10 Curious tech facts about Gauss – the malware
If you are Lebanese, you have by now heard about a piece of malware, or cyber-espionage tool, called Gauss, spreading mostly in Lebanon and discovered by Kaspersky Lab.
There could be more infections, but those are the numbers reported by Kaspersky.
Your must-read articles are the ones from Kaspersky (Kaspersky Lab Discovers ‘Gauss’ – A New Complex Cyber-Threat Designed to Monitor Online Banking Accounts) and Wired (Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload).
Also, if you happen to know two or three things about computers, you can check the 48-page PDF by Kaspersky: it contains the juicy tech details, like infection stats, operating system stats, architecture, a comparison with Flame, how it installs and operates, a timeline, a file list, and an excellent executive summary and conclusion.
While at it, you can also check the Wikipedia page of Gauss, the math dude, a pretty impressive man: http://en.wikipedia.org/wiki/Carl_Friedrich_Gauss
Why the buzz
- It is a sophisticated, complex, nation-state-sponsored cyber-espionage toolkit that is spreading in one specific geographic area. All evidence says that it was written by the same people who wrote Stuxnet and Flame (complicated tools that can affect nuclear plants and such)… in non-fancy words, it seems to be something written by the US/Israel as part of their ongoing cyber-espionage operations in the Middle East.
- The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons.
How to quickly detect it
Curious tech facts
Away from all the speculation and political analysis, here are some interesting, or at least curious, tech facts; they will probably go unnoticed in all the upcoming buzz, information and misinformation.
- Infection dates back to September-October 2011; it was discovered in July 2012
- This discovery was made possible by strong resemblances and correlations between Flame and Gauss
- Gauss has been dormant since July 2012: after its discovery, the command and control servers went offline
- It does not self-replicate; in other terms, infections had to be delivered to the victims, which means a more targeted approach and explains the concentration of infections in Lebanon
- Gauss searches for cookies that contain the following strings: (paypal, mastercard, eurocard, visa, americanexpress, bankofbeirut, eblf, blombank, byblosbank, citibank, fransabank, yahoo, creditlibanais, amazon, facebook, gmail, hotmail, ebay, maktoob). What is interesting, as Mo pointed out, is that it doesn’t look for Bank Audi, for example, which is curious considering that Audi is the elephant in the room when it comes to banking in Lebanon… while it misses Audi, Gauss looks for Maktoob cookies
- Command and control server registration was not made anonymous by proxy; usually you can very easily opt not to show detailed information by paying a small additional fee… but the servers were registered to Adolph Dybevek, Peter Kulmann and Gilles Renaud, with addresses pointing to hotels. Of course it is all fake information, but no information is better than even fake information, so it is interesting why, like Flame, there was no anonymity in registration.
- Use of DNS balancing: for some of the C2s, the controllers used a technique known as DNS balancing or “round robin DNS”, probably to even out the load. This is a common technique in the case of massive traffic to a website, suggesting that at their peak, the Gauss C2s were handling quite a lot of data.
- Mysterious payload: part of the malware has been carefully encrypted by the attackers and so far remains uncracked. The payload appears to be highly targeted at machines that have a specific configuration, a configuration used to generate a key that unlocks the encryption. So far the researchers have been unable to determine what configuration generates the key. They are asking for assistance from any cryptographers who might be able to help crack the code.
- The mystery of the installation of a custom font named “Palida Narrow”, which contains no exploit, no shellcode and no nasty payload. Here is a possible explanation; I like the pretty smart last reason given, which is using a CSS trick to remotely detect infections. Another possibility that was not mentioned is to check for completion of the installation.
- One of the modules from Jan 2012 contains the path “c:\documents and settings\flamer\desktop\gauss_white_1”. The “flamer” in the path above is the Windows username that compiled the project. Given the focus on Lebanon, the “white” version identifier can probably be explained as follows: “the name Lebanon comes from the Semitic root LBN, meaning “white”, likely a reference to the snow-capped Mount Lebanon.”
It is less likely that this malware was designed for material gain, aka stealing money, even though, as stated by Kaspersky, “The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons.” Experts are guessing that it is more targeted at spying on transactions and mining info.
So the buzz generated about “malware for online banking” may not be adequate; here are some other things that are collected as well:
- Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.
- Collecting information about the computer’s network connections.
- Collecting information about processes and folders.
- Collecting information about BIOS, CMOS RAM.
- Collecting information about local, network and removable drives.
- Infecting USB drives with a spy module in order to steal information from other computers.
- Installing the custom Palida Narrow font (purpose unknown).
- Ensuring the entire toolkit’s loading and operation.
- Interacting with the command and control server, sending the information collected to it.
- Downloading additional modules.
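The Palida Narrow font listed above, and the CSS/JavaScript detection trick mentioned in the curious facts, can be turned into a quick remote check that a defender can host on a page of their own. The following is an added example, not code from the original post, from Kaspersky, or from the lab that published the original detection page: a script renders a test string in a generic fallback family, then in “Palida Narrow” with the same fallback; if the rendered widths differ, the browser found an installed font by that name, which a normal Windows machine is not expected to have. The `fontLooksInstalled`, `measureFont` and `detectFont` names are my own.

```javascript
// Browser-side check for an unusual installed font ("Palida Narrow").
// Added example, not part of the original post.

// Wide and narrow glyphs together amplify metric differences between fonts.
const TEST_STRING = 'mmmmmmmmmmlli';
// Several generic families reduce the chance that the candidate font happens
// to share metrics with one particular fallback.
const FALLBACKS = ['monospace', 'sans-serif', 'serif'];

// Pure decision logic, separated so it can be tested without a DOM.
// measurements: [{ fallback, fallbackWidth, candidateWidth }, ...]
function fontLooksInstalled(measurements) {
  if (!Array.isArray(measurements) || measurements.length === 0) return false;
  return measurements.some(m =>
    Number.isFinite(m.fallbackWidth) && Number.isFinite(m.candidateWidth) &&
    m.fallbackWidth > 0 && m.candidateWidth !== m.fallbackWidth);
}

// Render the test string off-screen once per fallback family, first in the
// fallback alone and then in "candidate, fallback". If the candidate font is
// installed the browser uses it and the width changes.
function measureFont(candidate, doc) {
  const out = [];
  for (const fallback of FALLBACKS) {
    const span = doc.createElement('span');
    span.textContent = TEST_STRING;
    span.style.position = 'absolute';
    span.style.left = '-9999px';
    span.style.fontSize = '72px';
    span.style.fontFamily = fallback;
    doc.body.appendChild(span);
    const fallbackWidth = span.offsetWidth;
    span.style.fontFamily = `'${candidate}', ${fallback}`;
    const candidateWidth = span.offsetWidth;
    doc.body.removeChild(span);
    out.push({ fallback, fallbackWidth, candidateWidth });
  }
  return out;
}

function detectFont(candidate, doc) {
  return fontLooksInstalled(measureFont(candidate, doc));
}

// Usage inside a web page; skipped when there is no DOM (e.g. under Node).
if (typeof document !== 'undefined' && document.body) {
  const present = detectFont('Palida Narrow', document);
  console.log('Palida Narrow present:', present);
}
```

Two caveats for anyone hosting such a check: a positive result only says the font is installed, so the page should tell the visitor to confirm with an on-host scan rather than declare an infection, and the width-measurement technique is the same one browser fingerprinting scripts use, so visitors with anti-fingerprinting settings may get a fixed answer regardless of what is installed.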
I think by now the average person is having a headache, so all I am adding is some additional self-descriptive images.
Similarities between Gauss and Flame
If you think you got da Gauss, let me know; I’d love to check it out and hopefully help get a copy ;p