Dubai: Kaspersky Lab and Budapest University of Technology and Economics’ Laboratory of Cryptography and System Security (CrySyS) are offering ways to check if your system is infected by Gauss, the new malware software targeting the Middle East.
The state-sponsored cyber-spying tool which appears to be related to the Flame virus that targeted computers in the Middle East, can steal sensitive data, including browser passwords, online banking accounts, cookies, and system configurations.
Kaspersky Lab — which recently released information about the malware — posted the tools after receiving inquiries about detecting the new malware.
Kaspersky Lab found that Palida Narrow, “a previously unknown font, is installed onto all computers infected by the Gauss malware.”
So the big mystery of Gauss is why Palida Narrow, a modified font with fake copyright notice is installed on victim computers. It seems that no exploit, shellcode or nasty payload are inside.
The majority of the infections have been found in Lebanon, Palestine and Israel.
11 machines were infected in the UAE while four each in Qatar, Jordan and Saudi Arabia.
Gauss is known to have infected 2,500 PCs, compared with 700 for Flame, and just 20 for Dugu and Stuxnet.
“Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information,” said Alexander Gostev, chief security expert at Kaspersky.
Users can download the Kaspersky virus removal tool — Kaspersky Virus Removal Tool 2011 — from its website or use a Web page provided by Hungarian research lab CrySyS — http://gauss.crysys.hu/index.php — to scan for the virus. The CrySys page will check your system for Palida Narrow, a font associated with Gauss.
Jeffrey Carr, CEO of cyber risk management firm Taia Global, said that Lebanese banks have long been watched by US intelligence agencies for their role in facilitating payments to extremist groups. “You’ve got this successful platform. Why not apply it to this investigation into Lebanese banks and whether or not they are involved in money laundering?” he said.
“So testing for infection is as simple as finding the font,” Kaspersky said in a statement.
“Although we don’t currently understand exactly why the attackers have installed this font, it could serve as an indicator of Gauss activity on your system.”
A very far-fetched idea is that Gauss uses the font for printed material. It actually tricks some parts of the system to substitute fonts with Palida, so any prints will contain Palida. Later, printed documents could be identified by looking on the tiny specialities of the font.
A third, and more probable idea is that Palida installation can be in fact detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages.
