
Gauss


First posted on 11 August 2012.
Source: SecurityHome

Aliases:

Gauss is also known as Trojan.Win32.Gauss.

Explanation:

Gauss is the most recent cyber-surveillance operation in the Stuxnet, Duqu and Flame saga.

It was probably created in mid-2011 and deployed for the first time in August-September 2011.

Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunications Union (ITU), following the discovery of Flame. The effort is aimed at mitigating the risks posed by cyber-weapons, which is a key component in achieving the overall objective of global cyber-peace.

In 140 chars or less, "Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation". Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations.

Just like Duqu was based on the "Tilded" platform on which Stuxnet was developed, Gauss is based on the "Flame" platform. It shares some functionalities with Flame, such as the USB infection subroutines.

What is Gauss? Where does the name come from?

Gauss is a complex cyber-espionage toolkit created by the same actors behind the Flame malware platform. It is highly modular and supports new functions which can be deployed remotely by the operators in the form of plugins. The currently known plugins perform the following functions:

  • Intercept browser cookies and passwords.

  • Harvest and send system configuration data to attackers.

  • Infect USB sticks with a data stealing module.

  • List the content of the system drives and folders.

  • Steal credentials for various banking systems in the Middle East.

  • Hijack account information for social network, email and IM accounts.

The modules have internal names which appear to pay tribute to famous mathematicians and philosophers, such as Kurt Gödel, Johann Carl Friedrich Gauss and Joseph-Louis Lagrange.
The module named "Gauss" is the most important one in the malware, as it implements the data stealing capabilities, and we have therefore named the whole toolkit after this component.

Is there any special payload or time bomb inside Gauss?

Yes, there is. Gauss' USB data stealing payload contains several encrypted sections which are decrypted with a key derived from certain system properties. These sections are encrypted with RC4, using a key derived from an MD5 hash performed 10000 times over a combination of the "%PATH%" environment string and the name of a directory in %PROGRAMFILES%. Because the key only exists on a machine with exactly the right configuration, neither the RC4 key nor the contents of these sections are yet known, so we do not know the purpose of this hidden payload.
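The environment-derived key scheme described above, as an added illustration that is not Gauss's own code: it assumes the two system properties are concatenated as UTF-8 with no separator, and that a correctly decrypted section is recognised by a constructed "MZ" marker; the page specifies neither detail. It shows why an analyst without the exact target environment gets only garbage from the blob.

```python
import hashlib

ITERATIONS = 10000  # MD5 iteration count stated on the page


def derive_key(path_env: str, progfiles_dir: str) -> bytes:
    """Iterate MD5 10000 times over the combination of the two properties.
    Assumption: plain UTF-8 concatenation, no separator or salt."""
    digest = (path_env + progfiles_dir).encode("utf-8")
    for _ in range(ITERATIONS):
        digest = hashlib.md5(digest).digest()
    return digest  # 16-byte RC4 key


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed sample: a hypothetical target machine's properties and a
# hypothetical "encrypted section" produced from them (not real Gauss data).
TARGET_PATH = r"C:\Windows\system32;C:\Windows;C:\Program Files\TargetApp\bin"
TARGET_DIR = "TargetApp"
SECTION_PLAINTEXT = b"MZ\x90\x00hidden-section-demo"
ENCRYPTED_SECTION = rc4(derive_key(TARGET_PATH, TARGET_DIR), SECTION_PLAINTEXT)


def try_decrypt(path_env: str, progfiles_dir: str, blob: bytes = ENCRYPTED_SECTION):
    """Analyst-side check: derive a key from a candidate environment and
    accept the result only if it carries the assumed 'MZ' marker."""
    plain = rc4(derive_key(path_env, progfiles_dir), blob)
    return plain if plain.startswith(b"MZ\x90\x00") else None
```

Every candidate environment costs 10000 MD5 calls, which is what makes guessing the right PATH and directory name across the whole space of plausible installations so expensive.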

How is this different from the typical backdoor Trojan? Does it do specific things that are new or interesting?

After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same "factory" or "factories". All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of "sophisticated malware".

Gauss' highly modular architecture reminds us of Duqu -- it uses an encrypted registry setting to store information on which plugins to load, is designed to stay under the radar and avoid security and monitoring programs, and performs highly detailed system monitoring functions. In addition, Gauss contains a 64-bit payload, together with Firefox-compatible browser plugins designed to steal and monitor data from the clients of several Lebanese banks: Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal.

This is actually the first time we've observed a nation-state cyber-espionage campaign with a banking Trojan component. It is not known whether the operators are actually transferring funds from the victim's bank accounts or whether they are simply monitoring finance/funding sources for specific targets.

The Gauss "mother-ship" module is a little over 200K. It has the ability to load other plugins, which altogether account for about 2MB of code. This is about one-third of the size of the main Flame module, mssecmgr.ocx. Of course, there may be modules which aren't discovered yet, used in other geographical regions or in other specific cases.

Last update 11 August 2012
