    Gauss Espionage Malware Stealing Banking Data in Middle East

    By
    Brian Prince
    -
    August 9, 2012

      A cyber-espionage tool that security researchers say is linked to Flame has been spotted stealing banking information in a spate of attacks in the Middle East.

      Researchers at Kaspersky Lab said the malware, known as Gauss, was launched in August or September of 2011, roughly the same time the Duqu malware was discovered. Gauss itself was found as part of an ongoing effort by the International Telecommunication Union (ITU) that followed the discovery of the Flame malware earlier this year.

      “Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious program,” said Alexander Gostev, chief security expert at Kaspersky. “Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasizing stealth and secrecy; however, its purpose was different [from] Flame or Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.”

      Just as Duqu was based on the “Tilded” platform on which Stuxnet was developed, Gauss is based on the Flame platform, according to Kaspersky. Multiple Gauss modules collect information from browsers, including the history of visited websites and saved user passwords. The malware also steals data about the infected machine, such as BIOS information and details of its network interfaces.

      But it is its ability to steal financial information that has really raised eyebrows. A dedicated Gauss module targets account data belonging to customers of several Lebanese banks, including the Bank of Beirut and BlomBank, as well as Citibank and PayPal. This feature, Kaspersky researchers said, makes Gauss the first publicly known state-sponsored banking Trojan.

      Though the initial infection vector is not known, Gauss can infect USB thumb drives with a data-stealing component using the same LNK vulnerability (CVE-2010-2568) exploited by Stuxnet and Flame. The USB infection routine is more selective than in those earlier tools: under certain circumstances it removes itself from the drive, and it uses the removable media to carry collected information back in a hidden file.

      The USB data-stealing payload contains several encrypted sections that are decrypted at run time with a key derived from properties of the host system, which means an analyst without a matching system cannot recover their contents, the company explained.

      “These sections are encrypted with an RC4 key derived from an MD5 hash performed 10,000 times on a combination of a ‘%PATH%’ environment string and the name of the directory in %PROGRAMFILES%. The RC4 key and the contents of these sections are not yet known, so we do not know the purpose of this hidden payload,” according to Kaspersky’s whitepaper on the malware.
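      The excerpt above describes a payload whose key never ships with the sample: it is recomputed on each host from two environment strings, and the dropper only needs to recognise when the result is correct. The following is an added example written for this article, not code from Kaspersky or from the Gauss sample. It takes only the quoted ingredients (%PATH%, a %PROGRAMFILES% directory name, MD5 chained 10,000 times, RC4) and fills the gaps with labelled assumptions: the concatenation order and UTF-16LE encoding, a stored md5(key) value as the "am I on the right host" check, and a constructed target PATH, directory name and plaintext. It also shows the analyst's side, guessing directory names, to make concrete why every wrong guess is expensive.

```python
import hashlib

# Iteration count quoted from the Kaspersky whitepaper excerpt above.
ROUNDS = 10_000


def derive_key(path_env: str, progfiles_dirname: str) -> bytes:
    """Chain MD5 ROUNDS times over the two host-specific strings.

    The excerpt names the ingredients and the iteration count; the
    concatenation order and the UTF-16LE encoding are assumptions here.
    """
    buf = (path_env + progfiles_dirname).encode("utf-16-le")
    for _ in range(ROUNDS):
        buf = hashlib.md5(buf).digest()
    return buf  # 16 bytes, used directly as the RC4 key


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_check(key: bytes) -> bytes:
    """Value the dropper stores so it can recognise the intended host.

    Storing md5(key) instead of the key is an assumed design for this
    example: it identifies the target without revealing the key itself.
    """
    return hashlib.md5(key).digest()


def build_section(plaintext: bytes, path_env: str, dirname: str):
    """Author's side: what ships is (stored key check, RC4 ciphertext)."""
    key = derive_key(path_env, dirname)
    return key_check(key), rc4(key, plaintext)


def try_decrypt(section, path_env: str, dirname: str):
    """Return the plaintext if these strings derive the right key, else None."""
    check, ciphertext = section
    key = derive_key(path_env, dirname)
    if key_check(key) != check:
        return None  # wrong host: nothing is decrypted, nothing leaks
    return rc4(key, ciphertext)


def brute_force(section, path_env: str, candidate_dirnames):
    """Analyst's side: try guessed directory names; each guess costs ROUNDS MD5s.

    Returns (dirname, plaintext) on success, None if no candidate matches.
    """
    for dirname in candidate_dirnames:
        plaintext = try_decrypt(section, path_env, dirname)
        if plaintext is not None:
            return dirname, plaintext
    return None


# Constructed sample target (not real Gauss data): a PATH value and one
# program directory name that together unlock the section.
TARGET_PATH = r"C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem"
TARGET_DIR = "Arabic Typing Tutor"  # hypothetical directory name
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"constructed payload stub"
SECTION = build_section(SAMPLE_PLAINTEXT, TARGET_PATH, TARGET_DIR)

if __name__ == "__main__":
    guesses = ["Common Files", "Internet Explorer", "Windows NT", TARGET_DIR]
    print(brute_force(SECTION, TARGET_PATH, guesses))
```

      The 10,000 chained hashes are not there to make the key stronger; they make each guess at the directory name cost 10,000 MD5 computations, so an analyst who lacks the %PATH% and %PROGRAMFILES% listing of an intended victim can only enumerate plausible installation names and pay that price per candidate. The `key_check` comparison is the reason the sample can refuse to unpack quietly on the wrong machine: a mismatch is detected before any decryption, and RC4 output under a wrong key is simply never examined.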

      The majority of the infections have been found in Lebanon, Palestine and Israel. In total, Gauss is known to have infected roughly 2,500 machines, significantly more than the roughly 700 believed to have been infected by Flame.

      Code references, encryption subroutines and the command-and-control infrastructure for Gauss indicate the malware was built by the authors of Flame, according to Kaspersky. If true, that could point the finger at the United States, which has been accused of creating Flame as part of a cyber-operation against Iran.

      “Gauss was built on the same platform that Flame was built on,” said Roel Schouwenberg, senior antivirus researcher for Kaspersky. “There’s absolutely no doubt they come from the same factory. A lot of the same source code was used. Unless someone managed to steal the Flame source code, this is done by the same attackers.”
