Gauss, the latest addition to the Stuxnet virus family, has been found in Lebanon, Israel and Palestine.
Kaspersky Labs – the Moscow-based anti-virus company – have identified another member of the Stuxnet virus family. Dubbed Gauss, after mathematician Johann Carl Friedrich Gauss, this virus has been identified in banks across the Middle East, mostly in Lebanon, but also in Israel and Palestine. It also targets users of Citibank and PayPal. Approximately 2,500 machines have been confirmed infected with Gauss; a significant increase over its predecessor Flame, which only hit 700 machines in Iran. Kaspersky suspects that this is the tip of the iceberg, and that Gauss probably hit tens of thousands of machines that it doesn’t yet know about. Gauss has been designed as a data-collector, but may also have been intended to attack – even destroy – financial networks.
Kaspersky is confident that Gauss is from the Stuxnet family. Kaspersky alleges that Gauss shares significant commonalities with Flame, including “similar architectural platforms, module structures, code bases and means of communication with command & control (C&C) servers.” However where Flame went for government and educational machines, Gauss is purely a financial shark that, Kaspersky estimates, has been in operation since September 2011. “The Gauss C&C infrastructure was shutdown in July 2012 shortly after its discovery,” said Kaspersky in its official statement. “Currently the malware is in a dormant state, waiting for its C&C servers to become active.”
It’s impossible to be sure what Gauss is intended to do, but the likelihood is Gauss was built to monitor financial transactions. Alexander Gostev of Kaspersky called it a “complex cyber-espionage toolkit,” and added that “Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.” It’s also capable of collecting access credentials for various online banking systems and payment methods, which suggests that Gauss was built to steal as well as to monitor cash flow. It may have been intended as an attack weapon, as well as an intelligence gathering device.
Its initial infection point is unknown but it spreads stealthily and in a controlled manner, making it difficult to detect. Like previous versions Gauss can also infect via USB devices, but according to Kaspersky it does so in a more “intelligent” manner than its previous iterations. “Gauss is capable of “disinfecting” the drive under certain circumstances,” says Kaspersky’s official statement, “and uses the removable media to store collected information in a hidden file. Another activity of the Trojan is the installation of a special font called Palida Narrow, and the purpose of this action is still unknown.”
Of course, the really fun fact about Flame was that it got off the reservation. Though initially reported in Iran, it later was found in North America and Europe. Kaspersky still don’t know exactly how many machines are infected with Gauss but, though their provisional estimate suggests that the Middle East was the primary target zone, if PayPal and Citibank were targeted then Gauss could end up … pretty much anywhere.