware installs up to eight separate modules, depending on the machine it infects. These harvest CMOS and BIOS data, network interfaces, domains, and drives, in addition to installing plugins that monitor browser history and collect passwords. Other modules cover malware transmission and control, as well as installing other software whose purpose is, at present, unknown.

Kaspersky don't think that the purpose of Gauss is to steal cash, but rather to record and track individual computers and bank accounts. The theft angle would be incompatible with a nation-state attack, the company suggests, and it looks as though data collection was the motivation of its authors.

The Russian firm identified five command and control servers for Gauss, all running Debian Linux and listening on ports 22, 80, and 443 (as with Flame) but on July 13 they were taken offline. Purloined data was sent to seven domains and the load balancing systems used indicate high levels of traffic.

Kaspersky has now put out a signature file for Gauss and the boffins at Hungarian research lab CrySyS have come up with an online detection tool to find new infections. As part of its payload, Gauss installs a new font, Palida Narrow, and the tool checks to see if this is installed as an indicator of infection.

The nature of the malware, and its choice of targets, will stoke fears that Gauss is another manifestation of Project Olympic Games, the claimed US/Israeli project to militarize code. The use of such software was dubbed a "moral crime" at last month's Black Hat conference and has many in the industry worried about the security ramifications for businesses caught in the crossfire. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.