Gauss Discovery Indicates Malware Tool Boom

Taylor Armerding August 13, 2012
Detection tools for the Stuxnet relative, released Friday, will not be effective for long, experts say.

The computer security firm Kaspersky Lab announced this week that it had found a new cyber-surveillance virus in the Middle East that is a descendant of the Stuxnet, Flame and Duqu malware.

But they are not calling it "Son of Stuxnet." Stuxnet is the computer worm widely believed to have been used by the U.S. and Israel to attack Iran's nuclear centrifuges.

Dennis Fisher, writing on the Kaspersky blog Threatpost, said the new malware, discovered in June, had been named Gauss, after the German mathematician Carl Friedrich Gauss.

"Gauss contains some of the same code as Flame," Fisher wrote. "But is markedly different in a number of respects, specifically in its ability to steal online banking credentials and has an encrypted payload that experts haven't yet been able to crack."

"[Gauss is] capable of stealing browser cookies and passwords, steal account information for social networks and IM applications, intercept online banking credentials for a handful of Middle Eastern banks as well as PayPal and Citibank and infect USB drives with a data-stealing module," Threatpost reported.

By Friday, both Kaspersky and the Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics had published Gauss detection tools. But those may soon be of limited value. 

Anup Ghosh, founder and CEO of Invincea, a security software vendor, said the detection tool "will be distributed among all the anti-virus vendors." He added: "But that's only good for this version. As soon as they make a change -- and they will -- it will no longer detect it."

Kaspersky said Gauss had infected about 2,500 machines in Lebanon, Israel and the Palestinian territories, with the majority -- 1,660 -- in Lebanon.

This, say a number of analysts, suggests that while it may also have destructive capabilities, the purpose of the financial component is not to steal but to spy on transactions.

But at least some of them suspect that the U.S. sponsored it. "The code base can be traced back to Stuxnet, Flame and Duqu," said Ghosh. "But let's not jump to conclusions based on code. The U.S. doesn't really engage in this kind of thing -- which is not to say that Israel would not."

"There are other, less risky, ways of getting financial transactions than going through someone's desktop," Ghosh said, "and this is just not the MO of traditional intelligence."

He said that Gauss could be from a nation-state, "since that's the kind of espionage they do in the Middle East."