Stuxnet, Flame...Gauss: New spy virus found in Middle East

Get short URL

Published time: August 09, 2012 16:17
Edited time: August 09, 2012 20:38

A new virus dubbed Gauss has attacked computers in the Middle East spying on financial transactions, emails and picking passwords to all kind of pages. The virus resembles Stuxnet and Flame malware which was used to target Iran, Kaspersky Lab says.

­Gauss has infected hundreds of personal computers across the Middle East – most of them in Lebanon, but also in Israel and Palestinian territories. Kaspersky Lab has classified the virus, named after one of its major components, as “a cyber-espionage toolkit”.

The malicious malware spies on transactions in banking systems and steals passwords and credentials to social networks, emails and instant messaging accounts. It can also collect system configurations.

Though Gauss seems to be specifically designed for several Lebanese online banking systems, it can also go after Citibank and PayPal users.

­

Gauss can spread through USB drives using the same system vulnerability as previously unleashed Flame virus (image from http://www.securelist.com)

­

It is not immediately clear who may be behind the new Trojan virus, but Kaspersky Lab says the “nation-state sponsored” toolkit has features characteristic of Flame, DuQu and Stuxnet malware, which targeted machines in Iran.

"After looking at Stuxnet, DuQu and Flame, we can say with a high degree of certainty that Gauss comes from the same 'factory' or 'factories,'" Kaspersky Lab said in their report on Thursday. "All these attack toolkits represent the high end of nation-state-sponsored cyber-espionage and cyber war operations."

The researchers cannot say whether Gauss was meant to simply spy on account transactions, or to steal money from targets. But given the high probability of a nation-state actor behind it, the virus may be a counterintelligence tool, which could be used to trace funding of various groups or individuals.

­

Gauss has attacked over 2,500 personal computers in the Middle East. Only one attack has so far been reported in Iran (image from http://www.securelist.com)

­

The virus is yet to be fully exposed, as the Moscow-based internet security company is still trying to crack its payload, a section that sends and receives instructions from an outside source once it has infiltrated a system. The company is asking for assistance from any cryptographers since the payload is highly encrypted and its purposes remain unclear.

The virus was first spotted in June this year while Kaspersky Lab was looking for variants of Flame. Gauss appears to have been most active from May to July 2012, until its control and command infrastructure stopped functioning. Now the virus is in a dormant state.

Still, the malware, apparently created back in 2011, managed to spread much farther than Flame, which attacked around 700 PCs across the Middle East this spring.

Flame and Stuxnet are widely speculated to have been ordered by the US and Israel to hit Iran’s nuclear program. Western officials gave a tentative confirmation the CIA, the National Security Agency and the Israeli military were all involved in developing the Flame spying toolkit.

As for the Stuxnet attack, which in 2010 damaged uranium enrichment centrifuges in Iran, Washington has so far declined to comment on if it was behind the sabotage.

Now Gauss, which shares parts of its code with Flame, appears to add to the US and Israel’s presumed cyber arsenals.

­

Modules in the Gauss virus have internal names that Kaspersky Lab researchers believe were chosen to pay homage to famous mathematicians and philosophers, including Johann Carl Friedrich Gauss, Kurt Godel and Joseph-Louis Lagrange (image from http://www.securelist.com)