Meet Gauss: The latest cyber-espionage tool

Summary: Kaspersky Lab finds Gauss, a spying malware that collects financial information, and resembles Flame. Components are named after famous mathematicians.

Gauss, a new "cyber-espionage toolkit," has emerged in the Middle East and is capable of stealing sensitive data such as browser passwords, online banking account credentials, cookies and system configurations, according to Kaspersky Lab. Gauss appears to have come from the same nation-state factories that produced Stuxnet.

According to Kaspersky, Gauss has unique characteristics relative to other malware. Kaspersky said it found Gauss following the discovery of Flame. The International Telecommunication Union has started an effort to identify emerging cyberthreats and mitigate them before they spread.

In a nutshell, Gauss launched around September 2011 and was discovered in June. Gauss, which resembles Flame, had its command and control infrastructure shut down in July, but the malware lies dormant, waiting for the servers to become active again. Kaspersky noted in an FAQ:

There is enough evidence that this is closely related to Flame and Stuxnet, which are nation-state sponsored attacks. We have evidence that Gauss was created by the same "factory" (or factories) that produced Stuxnet, Duqu and Flame.

Among Gauss' key features:

  • Gauss collects data on machines and sends it to attackers. This data includes network interface information, computer drive details and BIOS characteristics.
  • The malware can infect USB thumb drives using the vulnerabilities found in Stuxnet and Flame.
  • Gauss can disinfect drives under certain circumstances and then uses removable media to store collected data in a hidden file.
  • The malware also installs a special font called Palida Narrow.

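The Palida Narrow font listed above is a host artifact a defender can check for. The following is an added example, not code from the article or from Kaspersky: it inspects the Windows Fonts registry key and Fonts directory for the font name, and falls back to a constructed sample on other platforms. The sample file name is an assumption, not a known Gauss artifact.

```python
"""Check a Windows host for the "Palida Narrow" font that the Gauss
report names as an artifact of infection. Added example; the font name
is the only page-specific value, the sample file name is constructed."""
import os
import platform

# Real registry location where installed fonts are listed on Windows.
FONTS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"
INDICATOR = "palida"  # matches "Palida Narrow (TrueType)" and similar


def find_font_indicators(registry_fonts, font_files):
    """Return sorted (source, name, data) tuples that mention the font.

    registry_fonts: dict of value name -> file name, as read from FONTS_KEY.
    font_files: iterable of file names found in the Fonts directory.
    """
    hits = []
    for name, data in registry_fonts.items():
        if INDICATOR in name.lower() or INDICATOR in str(data).lower():
            hits.append(("registry", name, str(data)))
    for fname in font_files:
        if INDICATOR in fname.lower():
            hits.append(("file", fname, ""))
    return sorted(hits)


def collect_live():
    """Gather registry font entries and the Fonts directory listing on Windows."""
    if platform.system() != "Windows":
        return {}, []
    import winreg  # standard library, Windows only
    fonts = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FONTS_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised when no more values exist
                break
            fonts[name] = data
            i += 1
    fonts_dir = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "Fonts")
    files = os.listdir(fonts_dir) if os.path.isdir(fonts_dir) else []
    return fonts, files


# Constructed sample mimicking a registry dump with one suspicious entry.
SAMPLE_REGISTRY = {"Arial (TrueType)": "arial.ttf",
                   "Palida Narrow (TrueType)": "palidanarrow.ttf"}
SAMPLE_FILES = ["arial.ttf", "palidanarrow.ttf"]

if __name__ == "__main__":
    reg, files = collect_live()
    for hit in find_font_indicators(reg or SAMPLE_REGISTRY, files or SAMPLE_FILES):
        print(hit)
```

A hit only shows the font is present; confirming an infection still requires examining the host's other artifacts.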
Since May 2012, Gauss has infected more than 2,500 machines, mostly in Lebanon. Kaspersky said that the total number of Gauss victims is likely to be in the "tens of thousands." That number is lower than for Stuxnet, but higher than for the Flame and Duqu attacks.

So far, Gauss has swiped data from the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. Citibank and PayPal users are also targeted.

Why Gauss? The malware's main module was named after German mathematician Johann Carl Friedrich Gauss. Other components are also named after well-known mathematicians.

A few key slides from Kaspersky's Gauss report: [slide images]

Talkback

  • The Purpose of It?

    http://jeffreycarr.blogspot.com/2012/08/was-flames-gauss-malware-used-to.html

    I think he is on to something.
    f0real
  • gauss

    should not be a problem anymore as internal files are known and large antivirus companies can add information to their definition files. Or am I missing something...
    ronangel
    • Ron

      Just because they can look for it and/or stop it at the moment, doesn't mean this isn't a big deal. Plus they have also noted that it is just like Flame, being modular so it can change all the time quite easily for many different purposes and targets. Its hard to catch a shape-shifting burglar. Just saying.

      ~K
      KittenKibbles
    • You are missing the big picture...

      If someone could do it before, they will do it again. No one is safe, especially if using Windows...
      prof123
      • @prof123

        prof123, that's ridiculous. The Windows part anyway, considering Kaspersky also claims that Apple's security is the equivalent of Windows 2002. Here is but one of the articles which quoted the statement. Apparently you missed the memo.

        http://www.theregister.co.uk/2012/05/02/kaspersky_apple_flashback_microsoft/
        kennyrosenyc
        • Yeah, but...

          ... doesn't change the fact that most viruses ONLY target PCs. Macs still don't have a large enough market share for the majority of virus makers to bother.

          So we can still rest in our cribs and feel safe.

          I'm in a computer lab filled with Windoze PCs. How safe do you think I feel being the only mac client on the network? When a student gives me their thumb drive to submit something I put it right in my macbook with impunity (though I do have Sophos scanning these drives so I can tell the student that they have a virus... and remove it with their permission).
          theanimaster
          • Windows version

            >>being the only mac client on the network?
            What version of Windows does your brain run?
            eulampius
          • Wrong again....

            Apple has the second largest database of user info on the planet. Amazon is number one. That info is like gold for a hacker. Marketing firms, advertising agencies, everybody wants your email address and will pay top dollar for a bulk order.
            kennyrosenyc
        • Apple, and Apple, users live in a world of denial

          Yep, the biggest problem with Apple products is the fact that Apple will not admit these machines get infected at all (leaving their customers with a false sense of security). If you connect to the internet, or share files with a computer that connects to the internet, then you will eventually become infected with something. On a related note, with various Apple products being tethered together the way they are, the resulting chimera seems (in theory) more susceptible to STUXNET-like infections.
          neilrieck
          • Apple=Microsoft

            Both Microsoft and Apple have so much in common, because despite the architectural differences, technical decisions are made by incompetent managers, not IT specialists.
            >>resulting chimera seems (in theory) more susceptible to STUXNET-like infections.
            Why, if there is almighty Microsoft RPC?
            eulampius
          • Windows vs. Apple

            The only REAL advantage in choosing Windows over Apple is the simple fact that building your own Windows PC allows you to get BETTER support from Microsoft (assuming you would be buying a full version of Windows and not the OEM version), where, with Apple, if you did this it would be considered a 'Hackintosh' and therefore not be covered. ALL OEMS make cheap products. They use cheap cases, cheap power supplies (Apple's power supplies aren't even rated at 80 plus which is why their computer run hot), and whatever bargain basement parts they can get away with. Honestly, what's the point in having a computer with an exhaust fan but no fan to draw air into the case? But that's what most OEMs sell as desktops. Apple included.
            kennyrosenyc
          • Not true..... bad surfing habits and lack of 'script-blocking'

            Are the biggest things that lead to infections on systems. I personally update my computer on a regular basis with tools that block scripts from 'untrusted' websites, especially ad websites which are known to get infected often.
            Lerianis10
        • Not even close

          The context was that a false sense of security is worse than none. They didn't say the system was equivalent, but that Apple was way behind in terms of wariness and responsiveness. That's not the same thing as the security being equivalent. With equal surfing habits, a Windows computer is more likely to get hacked. It's the mindset of too much trust in the "out of the box" system that security experts warn about in Mac users, not that it's a less secure system. UNIX was designed with security and the Internet in mind from the ground up, much more than Windows, and the base security model is pretty good. There's a lot of twisting of words about how the false sense of security of some Mac users makes them more vulnerable, but that's not the same thing as the system being more vulnerable. With bad habits and a dedicated hacker, they all fall down.
          ossoup
          • Same habits and no AV, I mean

            Take a Windows computer with no anti-virus, and a Mac with no anti-virus, surf a couple of porn sites, click on every popup and see who gets hacked first. They both will eventually, but I'm betting the Windows PC goes down first. Not that it matters, the point is the mindset that they don't need anti-virus or to watch their habits, the false sense of security, is the issue with many Mac users. The system itself is pretty secure out of the box, much more so than a Windows computer with no AV configured.
            ossoup
          • Only because the Windows computers are the majority

            Enough said.
            Lerianis10
      • No one is safe, especially if using Linux or Apple...

        there, I corrected it to make it even more accurate.

        Get a clue. Anyone that can create a Stuxnet, etc. can EASILY get around anything in Linux or OSX, too.
        William Farrel
        • FUD

          Nowhere is it written that Linux is vulnerable. They'll have to find a vulnerability first. Since Linux has no secrets, cleaning up, locking it down, and keeping it locked down is much easier.
          T1Oracle
  • easy.

    Disable the autorun.inf
    magallanes
    • better, not easy though

      disable those in Redmond who enabled it in the first place
      eulampius
    • @magallanes .. that's not even close to how the autorun.inf infection

      works at all: it's got little to do with Windows' actual & legitimate autorun.inf (that's stored in the root directory).

      Autorun.inf (the malign version), typically, does the following: creates a hidden partition shared by the system volume; creates an Autorun menu option in Explorer; disables most applications from running on the infected system - and, obviously, "security software" on the host system also - and Windows Update (in many cases) as well as Security Center.

      Disabling the legit' version of autorun.inf has nothing to do with this issue. But since you don't know what you're talking about, you had better not comment when you're out of your depth and haven't a clue about the subject up for discussion.

      The Low-down: for anyone that's ever had a machine infected by the Autorun.inf virus, they have my utmost sympathy. It's simply one of the most devastating infections a computing system could face. From having fixed systems with autorun.inf infections, I can say that the only viable way to deal with an infected drive is to nuke it: that is, to completely nuke the boot sector and partition table and start again from there. Unfortunately, that leaves the inevitable loss of someone's data.

      Recovery of a nuked drive then requires using partition diagnostics & recovery utilities to recover any critical data a person desperately needs to get back. The cost quickly escalates through both time and the price for the recovery utility s/w.

      Glib, brainless and uneducated waffle like yours just sum up the problem. If you haven't got anything of value to add, just put a sock in it and buzz off.
      thx-1138_