What’s so special about Gauss?
Kaspersky Lab experts have recently notified the world of the existence of another piece of malware that seems to have come from the same workshop(s) that pushed out Stuxnet, Duqu and Flame.
Dubbed Gauss, the malware in question is a banking Trojan that seems to have deployed for the first time a year ago and was discovered after Flame.
“Just like Duqu was based on the ‘Tilded’ platform on which Stuxnet was developed, Gauss is based on the ‘Flame’ platform,” the researchers say. “It shares some functionalities with Flame, such as the USB infection subroutines.”
There are many interesting things about Gauss, but the most interesting so far is the fact that besides stealing information, it is also designed to deliver an encrypted payload that is activated on certain specific system configurations.
Unfortunately, the researchers have yet to break the encryption scheme used to encrypt it, so we still don’t know what it contains.
The Trojan has been dubbed Gauss because its various modules were named after well-known mathematicians and philosophers, and the most important among them is the one named after Johann Carl Friedrich Gauss.
Gauss performs the usual stuff: intercepts browser cookies and passwords, harvests and sends system configuration data to attackers, lists the content of the system drives and folders, hijacks account information for social network, email and IM accounts, and – most important of all – steals credentials for a number of banking systems in the Middle East (mostly Lebanon, some in Israel and Palestine).
“Since late May 2012, more than 2,500 infections were recorded by Kaspersky Lab’s cloud-based security system, with the estimated total number of victims of Gauss probably being in tens of thousands,” the researchers shared. “The Gauss command-and-control (C&C) infrastructure was shutdown in July 2012. At the moment, the malware is in a dormant state, waiting for its C&C servers to become active again.”
Even though the malware is capable of infecting USB sticks with a data stealing component – which, by the way, is set to delete itself once it infects 30 machines – it is still unknown how users get infected with Gauss.
“We have not (yet) found any zero-days or ‘God mode’ Flame-style exploits in Gauss. However, because the infection mechanism is not yet known, there is the distinct possibility that an unknown exploit is being used,” they say. “It should be noted that the vast majority of Gauss victims run Windows 7, which should be prone to the .LNK exploit used by Stuxnet.”
“This is actually the first time we’ve observed a nation-state cyber-espionage campaign with a banking Trojan component,” they also point out. “It is not known whether the operators are actually transferring funds from the victim’s bank accounts or whether they are simply monitoring finance/funding sources for specific targets.”
Another interesting thing about Gauss is that when it is installed on a system, a custom font called Palida Narrow is installed along with it.
The researchers still don’t know why that is, but it has been suggested that it functions as a marker for the presence of the malware – meaning that specially crafted web pages such as this one by CrySyS can detect whether the visiting computer is infected with Gauss.
If found, Kaspersky’s Virus Removal Tool can be used to remove it.