Stuxnet's cousin, Gauss, targets Lebanon's banks

Kaspersky Labs has revealed details about another cyber-surveillance operation which it believes is closely tied to the Stuxnet, Duqu, and Flame family – thought to have been developed by either the US or Israel – but this flavour, Gauss, targets banking.

According to Kaspersky, Gauss was first spotted thanks to an effort from the International Telecommunication Union (ITU) after it noticed Flame. This weapon, the company says, is a nation-state-sponsored banking trojan. It has been snuffling data from infected Windows machines, but it also has an unknown and encrypted payload that is activated only on specific configurations. Gauss appears to be based on the Flame platform, sharing similar functionality, such as USB drive infection.

So far, Kaspersky has identified that Gauss is designed to intercept cookies and passwords, harvest system configuration data and send it to the attackers, infect USB sticks with a data-stealing module, list the contents of the system's drives and folders, steal credentials for Middle Eastern banking systems, and steal information for social networking, email, and instant messaging accounts.

Gauss’ authors either forgot – or intentionally left in – some debugging information. Kaspersky notes that some of the debugging information is listed as gauss_white_1, which the company believes is a reference to Lebanon, where the most Gauss infections have been found, because, quoting Wikipedia, “the name Lebanon comes from the Semitic root LBN, meaning ‘white’, likely a reference to the snow-capped Mount Lebanon”.

The Gauss operation began between August and September 2011, coinciding with the discovery of the Duqu worm. Kaspersky believes they are related by a chain of links: Gauss is related to Flame, Flame to Stuxnet, and Stuxnet to Duqu, so it would be fair to consider Gauss a part of the family. From May 2012, over 2,500 infections were recorded by Kaspersky, and it predicts that the total number of victims is in the tens of thousands. Its control infrastructure was shut down in July this year, so at the moment the malware is lying dormant.

In contrast with Duqu, Flame, and Stuxnet, the majority of infections were found in Lebanon, at 1,660, followed by Israel at 483 and Palestine at 261, although there have been some infections caught in the US, United Arab Emirates, Qatar, Jordan, Germany, and Egypt. Of course, Kaspersky is using data from its own services, so there is a possibility that there are far more infections out there.