A sophisticated cyber surveillance tool that monitors financial transactions with Middle Eastern banks was ‘probably’ built by or under the auspices of a government, security researchers have said.
Moscow-based Kaspersky Lab revealed its findings about “Gauss,” the name it’s slapped on the malware it uncovered in June. However, that went dormant a month later when the command-and-control (C&C) servers shut down.
Gauss shares traits with other advanced malware, notably Flame – the digital espionage tool aimed at Iran that scouted out systems ripe for data thievery – Roel Schouwenberg, a senior researcher at Kaspersky, said in an interview today. Those commonalities prompted the security firm to conclude that Gauss, like Flame, Stuxnet and Duqu, was created by a nation-state or that the project was funded by one or more governments.
“It’s very clear that [Gauss] was built on the same platform as Flame,” said Schouwenber . “All these cyber weapons are linked to one another, and Gauss is part of that as well.”
Previously, security experts – including those at Kaspersky, as well as others at Symantec – have connected Stuxnet with Duqu, and Flame with Stuxnet. Ergo, Gauss is connected to Stuxnet, the malware that sabotaged Iran’s nuclear fuel enrichment programme.
Other experts have speculated that the U.S. and Israeli governments, specifically their intelligence agencies, were the sources of Stuxnet and Flame.
Two things about Gauss stand out, said Schouwenberg: The online banking component and a still-mysterious payload that’s so heavily encrypted that Kaspersky has no idea yet what it is or what it does.
Gauss is the first government-backed or -built malware that uses a banking module. Among its other duties, the Trojan steals credentials for several Middle Eastern banks headquartered in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal
Because the malware’s C&C infrastructure was shuttered last month, before Kaspersky could probe the servers or run a tamed copy of the malware to watch it interact with them, it has been unable to root out exactly what Gauss did when it was operational.
But Schouwenberg said Kaspersky has some ideas.
“It appears [Gauss] was used as a surveillance tool,” said Schouwenberg. “We currently believe it was used to monitor accounts and money flow. We don’t think they were trying to actually take the money.”
In Kaspersky’s tally, 66% of the Gauss-infected Windows PCs are located in Lebanon, 19% in Israel and 10% in Palestine.
Tracking funding for terrorist groups has played a major role in counter-terrorism efforts, and the malware’s focus on Lebanon, where Hezbollah is especially active, may point to connections to Iran, the target of both Stuxnet and Flame. Many experts believe Hezbollah often acts as a proxy for Iran in that country’s sometimes-secret, often public, conflict with Israel.
Kaspersky has identified about 2,500 machines infected with Gauss – those PCs are monitored by the security company – with two-thirds of them located in Lebanon. Another 19% are in Israel.
Based on that 2,500, Schouwenberg said Kaspersky estimates that “tens of thousands” of computers have been infected with the Trojan worldwide since the malware kicked off its campaign in September or October 2011.
Gauss’ still-secret payload also intrigued researchers.
Like Stuxnet, Gauss has a module that relies on USB flash drives, said Schouwenberg. When a drive is plugged into a Gauss-infected Windows PC, it secretly transfers code to the drive. If that same drive is later inserted into another, non-infected machine, under specific circumstances – derived from the PC’s system configuration – it executes code that looks through directories and exfiltrates data to the drive.
When the flash drive is plugged back into a Gauss-infected machine, the information it stole from the non-infected system is transferred to the malware’s C&C servers.
“We don’t know what it’s looking for, but with time we’ll be able to do so,” said Schouwenberg. “What is so important that they went to the trouble of hiding this code? We think that they’re using the USB drives to bridge the ‘air gap.'”
“Air gap” refers to the broken link between computers that are connected to the internet and those that are not. The latter must be infected or surveyed through means other than a network or the internet. Experts believe that the computers which controlled Iran’s nuclear fuel enrichment machinery were infected using USB drives, since those PCs would not have been connected to the Internet, and thus not directly accessible from previously-compromised computers.
Kaspersky hypothesised that the unknown payload may, in fact, carry destructive code, ala Stuxnet.
Bolstering that thought was the use of a long-patched vulnerability to install the mysterious payload. That bug, which exploits a flaw in Windows shortcut files, identified by the “.lnk” extension, was used by Stuxnet in its USB drive-based infection vector.
Microsoft patched the .lnk vulnerability with an emergency update – one outside its usual once-a-month schedule – on Aug. 2, 2010.
The fact that Gauss relied on a bug patched two years ago led Schouwenberg to speculate that the targets may have been important systems, perhaps ones that control industrial processes.
“[Industrial controlling PCs] are rarely patched, first because they’re not connected to the Internet – again, the air gap – and also because patching reduces uptime, which is critical for those systems,” said Schouwenberg.