Thursday, August 09, 2012

New "Gauss" malware grabbing Lebanese bank information

Here are the conclusions of a full analysis of the newly-discovered "Gauss" malware, written by Kaspersky Labs:
Gauss is the most recent development from the pool of cyber-espionage projects that includes Stuxnet, Flame and Duqu. It was most likely created in mid-2011 and deployed for the first time in August-September 2011.

Its geographical distribution is unique; the majority of infections were found in Lebanon, Palestine and Israel. One of the modules from Jan 2012 contains the path “c:\documents and settings\flamer\desktop\gauss_white_1”. The “flamer” in the path above is the Windows username that compiled the project. Given the focus on Lebanon, the “white” version identifier can probably be explained as follows: “the name Lebanon comes from the Semitic root LBN, meaning “white”, likely a reference to the snow-capped Mount Lebanon.” (Wikipedia)

Code references and encryption subroutines, together with the Command and Control infrastructure, make us believe Gauss was created by the same “factory” which produced Flame. This indicates it is most likely a nation-state sponsored operation.

Among Gauss’ functions, the “Winshell.ocx” module, which gives the malware its name “Gauss”, steals credentials required to access online banking accounts for several Lebanese banks – including the Bank of Beirut, Byblos Bank and Fransabank. This is the first publicly known nation-state sponsored banking Trojan.

Another feature which makes Gauss unique is its encrypted payload, which we haven’t been able to unlock. The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload.
The discovery of Gauss indicates that there are probably many other related cyber-espionage malware in operation.

The current tensions in the Middle East are just signs of the intensity of these ongoing cyber-war and cyber-espionage campaigns.
It isn't too hard to guess that some Lebanese banks are probably a major conduit for Westerners to transfer money illicitly to and from Iran. Following the money is a time-honored way for spies to find what they are looking for.

It is worth noting that Eugene Kaspersky, founder of Kaspersky Labs, which has been discovering a lot of this nation-state malware, has ties to the KGB and has a view of the Internet that is decidedly anti-freedom. Not that his researchers are not doing a good job, but he is a political animal and he will make sure his company only does what his politics allow - and his politics coincide to a great degree with what Russia wants.