Flame Malware Ignites Gauss in Lebanon
Aug 10, 2012 8:50 AM PT
The fallout from the Flame malware that was identified in May continues. Ongoing research into the malware has led antivirus vendor Kaspersky Lab to discover a new malware platform, which it has named "Gauss."
This platform has several similarities to Flame, Kaspersky said.
"There's no doubt Gauss comes from the same factory which produced Flame," Roel Schouwenberg, senior researcher at Kaspersky Lab, told TechNewsWorld. "They're built on the same platform."
Gauss has been distributed in the Middle East for at least 10 months, mainly impacting computers in Lebanon. It was designed to intercept data required to work with banks and to collect information about systems it infects.
The malware has also infected computers in several other countries, with Israel and the Palestinian Territory having the second and third greatest number of incidents, respectively. More than 1,600 incidents were recorded in Lebanon.
The Dirt on Gauss
Gauss consists of several modules which it injects into victims' PCs to intercept user sessions and steal passwords, cookies and browser history. It also collects information about infected computers' network connections, processes and folders, and it installs a spy module on USB drives, among other things.
The first known Gauss infections occurred around September, Kaspersky Lab said. The platform's creators have modified different modules several times and changed command server addresses. The command servers went offline in the middle of July, when Kaspersky Lab scientists were examining Gauss.
So far, more than 2,500 unique PCs have been infected with Gauss modules in 25 countries around the world. These include the United States and Germany. Kaspersky Lab suspects that the infections could be much more widespread.
"We've shared Gauss samples with the security industry and I'm sure that we'll soon see telemetry from other people," Kaspersky's Schouwenberg said.
More on Gauss' Mechanics
Gauss was built as a modular system. This "makes updates and changes much simpler and decreases the size of updates when they're required," Randy Abrams, a research director at NSS Labs, told TechNewsWorld. "Depending on the design, modularity can provide failsafe and failover mechanisms as well."
Through Flame, Gauss is linked to Stuxnet, a computer worm discovered in 2010 that targeted Siemens industrial control systems in Iran's nuclear installations.
In addition to collecting information about systems it infects, Gauss steals credentials for various banking systems and social network, email and instant messaging accounts, Kaspersky Lab said.
However, it's not clear whether Gauss was designed to steal money or collect data because "the C and C [command and control] servers were taken offline before we could investigate," Schouwenberg said. Still, this "looks like a surveillance operation."
Tinker, Tailor, Soldier, Spy
Gauss' links to Stuxnet and Flame support the possibility that it was created by a nation-state. The other two pieces of malware were reportedly created by Israel and the United States to target Iran and other countries in the Middle East.
However, Flame was said by some experts to look more impressive than it really was. Although it had very heavy security protection, the security routines it used were dated and easily circumvented by modern technology.
Flame is large, with up to 750,000 lines of code, but it was written in Lua, a lightweight multi-paradigm scripting language designed for use by non-programmers, and the language used to write the "Angry Birds" game.
These factors suggest that, like Flame, Gauss may not be a particularly strong threat.
Further, "any single Fortune 500 company is likely to have more garden variety malware in their organization alone than there are machines infected with Gauss in the entire world," NSS Labs' Abrams said.
"Vulnerabilities in Java remain a far more serious and imminent threat to governments, companies and individuals than Gauss is to almost anyone in the world," Abrams continued.
"If this weren't created by nation-state sponsored attackers, that would mean the Flame platform source code has been stolen or leaked," Kaspersky's Schouwenberg remarked. "That's a very scary thought."