11th August 2012, 10:16 #1
Gauss: Nation-state cyber-surveillance meets banking Trojan.
"Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation"
"Gauss is the most recent cyber-surveillance operation in the Stuxnet, Duqu and Flame saga.
It was probably created in mid-2011 and deployed for the first time in August-September 2011.
Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunications Union (ITU),
following the discovery of Flame.
The effort is aimed at mitigating the risks posed by cyber-weapons, which is a key component in achieving the overall objective of global cyber-peace.
In 140 chars or less, “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”.
Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations.
Just like Duqu was based on the “Tilded” platform on which Stuxnet was developed, Gauss is based on the “Flame” platform.
It shares some functionalities with Flame, such as the USB infection subroutines."
read the full story: Gauss: Nation-state cyber-surveillance meets banking Trojan - Securelist
more (technical) info about Gauss and how it works:
Gauss: Abnormal Distribution
"The malware has been actively distributed in the Middle East for at least the past 10 months. The largest number of Gauss infections has been recorded in Lebanon, in contrast to Flame, which spread primarily in Iran.
Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks - for instance, Bank of Beirut, Byblos Bank, and Fransabank.
Curiously, several Gauss modules are named after famous mathematicians. The platform includes modules that go by the names 'Gauss', 'Lagrange', 'Godel', 'Tailor', 'Kurt' (in an apparent reference to Godel). The Gauss module is responsible for collecting the most critical information, which is why we decided to name the entire toolkit after it.
Gauss is a much more widespread threat than Flame. However, we have found no self-replication functionality in the modules that we have seen to date, which leaves open the question of its original attack vector.
Gauss is designed to collect information and send the data collected to its command-and-control servers. Information is collected using various modules, each of which has its own unique functionality:
- Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.
- Collecting information about the computer's network connections.
- Collecting information about processes and folders.
- Collecting information about BIOS, CMOS RAM.
- Collecting information about local, network and removable drives.
- Infecting USB drives with a spy module in order to steal information from other computers.
- Installing the custom Palida Narrow font (purpose unknown).
- Ensuring the entire toolkit's loading and operation.
- Interacting with the command and control server, sending the information collected to it, downloading additional modules."
full story: Gauss: Abnormal Distribution - Securelist
Last edited by hackerman1; 11th August 2012 at 10:46.