Gauss Espionage Malware Stealing Banking Data in Middle East - Security - News & Reviews - eWeek.com | eWeek

Gauss Espionage Malware Stealing Banking Data in Middle East

Écrit par
Brian Prince
Brian Prince
Aug 9, 2012
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

A cyber-espionage tool security pros say is linked to Flame has been spotted stealing banking information in a spate of attacks in the Middle East.

Researchers at Kaspersky Lab said the malware, known as Gauss, was launched back in August or September of 2011–roughly the same time as the Duqu malware was discovered. In the case of Gauss, researchers discovered it as part of ongoing effort by the International Telecommunication Union (ITU) following the discovery of the Flame malware earlier this year.

“Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious program,” said Alexander Gostev, chief security expert at Kaspersky. “Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasizing stealth and secrecy; however, its purpose was different [from] Flame or Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.”

Just as Duqu was based on the “Tilded” platform Stuxnet was developed on, Gauss is based on the Flame platform, according to Kaspersky. Multiple modules of Gauss collect information from browsers, including the history of visited Websites and user passwords. The malware also steals data about the infected machine, such as BIOS information and information about network interfaces.

But it is its ability to steal financial information that has really raised eyebrows. The Gauss module specifically targets data from the clients of several Lebanese banks, including the Bank of Beirut and BlomBank as well as Citibank and PayPal. This feature, Kaspersky researchers said, gives it the distinction of being the first publicly known state-sponsored banking Trojan.

Though the initial infection vector is not known, Gauss has the ability to infect USB thumb drives with a data-stealing component using the same LNK vulnerability exploited by Stuxnet and Flame. However, the process of infecting USB sticks is more intelligent in Gauss, as it is capable of disinfecting the drive under certain circumstances and using the removable media to store collected information in a hidden file.

The USB data-stealing payload contains several encrypted sections that are decrypted with a key derived from certain system properties, the company explained.

“These sections are encrypted with an RC4 key derived from a MD5 hash performed 10,000 times on a combination of a “%PATH%” environment string and the name of the directory in %PROGRAMFILES%. The RC4 key and the contents of these sections are not yet known-so we do not know the purpose of this hidden payload,” according to Kaspersky’s whitepaper on the malware.

The majority of the infections have been found in Lebanon, Palestine and Israel. All totaled, Gauss is known to have infected roughly 2,500 machines, a figure significantly higher than the 700 believed to have been infected by Flame.

Nevertheless, code references, encryption subroutines and the command and control infrastructure for Gauss indicate the malware was manufactured by the authors of Flame, according to Kaspersky–which if true, could point the finger at the United States, which has been accused of creating Flame as part of a cyber-operation against Iran.

“Gauss was built on the same platform that Flame was built on,” said Roel Schoewenberg, senior antivirus researcher for Kaspersky. “There’s absolutely no doubt they come from the same factory. A lot of the same source code was used. Unless someone managed to steal the Flame source code, this is done by the same attackers.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.