Researchers are tying the Gauss malware to Flame in what could be an example of a state-sponsored banking Trojan. Researchers say there is no doubt that Gauss came from the same software "factory" as Flame.
A cyber-espionage tool security pros say is linked to Flame
has been spotted stealing banking information in a spate of attacks in the
Researchers at Kaspersky Lab said the malware, known as Gauss, was launched back in August
or September of 2011âroughly the same time as the Duqu malware was
discovered. In the case of Gauss, researchers discovered it as part of ongoing
effort by the International Telecommunication Union (ITU) following
the discovery of the Flame
malware earlier this year.
"Gauss bears striking resemblances to Flame, such as its
design and code base, which enabled us to discover the malicious program,"
said Alexander Gostev, chief security expert at Kaspersky. "Similar to
Flame and Duqu, Gauss
is a complex
cyber-espionage toolkit, with its design emphasizing stealth
and secrecy; however, its purpose was different [from] Flame or Duqu. Gauss
targets multiple users in select countries to steal large amounts of data, with
a specific focus on banking and financial information."
Just as Duqu was based on the "Tilded" platform
Stuxnet was developed on, Gauss is based on the Flame
, according to Kaspersky. Multiple modules of Gauss collect
information from browsers, including the history of visited Websites and user
passwords. The malware also steals data about the infected machine, such as
BIOS information and information about network interfaces.
But it is its ability to steal financial information that
has really raised eyebrows. The Gauss module specifically targets data from the
clients of several Lebanese banks, including the Bank of Beirut and
BlomBank as well as Citibank and PayPal.
This feature, Kaspersky researchers said, gives it the distinction of being the
first publicly known state-sponsored banking Trojan.
Though the initial infection vector is not known, Gauss has
the ability to infect USB thumb drives with a data-stealing
component using the same LNK vulnerability
exploited by Stuxnet and Flame. However, the process of infecting USB sticks is
more intelligent in Gauss, as it is capable of disinfecting the drive under
certain circumstances and using the removable media to store collected
information in a hidden file.
The USB data-stealing payload contains several encrypted
sections that are decrypted with a key derived from certain system properties,
the company explained.
"These sections are encrypted with an RC4 key derived
from a MD5 hash performed 10,000 times on a combination of a "%PATH%"
environment string and the name of the directory in %PROGRAMFILES%. The RC4 key
and the contents of these sections are not yet known-so we do not know the
purpose of this hidden payload," according to Kaspersky's whitepaper on
The majority of the infections have been found in Lebanon,
Palestine and Israel. All totaled, Gauss is known to have infected roughly
2,500 machines, a figure significantly higher than the 700 believed to have
been infected by Flame.
Nevertheless, code references, encryption subroutines and the command and control
infrastructure for Gauss indicate the malware was manufactured by the authors
of Flame, according to Kasperskyâwhich if true, could point the finger at the
United States, which has been accused of creating Flame as part of a
cyber-operation against Iran.
"Gauss was built on the same platform that Flame was
built on," said Roel Schoewenberg, senior antivirus researcher for Kaspersky.
"There's absolutely no doubt they come from the same factory. A lot of the
same source code was used. Unless someone managed to steal the Flame source
code, this is done by the same attackers."