Gauss Online Detection Tools Offered by Kaspersky, CrySys

 
 
By Jeffrey Burt  |  Posted 2012-08-11
 
 
 

Security experts at Kaspersky Lab have discovered another state-sponsored cyber-spying tool, called Gauss, which appears to be related to the Flame malware that targeted computers in Iran.

Now Kaspersky and another security organization, the Laboratory of Cryptography and System Security (CrySys) in Hungary, have come out with free online detection tools designed to help users determine whether their computers are infected with the Gauss virus.

Both tools are predicated on determining whether a font-dubbed Palida Narrow-is found in the PC. The mysterious Palida Narrow font is particular to the Gauss malware, though Kaspersky researchers are unsure whether the font plays any role in the tool's work.

"This font was used during the Gauss cyber-attack," a Kaspersky security expert said in an Aug. 10 post on the company's SecureList blog. "Although we don't currently understand exactly why the attackers have installed this font, it could serve as an indicator of Gauss activity on your system."

CrySys was first to offer an online detection tool to sniff out the Palida Narrow font, which the Gauss malware leaves on infected PCs. Kaspersky took a similar approach, but added an iframe window that uses JavaScript to determine whether the font is on a system. Kaspersky's expert said the iframe approach simplifies the search by not requiring any server interaction.

Kaspersky's tool can be found on its SecureList blog. CrySys' detection tool can be found on its Website.

Kaspersky and other Web security firms have said their antivirus software tools can detect and remove Gauss from systems. In a blog post Aug. 10, security vendor F-Secure noted that Gauss will not install itself onto a system if antivirus software is present, and apparently also will not install if started on Microsoft Windows 7 SP 1.

CrySys was the research organization that discovered Duqu, the data-stealing worm that security experts believe is closely related to Stuxnet, another nation-sponsored exploit apparently designed to attack Iran's nuclear facilities and equipment. In June, Kaspersky experts said they had found direct links between Stuxnet and Flame.

The cyber-espionage tools-Duqu, Flame, Stuxnet and now Gauss-have been aimed at government and business organizations in the Middle East, though there has been a spillover effect to other parts of the world. Given their targets and the sophistication of the malware, speculation has grown that at least some of these computer viruses have been created by Israel or the United States, or both, to slow down Iran's nuclear ambitions and to help keep track of terrorist groups in the region.

Whereas Flame and Stuxnet appeared to be aimed at Iranian agencies, the data-stealing Gauss virus seems to be targeting banks and other financial institutions in the Middle East, with speculation about the possibility that it could be part of a larger effort to track money associated with terrorist groups. Kaspersky estimates that 2,500 computers have been infected by Gauss.

There's little doubt that Gauss is part of a larger state-sponsored cyber-espionage effort, according to a Kaspersky security expert.

"There is enough evidence that this is closely related to Flame and Stuxnet, which are nation-state-sponsored attacks," the expert said in an Aug. 9 post on the SecureList blog. "We have evidence that Gauss was created by the same 'factory' (or factories) that produced Stuxnet, Duqu and Flame. By looking at Flame, Gauss, Stuxnet and Duqu, we can draw [a] 'big picture' of the relationship between them."

Kaspersky CEO Eugene Kaspersky has become increasingly outspoken against what he calls a growing trend of state-sponsored "cyber-terrorism," and has called on countries to fight against it. He noted that a growing number of countries are developing the technological capabilities to launch sophisticated cyber-attacks, and an escalation of such attacks could be dangerous to everyone.

"These ideas are spreading too fast," Kaspersky said during a conference in Israel in June. "That cyber-boomerang may get back to you."

Other security experts also expect this trend to continue.

"It is clear that the gloves are off when it comes to nation-state sponsored malware," Michael Sutton, vice president of security research at Zscaler ThreatLabZ, said about Gauss in an email sent to eWEEK. "While this has been ongoing for some time, the activities are now far more public and researchers are actively looking for samples, with the ability to 'follow the breadcrumbs' and tie together samples with a similar origin. We can only expect this activity to escalate with malware such as Stuxnet having succeeded by accomplishing a task that could have put individuals in harm's way, had the mission been carried out with traditional means."

Rocket Fuel