Gauss appears to have been made to steal online banking details from users in Lebanon and Israel/Palestine.
Published Thursday, 9 August 2012
By Mark Sutton
Kaspersky Lab is warning of another malware that is targeting systems in the Middle East.
The new malware, dubbed Gauss, appears to be crafted to steal internet banking credentials, and is believed to be linked to the Flame attacks uncovered in June.
Gauss has mainly been found on 32-bit Windows systems in Lebanon and Israel/Palestine, although some infections have been discovered in the UAE, Saudi Arabia and Qatar. Kaspersky has detected 2,500 infections. The malware first came to light in June, although researchers suspect it has been live since September 2011, and the total number of infections may be in the tens of thousands.
The malware is unusual in that it does not use typical ‘worm’ behaviour to propagate itself, but rather spreads via infected USB drives, with a module capable of infecting drives from both 32-bit and 64-bit systems. On an infected USB drive,
The payload appears to capture login details for internet banking services, with a particular focus on Lebanese banks. The malware monitors transactions with several Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. In addition, it targets users of Citibank and PayPal.
The USB attack also shows some unusual behaviour: when an infected drive is plugged into a machine, the malware can run on that machine only briefly, collect data such as cookies and browser history, and write it back to the USB drive in encrypted form, without leaving a persistent infection behind. Gauss is also capable of ‘disinfecting’ the drive under certain circumstances.
Researchers have also identified an encrypted section of the malware on USB drives that installs a further payload on the machine only when certain conditions related to the target system are met. If the malware finds a particular, as yet unknown, program installed in the ‘Program Files’ folder, and certain other, also unknown, conditions are satisfied, these values are combined to form a decryption key that decodes part of the encrypted section and installs the additional payload. Because the key depends on the victim’s environment rather than being stored in the sample, researchers have so far been unable to decrypt and analyse this part.
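The environment-keyed payload described above is a general technique, and the following added example (not Gauss’s code, and not Kaspersky’s analysis) illustrates it in Python with standard-library primitives. The directory name `ExampleProgram`, the salt, the iteration count, the sample directory listing and the sample stage-2 bytes are all constructed for this illustration; the page does not describe which cipher or hash Gauss uses, so HMAC-SHA256 stands in for both. The same `find_key` routine serves both sides: the malware uses it over the victim’s real `Program Files` listing, and an analyst without access to the victim can only run it over a dictionary of guessed program names.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Hypothetical parameters for this illustration; they are not Gauss's real values.
SALT = b"example-salt"
HASH_ITERATIONS = 10000   # expensive derivation slows an analyst's dictionary attack
TAG_LEN = 16


def derive_key(dir_name: str, salt: bytes = SALT, iterations: int = HASH_ITERATIONS) -> bytes:
    """Derive a 32-byte key from an environment-specific string such as a directory name."""
    return hashlib.pbkdf2_hmac("sha256", dir_name.encode("utf-8"), salt, iterations)


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stdlib stand-in for a real stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: tag || ciphertext. The tag lets the decryptor recognise the right key."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    return tag + ct


def unseal(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the plaintext if the key is correct, otherwise None (wrong key fails the tag check)."""
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def find_key(blob: bytes, candidates: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    """Try each candidate directory name as key material; return (name, plaintext) on the first hit."""
    for name in candidates:
        pt = unseal(blob, derive_key(name))
        if pt is not None:
            return name, pt
    return None


def program_files_names() -> list:
    """Real enumeration of %PROGRAMFILES% on Windows; returns [] elsewhere (the example uses constructed data)."""
    root = os.environ.get("PROGRAMFILES")
    if not root or not os.path.isdir(root):
        return []
    return sorted(os.listdir(root))


# Constructed sample data: the attacker knows the target has a directory named "ExampleProgram".
TRIGGER_DIR = "ExampleProgram"
STAGE2 = b"stage-2 payload (constructed placeholder bytes, not real code)"
SAMPLE_BLOB = seal(derive_key(TRIGGER_DIR), STAGE2)

# Constructed victim listing (contains the trigger) and analyst wordlist (does not).
VICTIM_LISTING = ["Common Files", "Internet Explorer", "ExampleProgram", "Windows Mail"]
ANALYST_WORDLIST = ["Common Files", "Internet Explorer", "Windows Mail", "Adobe", "Java"]


def demo() -> Tuple[Optional[Tuple[str, bytes]], Optional[Tuple[str, bytes]]]:
    """On the victim the payload unlocks; the analyst's guesses miss and the blob stays opaque."""
    return find_key(SAMPLE_BLOB, VICTIM_LISTING), find_key(SAMPLE_BLOB, ANALYST_WORDLIST)


if __name__ == "__main__":
    victim, analyst = demo()
    print("victim:", victim)
    print("analyst:", analyst)
```

The practical consequence for a responder is the last line of `demo`: with the sample alone, recovery reduces to a dictionary attack over plausible directory names, so the speed of the attacker’s key derivation directly bounds what an analyst can brute-force.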
Stolen details were then transmitted to a command and control network, although there is no evidence yet that any financial fraud has been carried out with them.
Other elements of the malware analysed so far include modules that collect information about the infected system, including BIOS data, hardware IDs and user domain details. All of the modules of Gauss are named after famous mathematicians.
Another unusual aspect of Gauss is that it appears to be geared to send a very large volume of data from each compromised machine, with some of the code indicating a round-robin DNS load balancing technique on the server side.
Gauss also installs a custom font, Palida Narrow, on an infected machine, although the font does not seem to have been used.
A command and control network of five infrastructure servers has been found, which had been migrated from one country to another, with the latest found in India. Servers had previously been found in Portugal and the US. The domain registrations linked to the various servers were all registered under false names and unrelated addresses such as hotels and restaurants. The C&C network ceased operations in July.
Vitaly Kamluk, chief malware expert at Kaspersky Lab, said that Gauss appears likely to be related to previous attacks that have targeted the region, including Flame and Stuxnet, and that the malware was most likely written by a nation-state supported group. The malware is younger than Flame: Gauss’s first module dates from 1 June 2011, and the first C&C domain was registered in July 2011. However, Gauss shares similar encryption with the earlier attacks, and also uses the same LNK vulnerability that was exploited by Stuxnet and Flame. Kamluk also pointed to the similarities in geographic targeting and timeframe.
“We don’t see any worm-like functionality, however they managed to infect thousands of machines, which is strange. They targeted particular countries; traditional cybercriminals don’t target particular countries, they try to infect as many computers as possible, unlike Gauss, which tried to stay within the borders of these three countries,” he said.
Kaspersky says it is still analysing the malware, and expects further details to come to light.