

Gauss Espionage Malware: 7 Key Facts

From targeting Lebanese banking customers to installing a font, security researchers seem to be unearthing as many questions as answers in their teardown of the surveillance malware.

What secrets does the newly discovered Gauss malware hide?

At a high level, Moscow-based Kaspersky Lab, which Thursday announced its discovery of Gauss, believes it "is a nation state sponsored banking Trojan," built using a code base that's related to Flame, and by extension Duqu and Stuxnet.

But the ongoing analysis of Gauss has yet to uncover the answers to numerous questions. For starters, as noted by Symantec, banking credentials are "not a typical target for cyber espionage malware of this complexity."

With that in mind, here are seven oddities and unanswered questions surrounding Gauss:

1. Malware Eavesdropped On Lebanon
Whoever heard of malware that came gunning for residents of Lebanon? Kaspersky said that by July 31, 2012, it had counted 2,500 unique PCs as being infected by Gauss since May, and traced 1,600 of those infections to PCs in Lebanon. The next most-infected countries were Israel (483 PCs infected), the Palestinian Territory (261), the United States (43), the United Arab Emirates (11), and Germany (5).

2. Espionage Malware Targeted Banks
According to Kaspersky's teardown of Gauss, the malware didn't just target Lebanon, but specific bank customers. "The Gauss code (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks--including the Bank of Beirut, Byblos Bank, and Fransabank," it said. But the malware also targeted users of Credit Libanais, Citibank, and eBay's PayPal online payment system.

In other words, Gauss may be the first known malware to have been commissioned by a nation state to spy on online banking customers. Then again, Jeffrey Carr, CEO of cyber risk management firm Taia Global, told Reuters that Lebanese banks have long been watched by U.S. intelligence agencies for their role in facilitating payments to drug cartels and extremist groups. "You've got this successful platform. Why not apply it to this investigation into Lebanese banks and whether or not they are involved in money laundering for Hezbollah?" he said.

3. Malware Module May Hide Stuxnet Warhead
Another curiosity: Kaspersky researcher Roel Schouwenberg said the "Godel" module found in Gauss may also include a Stuxnet-like "warhead" able to damage industrial control systems, reported Reuters.

4. But Gauss Avoided Stuxnet Mistakes
Gauss managed to avoid detection for over a year, by not infecting enough PCs to have been spotted by security firms. For comparison purposes, Gauss is known to have infected 2,500 PCs, compared with 700 for Flame, and just 20 for Duqu. Stuxnet, meanwhile, infected over 100,000 PCs, although security experts suspect that its creators--believed to be the United States, working with Israel--lost control of the malware due to a programming error, which let the malware spread outside of the single Iranian nuclear facility that it was meant to infect.

5. Banking Malware Prolific--For Targeted Attack
But the 1,600 Gauss infections--80 times the number seen for Duqu--place the malware in curious territory. "This is an uncharacteristically high number for targeted attacks similar to Duqu--it's possible that such a high number of incidents is due to the presence of a worm in one of the Gauss modules that we still don't know about," according to Kaspersky Lab. "However, the infections have been predominantly within the boundaries of a rather small geographical region," meaning that the malware is apparently only being used for targeted attacks, and carefully controlled.

6. USB Key Attack Code Copies Targeted Data
On a related note, Kaspersky said that Gauss is compatible with 32-bit Windows systems, although "there is a separate spy module that operates on USB drives ... and is designed to collect information from 64-bit systems." Interestingly, the malware installs a compressed, encrypted attack application onto USB drives, which only activates when it finds a targeted system.

"The spy module that works on USB drives uses an .LNK exploit ... [that is] similar to the one used in the Stuxnet worm, but it is more effective," according to Kaspersky Lab. "The module masks the Trojan's files on the USB drive without using a driver. It does not infect the system: information is extracted from it using a spy module (32- or 64-bit) and saved on the USB drive."

According to Symantec, the USB attack code would be quite difficult to spot. "Some sections of the payload binary that spreads to USB devices are RC4 encrypted with keys generated to target specific computers," it said, referencing the RC4 software stream cipher. "The underlying data has yet to be decrypted in these payloads."

7. Attack Code Installs Font
A substantial amount of Gauss analysis remains, before the design of its modules--or even how it goes about infecting systems--can be fully understood. In particular, "the infection vector is currently unknown," according to Symantec.

Another mystery is the Gauss module dubbed "Lagrange," which--as Symantec put it--"curiously installs a font called Palida Narrow." The custom TrueType font "appears to contain valid Western, Baltic, and Turkish symbols," according to Kaspersky. Why create custom fonts for malware? So far, that's just one more outstanding and unusual Gauss question that remains unanswered.


Andrew Hornback
User Rank: Apprentice
8/12/2012 | 11:49:56 PM
re: Gauss Espionage Malware: 7 Key Facts
I'd like to take a better look at point 3 here... Warhead that would damage industrial control systems. I have to wonder if this was a possible "finishing move" embedded in this little gem and left there, just in case it came into contact with a system that handled bank checks going through an OCR system or maybe even getting its code around a building's control systems - HVAC systems, camera/security systems...

Unleashing something like that could make for a really bad day for a whole lot of people.

Andrew Hornback
InformationWeek Contributor
User Rank: Apprentice
8/10/2012 | 6:38:12 PM
re: Gauss Espionage Malware: 7 Key Facts
How many incidents of cyber fraud and theft of credentials have to happen before the public finally realizes that no operating system configured for general purpose use can protect one's bank assets? Bank industry experts just testified before Congress saying malware contamination of the client's Windows PC is the single greatest cause of "Account Takeover" by cybercriminals. Gauss equips cybercriminals with even stronger tools to launch their attacks.

The best strategy bank clients can use to protect their bank accounts is to use a purpose-built One-Time OS that operates completely independent from Windows and is freshly created for each bank session. The concept applies the principle and strengths of One-Time Passwords to operating system images. Malware contamination is virtually impossible and it's free. Check it out.

Google "cybershield-os" or see http://www.cybershieldsolution...

[email protected],
User Rank: Apprentice
8/10/2012 | 5:21:34 PM
re: Gauss Espionage Malware: 7 Key Facts
My theory about the font is that it is being used to identify systems that have been compromised.

There is something known as a browser fingerprint that currently exists. It is based on a number of factors like the HTTP headers that your browser uses, installed plugins, and, yes, installed system fonts.

Imagine some innocuous site that scans people's installed fonts. When it picks up on "Palida Narrow" it says that this system is infected, or has been at one point.

If you have never heard of browser fingerprinting, I urge you to check out http://panopticlick.eff.net
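The font check described in the comment above, written out as an added example (not code from the article, Kaspersky, or the commenter): a browser renders a test string in the candidate font with a fallback, and if the width matches the fallback alone the font is not installed. The measurement function is injected so the logic can be exercised offline; in a browser you would pass measureWithCanvas, and the constructed fakeMeasure stand-in is an assumption for testing only.

```javascript
// Added example: font-presence detection by text-width measurement, the same
// technique fingerprinting sites use, applied defensively to look for the
// "Palida Narrow" font that the article says the Gauss "Lagrange" module installs.

const TEST_STRING = "mmmmmmmmmmlli"; // wide/narrow glyph mix exposes font differences
const BASELINES = ["monospace", "sans-serif", "serif"];

// Real browser measurement via the Canvas 2D API (only runs inside a browser).
function measureWithCanvas(fontFamily) {
  const ctx = document.createElement("canvas").getContext("2d");
  ctx.font = `72px ${fontFamily}`;
  return ctx.measureText(TEST_STRING).width;
}

// A font counts as installed if, for at least one baseline, rendering
// "<candidate>, <baseline>" gives a different width than the baseline alone.
// If the candidate is absent the engine falls back to the baseline and the
// widths match exactly, so a missing font never produces a false positive.
function isFontInstalled(fontName, measure) {
  return BASELINES.some((base) => {
    const baseWidth = measure(base);
    const candWidth = measure(`"${fontName}", ${base}`);
    return Math.abs(candWidth - baseWidth) > 0.5;
  });
}

// Defensive indicator check: presence of the font is a reason to investigate
// the host, not proof of infection on its own.
function checkPalidaNarrow(measure) {
  return { font: "Palida Narrow", installed: isFontInstalled("Palida Narrow", measure) };
}

// Constructed stand-in for a rendering engine (assumption, for offline use):
// fonts in `installedFonts` render 10% narrower than the fallback; any other
// candidate falls back to the baseline width, as a browser would.
function fakeMeasure(installedFonts) {
  const baseWidths = { monospace: 800, "sans-serif": 700, serif: 720 };
  return (fontFamily) => {
    const parts = fontFamily.split(",").map((s) => s.trim().replace(/"/g, ""));
    const [first, fallback] = parts;
    if (baseWidths[first] !== undefined) return baseWidths[first];
    return installedFonts.has(first) ? baseWidths[fallback] * 0.9 : baseWidths[fallback];
  };
}
```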
User Rank: Apprentice
8/10/2012 | 5:09:19 PM
re: Gauss Espionage Malware: 7 Key Facts
High level? Kaspersky? :D:D:D

You are funny?

We have had more than 4 years of partnership with Kaspersky.

They only sell in Iran and a few countries.

More of their news is advertisement targets and lies, or news about old viruses and threats that other companies discovered long ago.

Thank you
Regards ,
danny117 aka dws400
User Rank: Apprentice
8/10/2012 | 5:01:47 PM
re: Gauss Espionage Malware: 7 Key Facts
What one man can do another can do...

Perhaps the font was the attack vector.