While origin unclear, Gauss indicates malware tool boom

The computer security firm Kaspersky Lab announced this week that it had found a new cyber surveillance virus in the Middle East that is a descendent of the Stuxnet, Flame and Duqu malware.

But they are not calling it "Son of Stuxnet." Stuxnet is the computer worm widely believed to have been used by the U.S. and Israel to attack Iran's nuclear centrifuges.

Dennis Fisher, writing on the Kaspersky blog Threatpost, said the new malware, discovered in June, had been named Gauss, after the German mathematician Carl Friedrich Gauss.

"Gauss contains some of the same code as Flame," Fisher wrote. "But is markedly different in a number of respects, specifically in its ability to steal online banking credentials and has an encrypted payload that experts haven't yet been able to crack."

"[Gauss is] capable of stealing browser cookies and passwords, steal account information for social networks and IM applications, intercept online banking credentials for a handful of Middle Eastern banks as well as PayPal and Citibank and infect USB drives with a data-stealing module," Threatpost reported.

By Friday, both Kaspersky and the Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics had published Gauss detection tools. But those may soon be of limited value.

Anup Ghosh, founder and CEO of Invincea, a security software vendor, said the detection tool "will be distributed among all the anti-virus vendors." He added: "But that's only good for this version. As soon as they make a change -- and they will -- it will no longer detect it."

Kaspersky said Gauss had infected about 2,500 machines in Lebanon, Israel and the Palestinian territories, with the majority -- 1,660 -- in Lebanon.

This, say a number of analysts, suggests that while it may also have destructive capabilities, the purpose of the financial component is not to steal but to spy on transactions.

[See also: Network Security -- The Basics]

But at least some of them suspect that the U.S. sponsored it. "The code base can be traced back to Stuxnet, Flame and Duqu," said Ghosh. "But let's not jump to conclusions based on code. The U.S. doesn't really engage in this kind of thing -- which is not to say that Israel would not."

"There are other, less risky, ways of getting financial transactions than going through someone's desktop," Ghosh said, "and this is just not the MO of traditional intelligence."

He said that Gauss could be from a nation-state, "since that's the kind of espionage they do in the Middle East."

But what does that matter once malware like Stuxnet, Flame and Duqu are in the wild, Ghosh said. "It ends up in people's hands. It will get repurposed. I don't think it is beyond the pale to suggest that it has been captured and repurposed for cybercrime and industrial or national security espionage."

Ben Knieff, a fraud expert and director of product marketing at NICE Actimize, said he would not speculate on what the motive of Gauss's creators is. "But I can say that malware like this may be looking at financial information for a variety of reasons," he said.

"It can be for espionage. They want to understand the transactions that a company or individual is making. That can be very valuable information. Money is power, but information is also power," Knieff said.

He said he believes a larger danger is that Gauss, while very well encrypted, will still become available for purchase in the malware marketplace. Like Ghosh, he believes that highly sophisticated malware like this is going to become commercialized. "These days, anyone can buy a kit for a few thousand dollars," he said.

Gauss may have hidden capabilities not yet discovered, said Roel Schouwenberg, a senior malware researcher at Kaspersky.

He told Dennis Fisher that its infrastructure is currently dormant, since the command-and-control system went offline last month, before they could be investigated. And Kaspersky said it might not be able to decrypt Gauss's code for months.

Joel Harding, a retired intelligence officer and information operation expert, said he knows some experts believe that Gauss was written by a sophisticated hacker group outside the U.S.

"But I couldn't get past the complexity and the organizational requirements it would take to get a hacker group to do this," Harding said. "It's such a time-intensive operation, stealing bank information and then siphoning off the money. I don't see the monetary payoff. The return on investment is just wrong."

He thinks too that its is more likely that a nation-state is behind it. "There is a list of banks in Lebanon and throughout the Middle East that have dealings with people and organizations we might consider shady," he said. "If one can follow the flow of money in and out of these institutions, the intelligence organizations will better understand who works for whom, who is doing what, and perhaps why."

Whoever created Gauss, Harding is impressed. "It is elegant and has gathered so much information. Whoever did the Intelligence Gain Loss (IGL) for using this system should receive a medal," he said. "Sure, the system is compromised. Sure, the Command and Control servers for this have gone dark. Sure, the world is aware of Gauss and is actively looking for it, but this is bleeding edge use of tools in cyberspace."

In fact, he said, he believes Gauss indicates that even better malware tools are being developed that will be even more difficult to discover and neutralize. "My take on this is that we now have a proof of concept, a working model, and the challenge now is to refine the code," Harding said. "Make it smaller, faster and quieter."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)