Gauss, cousin of Stuxnet and Flame, spies on bank accounts
A new virus has been discovered spying in the Middle East, apparently created by the same people behind Flame and Stuxnet. Called “Gauss”, the malware steals bank details and system information, and carries a mysterious encrypted payload that could be used to destroy infrastructure. It was found on 2,500 machines, most of them in Lebanon, according to information published by Kaspersky Lab.
It was christened “Gauss” because that name appears in some of the malware’s core files. The virus has a module that can capture usernames, passwords and bank account details, and it was found targeting customers of several banks in Lebanon, such as the Bank of Beirut, EBLF, BlomBank, ByblosBank, Fransabank and Credit Libanais. It also keeps an eye on customers of Citibank and PayPal.
“It is highly modular and supports new features, which can be deployed remotely by operators as plugins”, the company says.
The malware appears to be part of the arsenal of cyberweapons created by the U.S. and Israel, which includes Flame, Stuxnet and Duqu, although it is the first time a virus of this kind has been found stealing banking information, something usually seen among criminal groups motivated by the prospect of stealing money.
It is not known whether this function was used to spy on accounts or transactions, or to steal money from specific targets. But since the malware was almost certainly created by a state, its objective is probably intelligence: for example, monitoring or tracing where the funds sent to certain individuals or groups come from, or taking the money in order to thwart certain movements.
Although the banking manoeuvres are new, the most intriguing part of Gauss is the encrypted code it carries, which Kaspersky has not managed to decipher. This payload appears to be aimed at particular machines with a specific configuration. When Gauss reaches a machine with that configuration, this part of the malware is unlocked and something happens. So far, researchers have not figured out what that configuration is. Kaspersky has asked cryptographers for help reading the code (those interested can contact email@example.com).
According to the investigators, Gauss was created in mid-2011 and released in September or October of last year. The Gauss code is similar to that used in Flame, although somewhat less complex. Kaspersky discovered it in June while looking for variants of Flame.
Earlier this year the UN’s International Telecommunication Union (ITU) asked Kaspersky to investigate claims that computers in Iran’s oil industry had been attacked by malware that wiped them. Kaspersky did not find malware that did that, but ran into Flame, a highly sophisticated spying tool with multiple components, designed to spy on a large scale across many systems.
While working on this, they found traces of Gauss and noticed that, although it uses code similar to Flame’s, it was a separate virus.
More than 2,500 systems in 25 countries are infected with Gauss: 1,600 of them in Lebanon, 482 in Israel, 261 in Palestine and 43 in the U.S., and that counts only what Kaspersky has detected. The company said there could be tens of thousands of infections.
For comparison, Stuxnet infected some 100,000 machines, mainly in Iran; Duqu about 50 machines in different places; and Flame around 1,000 machines in Iran and elsewhere in the Middle East.
There does not seem to be a pattern among the organizations attacked by Gauss; instead the targets appear to be specific individuals, though Kaspersky has no information about their identities. Most of those affected are using Windows 7.
As with Flame, Gauss is built from functional modules that its operators can modify to suit their needs. So far only some modules have been discovered; they allow the malware to steal cookies and passwords, record the system configuration (including information from the BIOS and CMOS RAM), infect USB drives, and steal banking, social-network, instant-messaging and e-mail information, among other things.
The malware also installs a font called “Palida Narrow”, whose purpose is unknown.
Gauss’s main module is about 200 KB, and together with the plugins found so far it comes to 2 MB, making it considerably smaller than Flame’s 20 MB.
– Flame and Cousin Stuxnet Targets Lebanese Bank Customers, Carries Mysterious Payload (Wired)
– Gauss: Nation-state cyber-surveillance meets banking Trojan
– Flame and Stuxnet Creators cooperated in creating the code
– Flame, a new weapon discovered in Iran cyber-spying