Gauss: Stuxnet-like cyber-espionage toolkit targets Middle East banks

By Lee Kaelin on August 10, 2012, 1:00 PM

Kaspersky security analysts have identified another cyber-threat (PDF) targeting the Middle East as part of their ongoing research into Flame. Named Gauss, it displays all the hallmarks of belonging to the same family as Flame, Stuxnet and Duqu: it is stealing financial account and login information from computer users accessing Lebanese banks, and reporting hardware configurations back to its creators.

"Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations," said Kaspersky.

Kaspersky added that Gauss was likely created in mid-2011 and deployed last September. Although the command and control servers appear to have gone silent in June, the worm sits dormant in the meantime, awaiting contact from them.

Its infection mechanism is not yet fully known (the same is true of Flame), though analysts think both worms could potentially use the same infection methods. Research so far suggests there is no self-spreading aspect to Gauss.

The new worm uses the same Windows shortcut vulnerability (CVE-2010-2568) exploited by Flame and Stuxnet, and infects USB memory sticks. Further investigation reveals that the worm will run 30 times from the USB stick before completely removing all traces of itself.

Analysis shows it has infected thousands of Lebanese computers and targets the country's financial institutions, specifically the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, Credit Libanais, PayPal and Citibank. Other Middle Eastern countries and Israel also appear to have a limited number of infections.

Kaspersky says it is also capable of intercepting cookies and browsing activity, stealing account credentials for email and chat accounts, and harvesting hardware configurations, including BIOS details, all of which are reported back to the command servers. It is unconfirmed whether the worm has been used to steal money from infected accounts.

More alarmingly, however, it also appears to carry a secret payload which, due to heavy encryption, has eluded researchers. Kaspersky is even calling for world-class cryptographers to help break it, asking anyone interested in the challenge to contact them by email: theflame@kaspersky.com.

"After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same factory or factories. All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations," Kaspersky said.

User Comments: 7

gwailo247, TechSpot Chancellor, said:

I have a feeling that Israel is going to demolish Iran without the use of a single soldier or plane.

Pretty soon we're going to see an actual cyber war.

Sphynx Sphynx said:

I have a feeling that Israel is going to demolish Iran without the use of a single soldier or plane.

Pretty soon we're going to see an actual cyber war.

You are living in cloud cuckoo land if you think Israel is going to demolish Iran with cyber-warfare.

Pulling off a cyber-attack of that magnitude on Iran is actually more difficult (and less practical) than you realize.

TJGeezer said:

If the targeted banks have publicly traded stocks, look for an unexplained short-selling peak just before the encrypted payloads activate. (At least, that's what happened before a physical attack destroyed the WTC in New York.) We may already have an actual cyber war under way. When a nation state attacks another nation state's financial institutions, it ain't exactly friendly. Hard to say how practical or effective it is, since it's uncharted territory.

Tygerstrike said:

I like that they don't know who created this program. Who is using it. Who will benefit from this. I personally think the idea of being able to subvert a possible physical war is a great idea. Yes it's the banks getting hit, but we can guarantee that it's not some criminal or money would be flying out of those banks.

Leeky Leeky said:

@Tygerstrike,

Researchers have pointed fingers in the general direction of both Israel and the United States, summarising that the two are the most likely to have had the resources to construct them. Either way, it isn't a Chinese hacker in his back garden workshop, it's a massively funded, government-level project and the USA is in high probability behind it.

According to a book recently published; [link] the US built the Stuxnet worm with the aim of crippling nuclear facilities used by Libya's Qadaffi regime -- despite apparently not knowing it would even be required at the time!

Initially the earlier portions of the US-written code (that later became Stuxnet) infiltrated the closed Natanz network and gave the government an entire map of its hardware and network infrastructure.

Then "somehow" the worm leaked and ended up in the Israelis' hands. They adapted it and then (most likely) using double agents once again infiltrated the closed network of the Iranian Natanz refining facility and locally uploaded the modified code via USB memory sticks, resulting in the plant's centrifuges being shaken till they literally fell apart.

Then fate stepped in. Somehow, on a worker's computer the worm left the private Natanz network and ended up on the internet. It was then found by security researchers and subsequently reverse-engineered to the state we're at today. Stuxnet, Duqu, Flame and Gauss were all in high probability written by the same people, in the same "factory" and are very closely related in many ways.

I doubt this is the end of it either; the next threat could potentially already be in the wild and doing damage.

Tygerstrike said:

lol thanks for the info Leeky. I was trying to state how there is no definitive proof. It's all supposition. Of course no one is going to step forward and claim ownership of the program. That individual is either a govt employee or dead. It's just that we don't know who is really using the program. It may be Israel or the US, but it could also be the Saudis. It could be Syria. I guess until someone gets caught or the creator of the program steps forward, we won't know.

Guest said:

The cyber attack has a purpose: Trace the money going into Hezbullah and Hamas.
