Gauss trojan targets Lebanese banks, likely U.S. creation

Researchers have come across another sophisticated piece of Middle Eastern-targeted espionage malware, which, at the very least, is capable of stealing bank login details, and, at the most extreme, is another Stuxnet.

Dubbed Gauss, the malware was discovered by analysts at Russia-based Kaspersky Lab, the same outfit that detected the Flame virus, which used world-class cryptographic functionality to spread and infect hundreds of machines in Iran to gather intelligence. And researchers found that Gauss, whose main module is named after the 19th century German mathematician Carl Friedrich Gauss, was built using the same platform as Flame.

Flame and Stuxnet are both believed to be collaborative creations of the United States and Israel.

Like Flame, Gauss contains several modules so that it can be customized to attack a victim in a certain way, Roel Schouwenberg, a senior anti-virus researcher at Kaspersky, told SCMagazine.com on Thursday. So far, researchers have only gleaned insight about its password-stealing capabilities.

Experts who studied the trojan, which began spreading sometime late last summer, can confirm at least 2,500 computers, mostly in Lebanon, have been hit with the malware. It is capable of siphoning the usernames and passwords of a half-dozen banks in Lebanon, as well as Citibank and PayPal. The malware also can hijack data related to emails and social networking sites.

"We assume they somehow want to monitor bank accounts and money flow, but we don't know for sure," Schouwenberg said, adding that it does not appear as if any money has been stolen as a result of the operation.

But researchers are still unsure of the capability of Gauss' encrypted payload, which Kaspersky so far has been unable to crack. Schouwenberg said the trojan contains a USB module, which indicates that it is targeting machines that are disconnected from the internet and therefore cannot be reached remotely. This is typical of endpoints in "air-gapped" environments, he said.

What researchers do know is that the USB module searches for a specific system configuration -- directories, programs and files -- to confirm that it has reached the system it was built for. Then, it runs MD5, a cryptographic hash function, 10,000 times over that configuration to calculate the decryption key.
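To show why a payload keyed this way resists analysis, here is an added illustration (not Kaspersky's code or anything recovered from Gauss) of iterated-MD5 key derivation seen from the analyst's side: the key is reproducible only from the exact configuration fingerprint, and each hypothesis costs 10,000 hash calls. The fingerprint encoding, the sample directory list and the key-verifier hash are all assumptions constructed for this example; only the MD5 iteration count comes from the article.

```python
import hashlib
from typing import Iterable, List, Optional

# Iteration count reported in the article; everything else below is an assumption.
ITERATIONS = 10_000

# Constructed stand-in for the directory/program listing the module is said to check.
TARGET_CONFIG = [
    "Program Files/Constructed Teller App",
    "Program Files/Common Files",
    "Windows/System32/constructed_module.dll",
]


def fingerprint(entries: Iterable[str]) -> bytes:
    """Canonicalise configuration entries into one byte string.

    The real Gauss encoding is not described in the article; sorted,
    newline-joined UTF-8 is an assumption made for this illustration.
    """
    return "\n".join(sorted(entries)).encode("utf-8")


def derive_key(data: bytes, iterations: int = ITERATIONS) -> bytes:
    """Feed MD5 back into itself `iterations` times and return the final digest.

    Iterating only multiplies the cost of each guess; all unpredictability
    comes from `data`, so an analyst who does not know the exact target
    configuration cannot reproduce the key no matter how the payload is studied.
    """
    digest = data
    for _ in range(iterations):
        digest = hashlib.md5(digest).digest()
    return digest


def key_verifier(entries: Iterable[str]) -> str:
    """Hash of the derived key, a constructed stand-in for whatever check the payload uses."""
    return hashlib.sha256(derive_key(fingerprint(entries))).hexdigest()


def recover_config(candidates: Iterable[List[str]], verifier: str) -> Optional[List[str]]:
    """Analyst's side: try hypothesised configurations until one reproduces the key.

    Each attempt costs ITERATIONS MD5 calls, so the search is bounded by how
    many plausible target configurations the analyst can enumerate.
    """
    for entries in candidates:
        if key_verifier(entries) == verifier:
            return entries
    return None
```

Reordering the entries yields the same key, while adding a single unexpected file yields an unrelated one, which is the property that lets the module confirm its target and keeps the payload opaque to everyone else.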
