Researchers have come across another sophisticated piece of Middle Eastern-targeted espionage malware, which, at the very least, is capable of stealing bank login details, and, at the most extreme, is another Stuxnet.
Dubbed Gauss, the malware was discovered by analysts at Russia-based Kaspersky Lab, the same outfit that detected the Flame virus, which used world-class cryptographic functionality to spread and infect hundreds of machines in Iran to gather intelligence. And researchers found that Gauss, whose main module is named after the 19th century German mathematician Carl Friedrich Gauss, was built using the same platform as Flame.
Flame and Stuxnet are both believed to be collaborative creations of the United States and Israel.
Like Flame, Gauss contains several modules so that it can be customized to attack a victim in a certain way, Roel Schouwenberg, a senior anti-virus researcher at Kaspersky, told SCMagazine.com on Thursday. So far, researchers have only gleaned insight about its password-stealing capabilities.
Experts who studied the trojan, which began spreading sometime late last summer, can confirm at least 2,500 computers, mostly in Lebanon, have been hit with the malware. It is capable of siphoning the usernames and passwords of a half-dozen banks in Lebanon, as well as Citibank and PayPal. The malware also can hijack data related to emails and social networking sites.
"We assume they somehow want to monitor bank accounts and money flow, but we don't know for sure," Schouwenberg said, adding that it does not appear as if any money has been stolen as a result of the operation.
But researchers are still unsure of the capability of Gauss' encrypted payload, which Kaspersky so far has been unable to crack. Schouwenberg said the trojan contains a USB module, which indicates that it is targeting machines that are disconnected from the internet, thus unable to be remotely reached. This is typical of endpoints in "air-gapped" environments, he said.
What researchers do know is that the USB module searches for a specific system configuration -- directories, programs and files -- to confirm it is running on the intended target. Then, it runs MD5, a cryptographic hash function, 10,000 times to calculate the decryption key.
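As an added illustration, not code from the article or from Gauss itself, the Python sketch below shows how iterating MD5 over a host fingerprint ties a key to one specific configuration, and why an analyst who does not hold the exact configuration cannot reproduce it. The fingerprint layout (NUL-joined strings), the chaining of each digest into the next round, and all sample paths are assumptions.

```python
import hashlib

ITERATIONS = 10_000  # iteration count as stated in the article


def derive_key(config_items, iterations=ITERATIONS):
    """Derive a 16-byte key by iterating MD5 over a host fingerprint.

    Assumption for illustration: the fingerprint is the configuration
    strings joined with NUL, and each round hashes the previous digest.
    The article states only that MD5 is run 10,000 times over a specific
    system configuration (directories, programs, files).
    """
    digest = "\x00".join(config_items).encode("utf-8")
    for _ in range(iterations):
        digest = hashlib.md5(digest).digest()
    return digest


# Constructed example target configuration (not from the article).
TARGET_CONFIG = [r"C:\Program Files\ExampleApp", "example.exe", "settings.dat"]


def find_matching_config(candidates, expected_key):
    """Analyst-side check: which candidate configuration (e.g. gathered
    from a suspect machine) reproduces the key? Returns its index or None.
    Each candidate costs 10,000 MD5 rounds, which is what makes guessing
    the configuration expensive without knowing the target."""
    for index, cfg in enumerate(candidates):
        if derive_key(cfg) == expected_key:
            return index
    return None


def differing_bits(a, b):
    """Count differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key = derive_key(TARGET_CONFIG)
    # A one-character change in the configuration yields an unrelated key.
    near_miss = [r"C:\Program Files\ExampleApp", "example.exe", "settings.da"]
    print("key:", key.hex())
    print("bits changed by a one-character config change:",
          differing_bits(key, derive_key(near_miss)))
```

Without the exact directory and file names, an analyst is left enumerating plausible configurations, each costing 10,000 MD5 rounds, which is consistent with the payload remaining undecrypted.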