Malware "Gauss" Aimed at Online Banking in Middle East
Gauss, the name given to a new malware threat designed to monitor online banking accounts, was first reported by Russian computer security company Kaspersky Lab. The majority of users affected are in the Middle East, predominantly in Lebanon. The Gauss command-and-control infrastructure was shut down in July 2012, shortly after its discovery, and is currently dormant.
Gauss was first discovered in June 2012 as part of a joint effort investigating Flame malware by Kaspersky and the International Telecommunication Union, the United Nations’ specialized agency for information and communication technologies.
Since May 2012, more than 2,500 Gauss infections have been recorded by Kaspersky’s cloud-based security system, with the estimated total number of victims in the tens of thousands. Kaspersky Lab believes the malware was first activated in September 2011.
The new malware’s main module was apparently named by its unknown creators after the German mathematician Johann Carl Friedrich Gauss.
Gauss malware possesses online banking Trojan functionality not found in previously known cyberweapons. According to Kaspersky:
Gauss steals detailed information about infected PCs including browser history, cookies, passwords, and system configurations. It is also capable of stealing access credentials for various online banking systems and payment methods. Analysis of Gauss shows it was designed to steal data from several Lebanese banks... In addition, it targets users of Citibank and PayPal.
What’s interesting is that the malware installs a previously unknown font called “Palida Narrow” on infected computers, which gives defenders a simple indicator to look for. To check for the presence of Gauss, users can download the free Kaspersky Virus Removal Tool or detection tools from the Laboratory of Cryptography and System Security (CrySyS Lab) at the Budapest University of Technology and Economics.
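Because the indicator is an installed font, the presence check can be done from a web page as well as from a local tool: a browser falls back to a generic family only when the named font is missing, so comparing the rendered width of a probe string with and without “Palida Narrow” in the font stack reveals whether the font is installed. The following is an added example of that technique, written for this page; it is not code from Kaspersky, CrySyS Lab, or the linked detection tools. The probe string, the canvas-based measurement, and the function names are this example’s own choices.

```javascript
// Added example: browser-side check for an installed font via CSS font fallback.
// Not Kaspersky or CrySyS Lab code; names and probe text are this example's assumptions.
const INDICATOR_FONT = "Palida Narrow";

// Mix of wide and narrow glyphs so that different typefaces yield different widths.
const PROBE_TEXT = "mmmmmmmmmmlli0OW@";

// Generic families to fall back to; a width change against any of them is enough.
const FALLBACKS = ["monospace", "serif", "sans-serif"];

// Measure the rendered width of PROBE_TEXT in a CSS font-family stack using a canvas.
// Only usable in a browser; the detection logic below accepts any measurer.
function measureWithCanvas(fontFamily) {
  const ctx = document.createElement("canvas").getContext("2d");
  ctx.font = `72px ${fontFamily}`;
  return ctx.measureText(PROBE_TEXT).width;
}

// True if fontName is installed: the named font only renders when present,
// so its width differs from the bare fallback's width in that case.
function isFontInstalled(fontName, measure = measureWithCanvas) {
  return FALLBACKS.some((fallback) => {
    const baseWidth = measure(fallback);
    const probeWidth = measure(`"${fontName}", ${fallback}`);
    return baseWidth !== probeWidth;
  });
}

// Wrap the indicator check in a small verdict object for display or logging.
function checkForGaussFont(measure = measureWithCanvas) {
  const present = isFontInstalled(INDICATOR_FONT, measure);
  return {
    font: INDICATOR_FONT,
    present,
    verdict: present
      ? "indicator present: run a full scan with a removal tool"
      : "indicator absent: not proof of a clean system",
  };
}

// Run automatically when loaded in a browser page.
if (typeof document !== "undefined") {
  console.log(checkForGaussFont());
}
```

A positive result only shows that a font with that name is installed, and a negative result is not proof that the machine is clean, since the font can be removed independently of the rest of the infection; either way the local scanners named above remain the authoritative check.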
Alexander Gostev, chief security expert at Kaspersky Lab, commented:
Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious program. Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasizing stealth and secrecy. However, its purpose was different to Flame or Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.
Kaspersky and other sources have speculated that, because of its financial tracking capabilities, the malware is the work of a nation-state seeking to track financial transactions in the Middle East for counterintelligence purposes.
More About Gauss
- Securelist Analysis: An In-depth Research Analysis of Gauss
- Wired: Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload
- eWeek: Gauss Malware Detected through Unique Palida Narrow Font
- PC Mag: Gauss Malware Hits Middle East, Targets Banking Info
- PC World: Gauss Threatens Malware Tool Boom, Security Experts Warn
- Computerworld: Security experts push free Gauss detection tools
- The Washington Post: Newly Discovered Malware Linked to Stuxnet, Flame