Friday, August 10, 2012

With Gauss tool, cyberspying moves beyond Stuxnet, Flame

There is enough evidence that this is closely related to Flame and Stuxnet, which are nation-state sponsored attacks. We have evidence that Gauss was created by the same "factory" (or factories) that produced Stuxnet, Duqu and Flame.

CNET - Kaspersky Lab finds Gauss, a spying malware that collects financial information and resembles Flame. Components are named after famous mathematicians.

Gauss, a new "cyber-espionage toolkit," has emerged in the Middle East and is capable of stealing sensitive data such as browser passwords, online banking accounts, cookies, and system configurations, according to Kaspersky Lab. Gauss appears to have come from the same nation-state factories that produced Stuxnet.

According to Kaspersky, Gauss has unique characteristics relative to other malware. Kaspersky said it found Gauss following the discovery of Flame. The International Telecommunications Union has started an effort to identify emerging cyberthreats and mitigate them before they spread.

In a nutshell, Gauss launched around September 2011 and was discovered in June. Gauss, which resembles Flame, had its command and control infrastructure shut down in July, but the malware is dormant waiting for servers to become active. Kaspersky noted in an FAQ:

Among Gauss' key features:
  • Gauss collects data on machines and sends it to attackers. This data includes network interface information, computer drive details and BIOS characteristics.
  • The malware can infect USB thumb drives using the vulnerabilities found in Stuxnet and Flame.
  • Gauss can disinfect drives under certain circumstances and then uses removable media to store collected data in a hidden file.
  • The malware also installs a special font called Palida Narrow.