Gauss, evidence of ongoing cyber-war and cyber espionage campaigns

Pierluigi Paganini August 10, 2012

As expected a new malware for purposes of cyber espionage was once again identified by the Team of Kaspersky Lab. After Duqu, Flame and Mahdi a new cyber-espionage toolkit has been detected in the same region, the Middle East, and like its predecessor is capable of stealing sensitive data such as online banking credentials, browser passwords and system configurations.

The new agent has been named Gauss, after German mathematician Johann Carl Friedrich Gauss, and what is interesting is that it appears to linked to Stuxnet, the experts believe that it was produced with the same nation-state factories.

Gauss was discovered during investigation conducted by the International Telecommunication Union (ITU) to mitigate the risks posed by emerging cyber-threats.

Looking in details the structure the malware appear composed by several modules have internal names which maybe pay tribute to famous mathematicians and philosophers, such as Kurt Godel, Johann Carl Friedrich Gauss and Joseph-Louis Lagrange. The core module that implements the data stealing capabilities is Gauss one.


Gauss has been detected thanks the investigation made to identify the Flame malware, according the investigations Gauss has been spread on September 2011 and was detected in June 2012 and on July it its command and control infrastructure shut down. What is interesting is that in the same period the CrySyS Lab in Hungary announced the discovery of Duqu. The Kaspersky researchers declared

We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.

Kaspersky experts have found debugging info in some instances detected that provide details on the paths where the project resides and maybe on the real target of attacks that is considered Lebanon, first because the country registered a high rate of infections ( more than 1600 victims) and also because the term “white” in the debugging data.  According to Wikipedia, “The name Lebanon comes from the Semitic root LBN, meaning “white”, likely a reference to the snow-capped Mount Lebanon.”

Variant Path to project files
August 2011 d:\projects\gauss
October 2011 d:\projects\gauss_for_macis_2
Dec 2011-Jan 2012 c:\documents and settings\flamer\desktop\gauss_white_1


The shutting down of the C&C doesn’t mean that the cyber threat has been definitively decapitated because is appears to be dormant waiting for server to become active.

What is Gauss and which are its main targets?

Gauss is a cyber threat designed primary to monitor online banking accounts and as said major users affected are in the Middle East, the method of spreading is not yet determined, according to Kaspersky Gauss is a complex agent, surely nation-state sponsored cyber-espionage toolkit, that has a strong resemblances with Flame.

The ‘Winshell.ocx’ module which gives the name to the malware as ‘Gauss’, steals credentials required to access online banking accounts for several Lebanese banks such as Bank of Beirut, Byblos Bank and Fransabank. This is the first publicly known nation-state sponsored banking Trojan.

Kaspersky Lab’s cloud-based security system has detected since late May 2012, more than 2,500 infections, that induce to think that probably being in tens of thousands the number of its victims, inferior to Stuxnet diffusion but higher than the number of attacks in Flame and Duqu.

Name Incidents (KL stats) Incidents (approx.)
Stuxnet More than 100 000 More than 300 000
Gauss ~ 2500 ?
Flame ~ 700 ~5000-6000
Duqu ~20 ~50-60

Gauss collects data on victims with the intent to send it to attackers, those data con also include network interface information, BIOS characteristics  and computer drive details. It’s infects USB sticks with a data stealing component that exploit the LNK (CVE-2010-2568) vulnerability, the same used by Stuxnet and Flame.

At the same time, the process of infecting USB sticks is more intelligent and efficient. Gauss is capable of “disinfecting” the drive under certain circumstances, and uses the removable media to store collected information in a hidden file. The ability to collect information in a hidden file on USB drives exists in Flame as well

The malware also installs a special font called Palida Narrow … this circumstance is curious because last days I noted several tweets, apparently without meanings exchanged between members of Kaspersky team regarding a Palida Narrow theme.

At the moment experts ignore if the agent exploit also a zero-day vulnerability but are sure that Gauss’ USB data stealing payload contains several encrypted sections which are decrypted with a key derived from certain system properties.What contains the encrypted payload? The researchers are still analyzing the contents of these mysterious encrypted blocks and trying to break the encryption scheme.

The discovery of Gauss let the experts believe that many other related cyber-espionage malware are actually in operation and many other will be developed in the next future.

That’s is a way to make war, stealing sensible information to the enemies, in silence during long period, despite many experts doesn’t consider it a cyber weapon in the strict sense, are in effect employed in military and government spying operation representing an irreplaceable and effective means of attack.

Many ignore the aspect of modularity of this agents in the future may also receive supplementary modules, developed using also the  info acquired directly on the territories, to conduct attacks against critical infrastructures and centers of vital information.

As declared by the team of Kaspersky, “The current tensions in the Middle East are just signs of the intensity of these ongoing cyber-war and cyber-espionage campaigns.”

Pierluigi Paganini


you might also like

leave a comment