Showing posts with label intelligence. Show all posts

Sunday, August 12, 2012

Hackers, Part 5: Gauss

You are going to love this. The era of state-supported cyber-espionage using highly modular virus platforms is here.

There is a highly modular virus out there! This virus platform (which, by the way, is the new way of thinking about viruses) can install new modules on demand. It is descended from Stuxnet, Flame, and Duqu. As you might have read, Flame is able to access local networks, copy itself onto a thumb drive to move from computer to computer, list and extract interesting data, and communicate that data back to its command-and-control (C&C) host. It can categorize and store data within sequestered networks, waiting for the moment when it gets carried out by hand aboard a thumb drive and the C&C host is once again reachable. When the C&C hosts get shut down (as they always are), it can wait for a new C&C host to handshake, and then resume working just as it always did.

Oh, and it is resident on quite a few computers in the Middle East that run Windows 7, XP, Vista, and other 32-bit versions of Windows. Several MD5 hashes of its components are known as well.

The new virus is called Gauss, named after Carl Friedrich Gauss, a prodigy mathematician and progenitor of more new ideas than I can list. It has modules named after other mathematicians, such as Godel and Lagrange.

I am a math nerd from way back, and this strikes an interesting chord with me.

Endless Speculation

The Gauss virus is intended, it seems, to extract information from those using Lebanese banks. My bet is that it is simply used in intelligence gathering. They want to harvest the information off somebody's computer from afar. This follows from the nature of the modules the virus carries, so it is probably the right answer.

But why does the creator of this virus need this information?

I can't help but notice that this seems to come at a critical time in the Syrian civil war. The Iranians want to keep Assad in power and, by controlling Hezbollah, they also control Lebanon. Lovely!

Point 1: Lebanon is right next door to Syria, and all those Lebanese politicians were assassinated (remember Hariri?) in secret plots hatched out of Iranian ally and puppet, Syria. Point 2: Lebanese commerce is a great way to get weapons and supplies into Syria without making it look like Iran is doing that. Point 3: Iran will need to have people and politicians in place when and if Assad falls. So, follow the money.

Anyway, point made. The authors of this virus, likely either Israel or the US, are interested in the region. Hell, if I were them, I would be too!

Oh, perhaps it is simply aimed at Iranian money men as part of a coordinated attack. Still, timing-wise it might be of interest to some nation-state interested in how supplies and weapons are being continually supplied to Syria. But why not fly them in? Hmm.

So, what kind of new modules does this virus have?

Gauss

This module appears to be interested in the browser. So much online banking happens through secure browser interfaces. It installs browser cookies and special plugins that likely co-opt the security of the browser so information can be intercepted more easily.

It looks for cookies. What cookies is it interested in? The ones associated with banking, of course! It needs to know that the user is also a client of one of several banks. These include Lebanese bank keywords like bankofbeirut, blombank, byblosbank, citibank, fransabank, and creditlibanais. Oh, it is also interested in PayPal, Mastercard, Eurocard, Visa, American Express, Yahoo, Amazon, Facebook, gmail, hotmail, eBay, and maktoob.

It is quite clever, loading the IE browser history and then extracting passwords and text fields from cached pages. Jeez! Does that work? Shame on you Microsoft!

Lagrange

This curious module installs a new Palida Narrow TrueType font, for a purpose that is currently unknown! It appears to be a perfectly good font. Hmm.

Godel or Kurt

This module cleverly infects USB drives with the data-stealing module. This is how the virus works its way into sequestered networks. Sequestered networks are separated from the internet by a physical gap, with no network connection at all. So the virus has a special form that lives there and can migrate its data back to the outside world through thumb drives. Quite ingenious!

To infect a thumb drive, it places on it a desktop.ini file that exploits the LNK vulnerability. The exploit data is in target.lnk, in the same directory.

It also searches for malware-detecting products and exits if they are present. This could be the best way to prevent it from propagating. It also doesn't work on Windows 7 Service Pack 1.
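A quick host triage for the indicators described in the Lagrange and Godel sections, written as an added example (not code from the original post or from Kaspersky's analysis): it walks a directory tree for a desktop.ini sitting next to a target.lnk, the removable-drive pattern just described, and for a Palida Narrow TrueType file. Matching the font on "palida" in the file name and the sample directory layout are assumptions constructed for the demo, since the post gives neither the font's file name nor a real drive image.

```python
import os
import tempfile

# A desktop.ini next to a target.lnk in the same directory is the
# removable-drive infection pattern described for the Godel module.
USB_PAIR = ("desktop.ini", "target.lnk")
# Assumption: the Lagrange font is recognisable by "palida" in its file
# name; the exact file name Gauss used is not given in the post.
FONT_HINT = "palida"


def scan_for_gauss_indicators(root):
    """Walk `root` and return a sorted list of (indicator, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        # Both halves of the pair must be present in the *same* directory;
        # a lone desktop.ini is normal Windows folder metadata.
        if all(name in lower for name in USB_PAIR):
            findings.append(("usb_lnk_pair", dirpath))
        for name in files:
            if FONT_HINT in name.lower() and name.lower().endswith(".ttf"):
                findings.append(("palida_font", os.path.join(dirpath, name)))
    return sorted(findings)


def make_sample_tree(infected=True):
    """Constructed sample layout for the demo only; returns its root."""
    root = tempfile.mkdtemp(prefix="gauss_demo_")
    usb = os.path.join(root, "usb_drive")
    fonts = os.path.join(root, "Windows", "Fonts")
    os.makedirs(usb)
    os.makedirs(fonts)
    # Benign content: a lone Desktop.ini and a normal font trigger nothing.
    open(os.path.join(usb, "Desktop.ini"), "w").close()
    open(os.path.join(fonts, "arial.ttf"), "w").close()
    if infected:
        open(os.path.join(usb, "target.lnk"), "w").close()
        # Constructed file name; see the assumption noted above.
        open(os.path.join(fonts, "PalidaNarrow.ttf"), "w").close()
    return root


if __name__ == "__main__":
    for indicator, path in scan_for_gauss_indicators(make_sample_tree()):
        print(indicator, path)
```

Point `scan_for_gauss_indicators` at a mounted removable drive or a Windows fonts directory to run it against real data instead of the constructed tree.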

The Most Interesting Part

There is speculation that the Gauss virus contains a "warhead" that only deploys when the virus becomes embedded in a specific computer that is not connected to the internet. Nobody can tell what it is, because it's encrypted and the analysts (Kaspersky Lab) don't know the key. This is serious voodoo.

Monday, January 2, 2012

The Tamil Tigers

Humans have the capacity for great good and also for great evil. We have seen that unshakeable beliefs can lead a person to perpetrate acts that to another person are unquestionably evil. But to them, the act is good and righteous. How can this possibly happen?

War, subjugation, conquest, and genocide have happened in the past. So, in a practical sense, there are plenty of motives for the wronged peoples of the earth to plot revenge. But when a group has been defeated, wronged, or subjugated, and does not have the resources of its more powerful (and victorious) enemy, this generally leads to asymmetric warfare.

Asymmetric warfare has been around forever. But asymmetric warfare has never advanced so fast as it has in Sri Lanka under the guidance of the terrorist organization the LTTE (Liberation Tigers of Tamil Eelam), or Tamil Tigers. They were the Einsteins of terror, and carried out the most ruthless campaign of suicide attacks in the 20th century. For them, the greater the sacrifice, the higher the honor.

Now, I do believe that the oppression of the Tamil minority was bad. Subjugation and oppression always are. But when the ethnic Tamil minority began to be organized by LTTE founder-leader V. Prabhakaran, a master organizer, and started using terrorist tactics under the LTTE banner, my sympathy waned.

The LTTE carried out a pattern of aggression against the controlling Sinhalese majority of Sri Lanka in order to secure a Tamil homeland. This aggression eventually led to attacks not only on the Sri Lankan government and infrastructure, but also on the Indian government, which reportedly trained them between 1983 and 1987 (as well as five other Tamil insurgency groups) but subsequently had to stop supporting them. The advances by the LTTE in the techniques of terror are many.

For instance, on May 21, 1991, India's Prime Minister Rajiv Gandhi was assassinated during his reelection campaign by a female member of the LTTE who posed as a well-wisher carrying a basket of flowers. The explosive device was carried under her robes and hidden effectively by making her appear to be pregnant. She knelt before him before blowing herself up. This was the first recorded instance of a female suicide bomber. About a third of the suicide attacks by the LTTE have been carried out by women. This is thought to be because in conservative Indian society there is a reluctance to properly search a woman. Male and female children as young as 10 years old have been known to carry out attacks for the LTTE as well.

Another example: on July 12, 1990, the LTTE used a boat bomb against an Indian naval vessel in the port of Trincomalee. This was the first recorded instance of a boat bomb being used against a naval vessel, more than 10 years before the attack on the USS Cole.

Yet another: in July 1983, the mass exodus of civilians back into India after ethnic riots in Sri Lanka forced the LTTE to recruit children. At one point 60% of their fighting force consisted of male and female children between the ages of 10 and 16: the Baby Brigades. The units were trained rigorously from 0500 hours with two hours of physical conditioning, followed by weapons training, battle and field craft. Their afternoons were filled with the reading of LTTE literature and more physical training. Their food was controlled to support the conditioning process. They attended lectures on munitions, explosives, and intelligence techniques into the evening. By 1990, they were being used in combat against Indian troops. But first, they were battle tested by using weakly-protected border towns where the Baby Brigades were sent in with automatic weapons to slaughter several hundred people, led on "inoculation brigades" by experienced fighters. This technique is used today by African Islamic militias, although perhaps not with as many females.

There is evidence of 200+ suicide bombings by the LTTE. There is also evidence that, as the Sri Lankan civil war against the LTTE was being fought in 2009, suicide bombings against civilian targets continued.

There is evidence that both sides in the Sri Lankan Civil War of 2009 committed unspeakable atrocities. In the end, the LTTE were defeated and the most advanced and "creative" terror group was finally stopped.

Why commit acts of terror? Because they have historically been shown to pay off. The attacks in Beirut in October 1983 were two simultaneous truck bombs against the barracks of the US and French peacekeeping forces. This attack resulted in the withdrawal of US and French troops from Lebanon and is often cited by Al Qaeda and other groups as direct evidence that suicide attacks are extremely effective against the West.

The causes for acts of terror are not going to just magically vanish tomorrow if we act nice. Even if we address the root causes of the retribution sought, there will always be extremists. Part of the escalation in terrorist acts comes from the tremendous press that each terrorist act attracts. Each one is a springboard for the next act.

Nowadays the techniques for terror are distributed in documents like The Encyclopedia of Jihad on the internet. With online resources and social media, it's hard to put the genie back into the bottle.