Financial malware 'related to Stuxnet' uncovered by Kaspersky Labs

By Graeme Burton
09 Aug 2012

A new virus potentially from the same group that developed Stuxnet, Duqu and Flame has been uncovered by anti-virus software vendor Kaspersky Labs.

Called 'Gauss', the malware 'spies' on financial transactions, according to the company, and has been found in the wild in the Middle East, including Lebanon, Israel and the Palestinian Territories. Some 2,500 infections have so far been uncovered.

Kaspersky links Gauss to Stuxnet, Duqu and Flame, malware that has been attributed to US intelligence, because it shares many of the same characteristics with them. Those earlier items of malware were targeted against Iran's burgeoning nuclear research infrastructure.

"Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious program," said Alexander Gostev, chief security expert at Kaspersky Lab, in a statement.

He added: "Gauss is a complex cyber-espionage toolkit, with its design emphasising stealth and secrecy; however, its purpose is different to Flame or Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information."

Kaspersky claims that Gauss was 'launched' in September 2011 and that the company uncovered it in June 2012. The command-and-control infrastructure for the virus was shut down in the following month and, as a result, the malware currently lies in a 'dormant state', according to Kaspersky.

It steals detailed information about infected PCs, including browser history, cookies, passwords, and system configurations. It is also capable of stealing access credentials for various online banking systems and payment methods.

It appears to be aimed, in particular, at several Lebanese banks, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. In addition, it targets users of Citibank and PayPal.

The revelation will add weight to advice from security experts such as Brian Krebs that organisations ought only to carry out financial transactions online from a copy of Linux booted up fresh from a Live CD or DVD.

The link with previous malware widely attributed to US intelligence and the focus on Lebanon would imply that its purpose was to uncover the sources of funding of Iran-linked Lebanese political group Hezbollah.

Another key feature of Gauss, claims Kaspersky, is its ability to infect USB memory sticks using the same LNK vulnerability previously used in Stuxnet and Flame, as well as 'disinfecting' USB sticks under certain circumstances. It also uses the USB stick to store collected information in a hidden file and, for reasons not yet known, installs a special font called 'Palida Narrow'.

The exact method by which Gauss propagates is not yet known, but it is thought to be different from that of Flame and Duqu. However, it is spread in a controlled fashion, emphasising stealth and secrecy, warns Kaspersky.
