Follow by Email

Sunday, August 12, 2012

Hackers, Part 5: Gauss

You are going to love this. The era of state-supported cyber-espionage using highly modular virus platforms is here.

There is a highly modular virus out there! This virus platform (which by the way is the new way of thinking about viruses) can install new modules on demand. It is descended from Stuxnet, Flame, and Duqu. As you might have read, Flame is able to access local networks, fit itself into a thumb drive to move from computer to computer, list and extract interesting data, and communicate that data back to the host. It can categorize and store within sequestered networks, waiting for a moment when it gets carried out by hand aboard a thumb drive, and when the command-in-control (CIC) host is once again available. When the CIC hosts get shut down (as they always are) then it can wait for the new CIC host to handshake, and resume working just as it would always do.

Oh, and it is resident on quite a few computers in the middle east that run Windows 7, XP, Vista, and other 32-bit versions of Windows. It has several known MD5 certificates as well.

The new virus is called Gauss, named after Karl Friedrich Gauss, a prodigy mathematician and progenitor of so many new ideas I can't even list them. It has modules named after other mathematicians, such as Godel and Lagrange.

I am a math nerd from way back, and this strikes an interesting chord with me.

Endless Speculation

The Gauss virus is intended, it seems, to extract information from those using Lebanese banks. My bet is that it is simply used in intelligence gathering. They want to harvest the information off somebody's computer from afar. This is because of the nature of the modules that the virus has in it, so it probably is the right answer.

But what does the creator of this virus need this information?

I can't help but notice that this seems to come at a critical time in the Syrian civil war. The Iranians want to keep Assad in power it and, controlling Hezbollah, they also control Lebanon. Lovely!

Point 1: Lebanon is right next door to Syria, and all those Lebanese politicians were assassinated (remember Hariri?) in secret plots hatched out of Iranian ally and puppet, Syria. Point 2: Lebanese commerce is a great way to get weapons and supplies into Syria. Without making it look like Iran is doing that. Point 3: Iran will need to have people and politicians in place when and if Assad falls. So, follow the money.

Anyway, point made. The authors of this virus, likely either Israel or the US, are interested in the region. Hell, if I were them, I would be too!

Oh, perhaps it is simply aimed at Iranian money men as part of a coordinated attack. Still, timing-wise it might be of interest to some nation-state interested in how supplies and weapons are being continually supplied to Syria. But why not fly them in? Hmm.

So, what kind of new modules does this virus have?


This appears to be interested in the browser. So much online banking happens through secure browser interfaces. This module installs browser cookies and special plugins that likely co-opt the security of the browser so information can be intercepted more easily.

It looks for cookies. What cookies is it interested in? The ones associated with banking, of course! It needs to know that the user is also a client of one of several banks. These include Lebanese bank keywords like bankofbeirut, blombank, byblosbank, citibank, fransabank, and creditlibanais. Oh, it is also interested in PayPal, Mastercard, Eurocard, Visa, American Express, Yahoo, Amazon, Facebook, gmail, hotmail, eBay, and maktoob.

It is quite clever, loading the IE browser history and then extracting passwords and text fields from cached pages. Jeez! Does that work? Shame on you Microsoft!


This curious module installs a new Palida Narrow TrueType font, for what purpose is currently unknown! It appears to be a perfectly good font. Hmm.

Godel or Kurt

This module cleverly infects USB drives with the data-stealing module. This is how the virus works its way into sequestered networks. Sequestered networks are separate from the internet by virtue of physical discontinuity. So the virus has a special form that lives there and can migrate its data back through thumb drives to the outside world. Quite ingenious!

To infect the thumb drives, it puts a desktop.ini file in that exploits the LNK vulnerability. This data is in target.lnk, in the same directory.

It also searches for malware-detecting products and exits if they are present. This could be the best way to prevent it from propagating. It also doesn't work on Windows 7 Service Pack 1.

The Most Interesting Part

There is speculation that the Gauss virus contains a "warhead" that only deploys when the virus becomes embedded in a specific computer that is not connected with the internet. They can't tell what it is, because it's encrypted and the analyzers (Kaspersky Labs) don't know the key. This is serious voodoo.

No comments:

Post a Comment