Gauss cyber espionage virus targets Lebanese banks

Security researchers report the existence of yet another state-sponsored espionage virus likely from the same source as the Flame, Stuxnet and Duqu worms.

Moscow-based Kaspersky Lab announced discovery of the newest virus Aug. 9 in a blog post in which company officials dubbed it Gauss, after an internal module that collects the most sensitive information. Gauss specifically looks for user credentials stored on the hard drive for Lebanese banks, including the Bank of Beirut, Byblos Bank and Fransabank, along with credentials for Citibank and PayPal and for online email and social media accounts.

The modules have internal names which appear to pay tribute to famous mathematicians and philosophers, such as Kurt Godel, Carl Friedrich Gauss and Joseph-Louis Lagrange, the anti-virus company says.

The virus also contains an encrypted payload that Kaspersky researchers say they've not managed to unlock, leading them to "only speculate on the purpose of this mysterious payload."

"Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation," Kaspersky says in its blog post. Most detected infections are located in Lebanon, making Gauss a relative oddity since infections have predominantly stayed within the boundaries of a small geographical region.

Kaspersky researchers estimate the virus was created in mid-2011 and deployed in August or September of 2011. Gauss doesn't appear to be a self-spreading worm, "but the higher number of victims than Flame might indicate a slow spreading feature," they say.

Gauss infects USB drives with a data-stealing component that takes advantage of the same vulnerability exploited by Stuxnet and Flame, they add.

"After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same 'factory' or 'factories.'"

The New York Times reported in June that Stuxnet was developed by the governments of the United States and Israel.

Published by: siavash (Country: NL)