Dark Reading is part of the Informa Tech Division of Informa PLC



Gauss Espionage Malware: 7 Key Facts

From targeting Lebanese banking customers to installing a font, security researchers seem to be unearthing as many questions as answers in their teardown of the surveillance malware.

What secrets does the newly discovered Gauss malware hide?

At a high level, Moscow-based Kaspersky Lab, which Thursday announced its discovery of Gauss, believes it "is a nation state sponsored banking Trojan," built using a code base that's related to Flame, and by extension Duqu and Stuxnet.

But the ongoing analysis of Gauss has yet to uncover the answers to numerous questions. For starters, as noted by Symantec, banking credentials are "not a typical target for cyber espionage malware of this complexity."

With that in mind, here are seven oddities and unanswered questions surrounding Gauss:

1. Malware Eavesdropped On Lebanon
Whoever heard of malware that came gunning for residents of Lebanon? Kaspersky said that by July 31, 2012, it had counted 2,500 unique PCs as being infected by Gauss since May, and traced 1,600 of those infections to PCs in Lebanon. The next most-infected countries were Israel (483 PCs infected), the Palestinian Territory (261), the United States (43), the United Arab Emirates (11), and Germany (5).

2. Espionage Malware Targeted Banks
According to Kaspersky's teardown of Gauss, the malware didn't just target Lebanon, but specific bank customers. "The Gauss code (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks--including the Bank of Beirut, Byblos Bank, and Fransabank," it said. But the malware also targeted users of Credit Libanais, Citibank, and eBay's PayPal online payment system.

In other words, Gauss may be the first known malware to have been commissioned by a nation state to spy on online banking customers. Then again, Jeffrey Carr, CEO of cyber risk management firm Taia Global, told Reuters that Lebanese banks have long been watched by U.S. intelligence agencies for their role in facilitating payments to drug cartels and extremist groups. "You've got this successful platform. Why not apply it to this investigation into Lebanese banks and whether or not they are involved in money laundering for Hezbollah?" he said.

3. Malware Module May Hide Stuxnet Warhead
Another curiosity: Kaspersky researcher Roel Schouwenberg said the "Godel" module found in Gauss may also include a Stuxnet-like "warhead" able to damage industrial control systems, reported Reuters.

4. But Gauss Avoided Stuxnet Mistakes
Gauss managed to avoid detection for over a year, by not infecting enough PCs to have been spotted by security firms. For comparison purposes, Gauss is known to have infected 2,500 PCs, compared with 700 for Flame, and just 20 for Duqu. Stuxnet, meanwhile, infected over 100,000 PCs, although security experts suspect that its creators--believed to be the United States, working with Israel--lost control of the malware due to a programming error, which let the malware spread outside of the single Iranian nuclear facility that it was meant to infect.

5. Banking Malware Prolific--For Targeted Attack
But the 1,600 Gauss infections--80 times the number seen for Duqu--place the malware in curious territory. "This is an uncharacteristically high number for targeted attacks similar to Duqu--it's possible that such a high number of incidents is due to the presence of a worm in one of the Gauss modules that we still don't know about," according to Kaspersky Lab. "However, the infections have been predominantly within the boundaries of a rather small geographical region," meaning that the malware is apparently only being used for targeted attacks, and carefully controlled.

6. USB Key Attack Code Copies Targeted Data
On a related note, Kaspersky said that Gauss is compatible with 32-bit Windows systems, although "there is a separate spy module that operates on USB drives ... and is designed to collect information from 64-bit systems." Interestingly, the malware installs a compressed, encrypted attack application onto USB drives, which only activates when it finds a targeted system.

"The spy module that works on USB drives uses an .LNK exploit ... [that is] similar to the one used in the Stuxnet worm, but it is more effective," according to Kaspersky Lab. "The module masks the Trojan's files on the USB drive without using a driver. It does not infect the system: information is extracted from it using a spy module (32- or 64-bit) and saved on the USB drive."

According to Symantec, the USB attack code would be quite difficult to spot. "Some sections of the payload binary that spreads to USB devices are RC4 encrypted with keys generated to target specific computers," it said, referencing the RC4 software stream cipher. "The underlying data has yet to be decrypted in these payloads."

7. Attack Code Installs Font
A substantial amount of Gauss analysis remains, before the design of its modules--or even how it goes about infecting systems--can be fully understood. In particular, "the infection vector is currently unknown," according to Symantec.

Another mystery is the Gauss module dubbed "Lagrange," which--as Symantec put it--"curiously installs a font called Palida Narrow." The custom TrueType font "appears to contain valid Western, Baltic, and Turkish symbols," according to Kaspersky. Why create custom fonts for malware? So far, that's just one more outstanding and unusual Gauss question that remains unanswered.

Andrew Hornback,
User Rank: Apprentice
8/12/2012 | 11:49:56 PM
re: Gauss Espionage Malware: 7 Key Facts
I'd like to take a better look at point 3 here... Warhead that would damage industrial control systems. I have to wonder if this was a possible "finishing move" embedded in this little gem and left there, just in case it came into contact with a system that handled bank checks going through an OCR system or maybe even getting its code around a building's control systems - HVAC systems, camera/security systems...

Unleashing something like that could make for a really bad day for a whole lot of people.

Andrew Hornback
InformationWeek Contributor
User Rank: Apprentice
8/10/2012 | 6:38:12 PM
re: Gauss Espionage Malware: 7 Key Facts
How many incidents of cyber fraud and theft of credentials have to happen before the public finally realizes that no operating system configured for general purpose use can protect one's bank assets? Bank industry experts just testified before Congress saying malware contamination of the client's Windows PC is the single greatest cause of "Account Takeover" by cybercriminals. Gauss equips cybercriminals with even stronger tools to launch their attacks.

The best strategy bank clients can use to protect their bank accounts is to use a purpose-built One-Time OS that operates completely independent from Windows and is freshly created for each bank session. The concept applies the principle and strengths of One-Time Passwords to operating system images. Malware contamination is virtually impossible and it's free. Check it out.

Google "cybershield-os" or see http://www.cybershieldsolution...

[email protected],
User Rank: Apprentice
8/10/2012 | 5:21:34 PM
re: Gauss Espionage Malware: 7 Key Facts
My theory about the font is that it is being used to identify systems that have been compromised.

There is something known as a browser fingerprint that currently exists. It is based on a number of factors like the HTTP headers that your browser uses, installed plugins, and, yes, installed system fonts.

Imagine some innocuous site that scans people's installed fonts. When it picks up on "Palida Narrow" it says that this system is infected, or has been at one point.

If you have never heard of browser fingerprinting, I urge you to check out http://panopticlick.eff.net
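The check the commenter describes, as an added example that is not code from the article, the commenter, or Kaspersky: a font-detection routine built on the width-comparison trick browser fingerprinting uses, pointed at the "Palida Narrow" indicator from point 7. The measurer is injected so the same logic can run in a browser (via the Canvas 2D text API) or be exercised with a stub; a negative result only means the font was not visible to the browser, not that the host is clean.

```javascript
// Added example: detect whether a named font is installed by comparing the rendered
// width of a probe string in a generic fallback family against the width when the
// candidate font is listed first. If the candidate is present, the width changes.
const PROBE_TEXT = "mmmmmmmmmmlli"; // wide 'm' plus narrow 'l'/'i' exaggerates differences
const FALLBACKS = ["monospace", "sans-serif", "serif"];

// measure(fontFamily, text) -> width in px. Browsers get canvasMeasurer() below;
// tests may supply a stub with the same signature.
function fontInstalled(measure, fontName) {
  // Three fallbacks reduce false negatives when one fallback happens to match widths.
  return FALLBACKS.some((fallback) => {
    const base = measure(fallback, PROBE_TEXT);
    const probe = measure(`"${fontName}", ${fallback}`, PROBE_TEXT);
    return base !== probe;
  });
}

// Browser-side measurer using the Canvas 2D text API.
function canvasMeasurer(canvas) {
  const ctx = canvas.getContext("2d");
  return (family, text) => {
    ctx.font = `72px ${family}`;
    return ctx.measureText(text).width;
  };
}

// Report on the one indicator this article names: the "Palida Narrow" font.
function checkGaussFontIndicator(measure) {
  const font = "Palida Narrow";
  return { font, present: fontInstalled(measure, font) };
}

// Only runs in a real browser; Node has no document object.
if (typeof document !== "undefined") {
  const measure = canvasMeasurer(document.createElement("canvas"));
  console.log(checkGaussFontIndicator(measure));
}
```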
User Rank: Apprentice
8/10/2012 | 5:09:19 PM
re: Gauss Espionage Malware: 7 Key Facts
High level? Kaspersky? :D:D:D

You are funny.

We have had more than 4 years of partnership with Kaspersky.

They only sell in Iran and a few countries.

Most of their news is advertising targets and lies, or news issued about old viruses and threats that other companies discovered earlier.

Thank you
Regards ,
danny117 aka dws400,
User Rank: Apprentice
8/10/2012 | 5:01:47 PM
re: Gauss Espionage Malware: 7 Key Facts
What one man can do another can do...

Perhaps the font was the attack vector.