While origin unclear, Gauss indicates malware tool boom

The computer security firm Kaspersky Lab announced this week that it had found a new cyber surveillance virus in the Middle East that is a descendent of the Stuxnet, Flame and Duqu malware.

But they are not calling it "Son of Stuxnet." Stuxnet is the computer worm widely believed to have been used by the U.S. and Israel to attack Iran's nuclear centrifuges.

Dennis Fisher, writing on the Kaspersky blog Threatpost, said the new malware, discovered in June, had been named Gauss, after the German mathematician Carl Friedrich Gauss.

"Gauss contains some of the same code as Flame," Fisher wrote. "But is markedly different in a number of respects, specifically in its ability to steal online banking credentials and has an encrypted payload that experts haven't yet been able to crack."

"[Gauss is] capable of stealing browser cookies and passwords, steal account information for social networks and IM applications, intercept online banking credentials for a handful of Middle Eastern banks as well as PayPal and Citibank and infect USB drives with a data-stealing module," Threatpost reported.

By Friday, both Kaspersky and the Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics had published Gauss detection tools. But those may soon be of limited value.

Anup Ghosh, founder and CEO of Invincea, a security software vendor, said the detection tool "will be distributed among all the anti-virus vendors." He added: "But that's only good for this version. As soon as they make a change -- and they will -- it will no longer detect it."

Kaspersky said Gauss had infected about 2,500 machines in Lebanon, Israel and the Palestinian territories, with the majority -- 1,660 -- in Lebanon.

This, say a number of analysts, suggests that while it may also have destructive capabilities, the purpose of the financial component is not to steal but to spy on transactions.


But at least some of them suspect that the U.S. sponsored it. "The code base can be traced back to Stuxnet, Flame and Duqu," said Ghosh. "But let's not jump to conclusions based on code. The U.S. doesn't really engage in this kind of thing -- which is not to say that Israel would not."

"There are other, less risky, ways of getting financial transactions than going through someone's desktop," Ghosh said, "and this is just not the MO of traditional intelligence."

He said that Gauss could be from a nation-state, "since that's the kind of espionage they do in the Middle East."

But, Ghosh said, what does that matter once malware like Stuxnet, Flame and Duqu is in the wild? "It ends up in people's hands. It will get repurposed. I don't think it is beyond the pale to suggest that it has been captured and repurposed for cybercrime and industrial or national security espionage."

Ben Knieff, a fraud expert and director of product marketing at NICE Actimize, said he would not speculate on what the motive of Gauss's creators is. "But I can say that malware like this may be looking at financial information for a variety of reasons," he said.

"It can be for espionage. They want to understand the transactions that a company or individual is making. That can be very valuable information. Money is power, but information is also power," Knieff said.

He said he believes a larger danger is that Gauss, while very well encrypted, will still become available for purchase in the malware marketplace. Like Ghosh, he believes that highly sophisticated malware like this is going to become commercialized. "These days, anyone can buy a kit for a few thousand dollars," he said.

Gauss may have hidden capabilities not yet discovered, said Roel Schouwenberg, a senior malware researcher at Kaspersky.

He told Dennis Fisher that its infrastructure is currently dormant, since the command-and-control system went offline last month, before it could be investigated. And Kaspersky said it might not be able to decrypt Gauss's code for months.

Joel Harding, a retired intelligence officer and information operation expert, said he knows some experts believe that Gauss was written by a sophisticated hacker group outside the U.S.

"But I couldn't get past the complexity and the organizational requirements it would take to get a hacker group to do this," Harding said. "It's such a time-intensive operation, stealing bank information and then siphoning off the money. I don't see the monetary payoff. The return on investment is just wrong."

He thinks, too, that it is more likely that a nation-state is behind it. "There is a list of banks in Lebanon and throughout the Middle East that have dealings with people and organizations we might consider shady," he said. "If one can follow the flow of money in and out of these institutions, the intelligence organizations will better understand who works for whom, who is doing what, and perhaps why."

Whoever created Gauss, Harding is impressed. "It is elegant and has gathered so much information. Whoever did the Intelligence Gain Loss (IGL) for using this system should receive a medal," he said. "Sure, the system is compromised. Sure, the Command and Control servers for this have gone dark. Sure, the world is aware of Gauss and is actively looking for it, but this is bleeding edge use of tools in cyberspace."

In fact, he said, he believes Gauss indicates that even better malware tools are being developed that will be even more difficult to discover and neutralize. "My take on this is that we now have a proof of concept, a working model, and the challenge now is to refine the code," Harding said. "Make it smaller, faster and quieter."

Stories by Taylor Armerding