Gauss: Nation-state cyber-surveillance meets banking Trojan.

Forums Operating Systems Windows Server 2008 R2 Miscellaneous Gauss: Nation-state cyber-surveillance meets banking Trojan.

Viewing 1 reply thread
  • Author
    Posts
    • #44422
      hackerman1
      Moderator

      Hi !

      “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”

      “Gauss is the most recent cyber-surveillance operation in the Stuxnet, Duqu and Flame saga.
      It was probably created in mid-2011 and deployed for the first time in August-September 2011.
      Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunications Union (ITU),
      following the discovery of Flame.

      The effort is aimed at mitigating the risks posed by cyber-weapons, which is a key component in achieving the overall objective of global cyber-peace.
      In 140 chars or less, “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”.
      Besides stealing various kinds of data from infected Windows machines, it also includes an unknown,
      encrypted payload which is activated on certain specific system configurations.

      Just like Duqu was based on the “Tilded” platform on which Stuxnet was developed, Gauss is based on the “Flame” platform.
      It shares some functionalities with Flame, such as the USB infection subroutines.”

      read the full story: http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan

      more (technical) info about Gauss and how it works:

      Gauss: Abnormal Distribution

      “The malware has been actively distributed in the Middle East for at least the past 10 months.
      The largest number of Gauss infections has been recorded in Lebanon, in contrast to Flame, which spread primarily in Iran.
      Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts.
      The Gauss code includes commands to intercept data required to work with several Lebanese banks – for instance, Bank of Beirut, Byblos Bank, and Fransabank.

      Curiously, several Gauss modules are named after famous mathematicians.
      The platform includes modules that go by the names ‘Gauss’, ‘Lagrange’, ‘Godel’, ‘Tailor’, ‘Kurt’ (in an apparent reference to Godel).
      The Gauss module is responsible for collecting the most critical information, which is why we decided to name the entire toolkit after it.

      Gauss is a much more widespread threat than Flame.
      However, we have found no self-replication functionality in the modules that we have seen to date, which leaves open the question of its original attack vector.

      Gauss is designed to collect information and send the data collected to its command-and-control servers.
      Information is collected using various modules, each of which has its own unique functionality:

      Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.
      Collecting information about the computer’s network connections.
      Collecting information about processes and folders.
      Collecting information about BIOS, CMOS RAM.
      Collecting information about local, network and removable drives.
      Infecting USB drives with a spy module in order to steal information from other computers.
      Installing the custom Palida Narrow font (purpose unknown).
      Ensuring the entire toolkit’s loading and operation.
      Interacting with the command and control server, sending the information collected to it, downloading additional modules.

      read the full story: http://www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution

      Online detection of Gauss

      “After the publication of our whitepaper about the Gauss cyber-attack, we have been asked if there is an easy way for users to check their system for infection. Of course the most reliable way is to download and install our antivirus solution or use the free Kaspersky Virus Removal Tool.
      If someone needs to double-check or for some reason cannot download full antivirus package, we offer a quick and easy way to check for the presence of Gauss component.

      The idea of checking the system using a webpage comes from the wellknown Hungarian research lab, known as CrySyS.
      They have also introduced a web-based method to check your system for Palida Narrow.
      Their test webpage is currently available here: http://gauss.crysys.huhttp://gauss.crysys.hu

      We used the same idea and tried to improve the detection method.
      Now it works without server interaction.

      Below the current blogpost you will find an iframe window which has the results of a javascript code check to verify whether you have the mysterious Palida Narrow font installed.
      This font was used during the Gauss cyber-attack.
      Although we don’t currently understand exactly why the attackers have installed this font, it could serve as an indicator of Gauss activity on your system.
      More details about the module which installs this font are available in our full article.

      read the full story & check your computer: http://www.securelist.com/en/blog/724/Online_detection_of_Gauss

Viewing 1 reply thread
  • You must be logged in to reply to this topic.