Dubai: A new cyber surveillance virus, named Gauss, has been found in the Middle East that can spy on financial transactions, email and social networking activity, according to Kaspersky Labs.
“The virus is capable of attacking critical infrastructure and has close relations with Flame, the computer worm used to attack Iran,” Vitaly Kamluk, Chief Malware Expert at Kaspersky Labs told Gulf News.
He said it had infected personal computers in Lebanon, Israel and the Palestinian Territories and some infections in the UAE, Saudi Arabia, Qatar, Jordan, Germany and Egypt.
About 1,660 machines impacted in Lebanon, 483 in Isreal and 261 in Palestine.
Kaspersky Labs declined to speculate on who was behind the virus but said it was related to Flame and two other cyber espionage tools, Stuxnet and Duqu.
“After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories,’” Kaspersky Lab said.
“All these attack toolkits represent the high end of nation-state-sponsored cyber-espionage and cyber war operations.”
Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines.
Modules in the Gauss virus have internal names that Kaspersky Lab researchers believe were chosen to pay homage to famous mathematicians and philosophers, including Johann Carl Friedrich Gauss, Kurt Godel and Joseph-Louis Lagrange.
Kamluk said it called the Gauss because that is the name of the most important module, which implements its data-stealing capabilities.
Stuxnet, discovered in 2010, attacked via USB drives and was designed to attack computers that controlled the centrifuges at a uranium enrichment facility in Natanz, Iran.
Analysis indicate that Gauss began operations in the September 2011 timeframe. It was first discovered in June 2012, resulting from the knowledge gained by the in-depth analysis and research conducted on the Flame malware.
“Since late May 2012, more than 2,500 infections were recorded by Kaspersky Lab’s cloud-based security system, with the estimated total number of victims of Gauss probably being in the tens of thousands. This number is lower compared to the case of Stuxnet but it’s significantly higher than the number of attacks in Flame and Duqu,” Kamluk said.
Analysis of Gauss shows it was designed to steal data from “several Lebanese banks including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. In addition, it targets users of Citibank and PayPal,” he said.
Another key feature of Gauss is the ability to infect USB thumb drives, using the same LNK vulnerability that was previously used in Stuxnet and Flame. At the same time, the process of infecting USB sticks is more intelligent. Gauss is capable of “disinfecting” the drive under certain circumstances, and uses the removable media to store collected information in a hidden file. Another activity of the Trojan is the installation of a special font called Palida Narrow, and the purpose of this action is still unknown.
At the present time, the Gauss Trojan is successfully detected, blocked and remediated by Kaspersky Lab’s products, classified as Trojan-Spy.Win32.Gauss.
