August 9, 2012
Middle Eastern Virus Shares Roots With Flame
Michael Harper for redOrbit.com — Your Universe Online
A new virus has been discovered in the Middle East which may share some roots with the US-built Flame malware which infected Iranian machines earlier this year.
Kaspersky first identified this virus, known as Gauss, in June. Now, Gauss has been found to have an aspect to it which can be used to target bank accounts with intent to steal login credentials.
So far, Gauss has been targeting some Lebanese banks, such as Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. Some CitiBank and PayPal users have also reported being effected by the Gauss malware.
Though Gauss appears to be an extension of the state-created Flame, the fact that it´s being used to steal banking information is puzzling. Likewise, the fact that it´s being used to perform multiple tasks suggests that there could be many users behind the malware.
“When you look at Stuxnet and DuQu, (two other state-operated spyware tools) they were obviously single-goal operations. But here I think what you see is a broader operation happening all in one,” says Roel Schouwenberg, senior researcher at Kaspersky Lab.
The researchers at Kaspersky labs have yet to determine if Gauss is being used to simply watch the activity of some bank accounts or if it´s being used instead to steal money. They do assume, however, that given the malware´s likely state-based origins, the end goal of this malware isn´t economic gain. Rather, this malware is likely used for reconnaissance and counterintelligence purposes.
Further perplexing the researchers at Kaspersky is the payload this malware carries with it. So far, it appears as if the malware is targeting machines with the ability to generate a key, unlock the encryption and bring the virus to its knees. The team at Kaspersky has been trying to figure out the configuration needed to generate the key and has been asking for help from other cryptographers to solve this problem.
“We do believe that it´s crackable; it will just take us some time,” Schouwenberg told Wired.com.
According to Schouwenberg, this intense encryption suggests the creators of the malware have been very careful to prevent others from getting their hands on it or creating copy cat versions.
Such copy cat versions are what caused similar malware, StuxNet, to spread the way it did.
The team at Kaspersky labs suspect the malware was created sometime in the middle of 2011 and was first deployed around September or October. This was around the time Hungarian researchers had uncovered DuQu, an espionage tool designed to steal data which was found on machines in Iran and Sudan. DuQu and Gauss may have been built using the same framework, says Schouwenberg, using similar techniques. Gauss and Flame also share a similarity, as the same code has been found in both forms of the malware.
According to Wired, the Kaspersky team found Gauss when they were looking for variants of the Flame malware.
So far, it appears as if Gauss is only being used to target specific individuals and machines, though its tight encryption and mysterious payload suggest that this malware could one day be used to inflict some serious damage on its targets.