Gauss joins the ranks of Stuxnet, Duqu, and Flame as an apparently state-sponsored tool of cyber espionage. This latest threat appears to be built from the same code foundation as Flame, and specifically targets bank credentials and financial data.
Kaspersky Lab, the largest privately held vendor of antimalware and endpoint security products, announced the new threat. A Kaspersky FAQ about Gauss boils the description down to a 140-character tweet: “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”.
Gauss has been flying under the radar and evading detection since the fall of 2011. Ironically, it was discovered during operations initiated by the International Telecommunication Union (ITU) in the wake of Flame, in an effort to detect and mitigate any other stealthy cyber threats. Mission accomplished.
Kaspersky was able to detect and identify the threat because it uses a similar architecture, module structure, code base, and methods of communication with command and control (C&C) servers as its cousin, Flame. It was dubbed “Gauss” because its main module is named after the German mathematician Johann Carl Friedrich Gauss.
While Flame, Stuxnet, and Duqu seemed to be aimed at Iran, Gauss appears to specifically target Lebanese banks, as well as Citibank and PayPal accounts. Gauss steals browser history, cookies, passwords, and system configurations from compromised systems, and collects usernames and passwords for financial accounts and payment systems.
The initial method of infection is still unknown. Like Flame and Duqu, though, the propagation of Gauss seems to be controlled in order to maintain stealth and avoid detection. Kaspersky has detected 2,500 infected machines so far, and estimates the total number of compromised systems to be in the tens of thousands.
The malware was discovered in June of 2012, and the C&C servers that manage it were effectively shut down in July of 2012. As a result, Gauss is now in a dormant state.