Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Online Banking Monitoring Malware Discovered

Kaspersky Lab UK : 13 August, 2012  (Technical Article)
Kaspersky Lab details the discovery of the Gauss malware and its use in monitoring banking as part of a wider cyber-espionage perspective
Online Banking Monitoring Malware Discovered
Kaspersky Lab has announced the discovery of ‘Gauss,’ a new cyber threat targeting users in the Middle East. Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies and specific configurations of infected machines.  The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons.

Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunications Union (ITU), following the discovery of Flame. The effort is aimed at mitigating the risk posed by cyber-weapons, which is a key component in achieving the overall objective of global cyber-peace. The ITU, with the expertise provided by Kaspersky Lab, is taking important steps to strengthen global cyber-security by actively collaborating with all relevant stakeholders, in addition to its key industry partners within the ITU-IMPACT initiative.

Kaspersky Lab’s experts discovered Gauss by identifying the commonalities the malicious program shares with Flame.  These include similar architectural platforms, module structures, code bases and means of communication with command & control servers (C&C).

Quick facts:

* Analysis indicates Gauss started operations in September 2011.

* It was first discovered in June 2012, based on the knowledge gained from the in-depth analysis and research conducted on the Flame malware.

* This discovery was made possible due to the strong resemblances and correlations between Flame and Gauss.

* The Gauss C&C infrastructure was shutdown in July 2012 shortly after its discovery. Currently the malware is in a dormant state, waiting for its C&C servers to become active.

* Since late May 2012, more than 2,500 infections were recorded by Kaspersky Lab’s cloud-based security system, with tens of thousands estimated victims. This number is lower than that of Stuxnet but it’s significantly higher than the number of attacks of Flame and Duqu.

* Gauss steals detailed information about the infected PCs including browser history, cookies, passwords, and system configurations. It is also capable of stealing access credentials for various online banking systems and payment methods.

* Analysis of Gauss shows it was designed to steal data from several Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal.

The new malware was discovered by Kaspersky Lab’s experts in June 2012. Its main module was named by the unknown creators after German mathematician Johann Carl Friedrich Gauss. Other components bear the names of famous mathematicians as well, including Joseph-Louis Lagrange and Kurt Gödel. The investigation revealed that the first incidents with Gauss date back as early as September 2011. In July 2012 the command & control servers of Gauss stopped functioning.

Multiple modules of Gauss collect information from browsers, including the history of visited websites and passwords. Detailed data on the infected machine is also sent to the attackers, including specifics of network interfaces, computer drives and BIOS information. The Gauss module is also capable of stealing data from the clients of several Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal.

Another key feature of Gauss is the ability to infect USB drives, using the same LNK vulnerability that was previously used in Stuxnet and Flame, but with a more intelligent process of infecting USB sticks. Gauss is capable of “disinfecting” the drive under certain circumstances, and uses the removable media to store collected information in a hidden file. Another activity of the Trojan is the installation of a special font called Palida Narrow, but the purpose of this action is still unknown.

While Gauss is similar to Flame by design, the geography of infections is noticeably different. The highest number of computers hit by Flame was recorded in Iran and the majority of Gauss victims were located in Lebanon. The number of infections is also different. Based on telemetry reported from the Kaspersky Security Network (KSN), Gauss infected approximately 2,500 machines. In comparison, Flame was significantly lower, infecting closer to 700 machines.

Although the exact method used to infect the computers is not yet known, it is clear that Gauss propagates in a different manner to Flame or Duqu; however, similar to the two previous cyber-espionage weapons, Gauss’ spreading mechanisms are conducted in a controlled fashion, which emphasise stealth and secrecy for the operation.

Alexander Gostev, Chief Security Expert at Kaspersky Lab, commented: “Gauss bears a striking resemblance to Flame, with its design and code base, which enabled us to discover the malicious program. Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasising stealth and secrecy; however, its purpose was different than Flame or Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.”

At the present time, the Gauss Trojan is successfully detected, blocked and remediated by Kaspersky Lab’s products, classified as Trojan-Spy.Win32.Gauss.
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo