Dark Reading is part of the Informa Tech Division of Informa PLC



Gauss Espionage Malware: 7 Key Facts

From targeting Lebanese banking customers to installing a font, security researchers seem to be unearthing as many questions as answers in their teardown of the surveillance malware.

What secrets does the newly discovered Gauss malware hide?

At a high level, Moscow-based Kaspersky Lab, which Thursday announced its discovery of Gauss, believes it "is a nation state sponsored banking Trojan," built using a code base that's related to Flame, and by extension Duqu and Stuxnet.

But the ongoing analysis of Gauss has yet to uncover the answers to numerous questions. For starters, as noted by Symantec, banking credentials are "not a typical target for cyber espionage malware of this complexity."

With that in mind, here are seven oddities and unanswered questions surrounding Gauss:

1. Malware Eavesdropped On Lebanon
Whoever heard of malware that came gunning for residents of Lebanon? Kaspersky said that by July 31, 2012, it had counted 2,500 unique PCs as being infected by Gauss since May, and traced 1,600 of those infections to PCs in Lebanon. The next most-infected countries were Israel (483 PCs infected), the Palestinian Territory (261), the United States (43), the United Arab Emirates (11), and Germany (5).

2. Espionage Malware Targeted Banks
According to Kaspersky's teardown of Gauss, the malware didn't just target Lebanon, but specific bank customers. "The Gauss code (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks--including the Bank of Beirut, Byblos Bank, and Fransabank," it said. But the malware also targeted users of Credit Libanais, Citibank, and eBay's PayPal online payment system.

In other words, Gauss may be the first known malware to have been commissioned by a nation state to spy on online banking customers. Then again, Jeffrey Carr, CEO of cyber risk management firm Taia Global, told Reuters that Lebanese banks have long been watched by U.S. intelligence agencies for their role in facilitating payments to drug cartels and extremist groups. "You've got this successful platform. Why not apply it to this investigation into Lebanese banks and whether or not they are involved in money laundering for Hezbollah?" he said.

3. Malware Module May Hide Stuxnet Warhead
Another curiosity: Kaspersky researcher Roel Schouwenberg said the "Godel" module found in Gauss may also include a Stuxnet-like "warhead" able to damage industrial control systems, reported Reuters.

4. But Gauss Avoided Stuxnet Mistakes
Gauss managed to avoid detection for over a year, by not infecting enough PCs to have been spotted by security firms. For comparison purposes, Gauss is known to have infected 2,500 PCs, compared with 700 for Flame, and just 20 for Duqu. Stuxnet, meanwhile, infected over 100,000 PCs, although security experts suspect that its creators--believed to be the United States, working with Israel--lost control of the malware due to a programming error, which let the malware spread outside of the single Iranian nuclear facility that it was meant to infect.

5. Banking Malware Prolific--For Targeted Attack
But the 1,600 Gauss infections--80 times the number seen for Duqu--place the malware in curious territory. "This is an uncharacteristically high number for targeted attacks similar to Duqu--it's possible that such a high number of incidents is due to the presence of a worm in one of the Gauss modules that we still don't know about," according to Kaspersky Lab. "However, the infections have been predominantly within the boundaries of a rather small geographical region," meaning that the malware is apparently only being used for targeted attacks, and carefully controlled.

6. USB Key Attack Code Copies Targeted Data
On a related note, Kaspersky said that Gauss is compatible with 32-bit Windows systems, although "there is a separate spy module that operates on USB drives ... and is designed to collect information from 64-bit systems." Interestingly, the malware installs a compressed, encrypted attack application onto USB drives, which only activates when it finds a targeted system.

"The spy module that works on USB drives uses an .LNK exploit ... [that is] similar to the one used in the Stuxnet worm, but it is more effective," according to Kaspersky Lab. "The module masks the Trojan's files on the USB drive without using a driver. It does not infect the system: information is extracted from it using a spy module (32- or 64-bit) and saved on the USB drive."

According to Symantec, the USB attack code would be quite difficult to spot. "Some sections of the payload binary that spreads to USB devices are RC4 encrypted with keys generated to target specific computers," it said, referencing the RC4 software stream cipher. "The underlying data has yet to be decrypted in these payloads."

7. Attack Code Installs Font
A substantial amount of Gauss analysis remains, before the design of its modules--or even how it goes about infecting systems--can be fully understood. In particular, "the infection vector is currently unknown," according to Symantec.

Another mystery is the Gauss module dubbed "Lagrange," which--as Symantec put it--"curiously installs a font called Palida Narrow." The custom TrueType font "appears to contain valid Western, Baltic, and Turkish symbols," according to Kaspersky. Why create custom fonts for malware? So far, that's just one more outstanding and unusual Gauss question that remains unanswered.

danny117 aka dws400
User Rank: Apprentice
8/10/2012 | 5:01:47 PM
re: Gauss Espionage Malware: 7 Key Facts
What one man can do another can do...

Perhaps the font was the attack vector.
User Rank: Apprentice
8/10/2012 | 5:09:19 PM
re: Gauss Espionage Malware: 7 Key Facts
High level? Kaspersky? :D:D:D

You are funny?

We have had more than 4 years of partnership with Kaspersky.

They only sell in Iran and a few countries.

More of their news is advertisement targets and lies, or they issue news about old viruses and threats that other companies discovered earlier.

Thank you
Regards,
[email protected],
User Rank: Apprentice
8/10/2012 | 5:21:34 PM
re: Gauss Espionage Malware: 7 Key Facts
My theory about the font is that it is being used to identify systems that have been compromised.

There is something known as a browser fingerprint that currently exists. It is based on a number of factors like the HTTP headers that your browser uses, installed plugins, and, yes, installed system fonts.

Imagine some innocuous site that scans people's installed fonts. When it picks up on "Palida Narrow" it says that this system is infected, or has been at one point.

If you have never heard of browser fingerprinting, I urge you to check out http://panopticlick.eff.net
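The check the comment above describes, and the "Palida Narrow" indicator from point 7 of the article, as an added example that is not code from the article, from Kaspersky or from any commenter: a defender-side page that tests whether the font Gauss installs is present, using the classic installed-font fingerprinting trick (a missing font falls back to the base font, so the rendered width only changes when the probed font really exists). The width-measurement function is injected so the core logic also runs outside a browser; the canvas implementation is the browser path.

```javascript
// Added example (not from the article or its commenters): detect the
// "Palida Narrow" indicator font via rendered-width comparison.
const TEST_STRING = "mmmmmmmmmmlli"; // wide and narrow glyphs exaggerate width differences
const BASE_FONTS = ["monospace", "sans-serif", "serif"];

// Returns true when `fontName` is installed. `measure(fontFamily)` must return
// the rendered width of TEST_STRING for a CSS font-family string. If the probe
// font is absent the browser silently uses the base font, so the width matches
// the baseline; a difference against any base font proves the font exists.
function isFontInstalled(fontName, measure) {
  return BASE_FONTS.some((base) => {
    const baseline = measure(base);
    const probed = measure(`'${fontName}', ${base}`);
    return probed !== baseline;
  });
}

// Browser implementation of `measure`, using an offscreen canvas.
function canvasMeasure() {
  const ctx = document.createElement("canvas").getContext("2d");
  return (fontFamily) => {
    ctx.font = `72px ${fontFamily}`;
    return ctx.measureText(TEST_STRING).width;
  };
}

// Check a list of indicator fonts and return the ones that are present.
function findIndicatorFonts(fontNames, measure) {
  return fontNames.filter((name) => isFontInstalled(name, measure));
}

// Browser-only entry point; skipped when there is no DOM (e.g. under Node).
if (typeof document !== "undefined") {
  const present = findIndicatorFonts(["Palida Narrow"], canvasMeasure());
  console.log(present.length
    ? `indicator font present: ${present.join(", ")}`
    : "no indicator font found");
}
```

The same measurement is what fingerprinting sites such as Panopticlick use to enumerate fonts, which is why an unusual custom font is a durable host marker even after the malware itself is removed.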
User Rank: Apprentice
8/10/2012 | 6:38:12 PM
re: Gauss Espionage Malware: 7 Key Facts
How many incidents of cyber fraud and theft of credentials have to happen before the public finally realizes that no operating system configured for general purpose use can protect one's bank assets? Bank industry experts just testified before Congress saying malware contamination of the client's Windows PC is the single greatest cause of "Account Takeover" by cybercriminals. Gauss equips cybercriminals with even stronger tools to launch their attacks.

The best strategy bank clients can use to protect their bank accounts is to use a purpose-built One-Time OS that operates completely independent from Windows and is freshly created for each bank session. The concept applies the principle and strengths of One-Time Passwords to operating system images. Malware contamination is virtually impossible and it's free. Check it out.

Google "cybershield-os" or see http://www.cybershieldsolution...

Andrew Hornback
User Rank: Apprentice
8/12/2012 | 11:49:56 PM
re: Gauss Espionage Malware: 7 Key Facts
I'd like to take a better look at point 3 here... Warhead that would damage industrial control systems. I have to wonder if this was a possible "finishing move" embedded in this little gem and left there, just in case it came into contact with a system that handled bank checks going through an OCR system or maybe even getting its code around a building's control systems - HVAC systems, camera/security systems...

Unleashing something like that could make for a really bad day for a whole lot of people.

Andrew Hornback
InformationWeek Contributor