Gauss Espionage Malware: 7 Key Facts

From targeting Lebanese banking customers to installing a font, security researchers seem to be unearthing as many questions as answers in their teardown of the surveillance malware.

What secrets does the newly discovered Gauss malware hide?

At a high level, Moscow-based Kaspersky Lab, which Thursday announced its discovery of Gauss, believes it "is a nation state sponsored banking Trojan," built using a code base that's related to Flame, and by extension Duqu and Stuxnet.

But the ongoing analysis of Gauss has yet to uncover the answers to numerous questions. For starters, as noted by Symantec, banking credentials are "not a typical target for cyber espionage malware of this complexity."

With that in mind, here are seven oddities and unanswered questions surrounding Gauss:

1. Malware Eavesdropped On Lebanon

Whoever heard of malware that came gunning for residents of Lebanon? Kaspersky said that by July 31, 2012, it had counted 2,500 unique PCs as being infected by Gauss since May, and traced 1,600 of those infections to PCs in Lebanon. The next most-infected countries were Israel (483 PCs infected), the Palestinian Territory (261), the United States (43), the United Arab Emirates (11), and Germany (5).

2. Espionage Malware Targeted Banks

According to Kaspersky's teardown of Gauss, the malware didn't just target Lebanon, but specific bank customers. "The Gauss code (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks--including the Bank of Beirut, Byblos Bank, and Fransabank," it said. But the malware also targeted users of Credit Libanais. Citibank, and eBay's PayPal online payment system.

In other words, Gauss may be the first known malware to have been commissioned by a nation state to spy on online banking customers. Then again, Jeffrey Carr, CEO of cyber risk management firm Taia Global, told Reuters that Lebanese banks have long been watched by U.S. intelligence agencies for their role in facilitating payments to drug cartels and extremist groups. "You've got this successful platform. Why not apply it to this investigation into Lebanese banks and whether or not they are involved in money laundering for Hezbollah?" he said.

3. Malware Module May Hide Stuxnet Warhead

Another curiosity: Kaspersky researcher Roel Schouwenberg said the "Godel" module found in Gauss may also include a Stuxnet-like "warhead" able to damage industrial control systems, reported Reuters.

4. But Gauss Avoided Stuxnet Mistakes

Gauss managed to avoid detection for over a year, by not infecting enough PCs to have been spotted by security firms. For comparison purposes, Gauss is known to have infected 2,500 PCs, compared with 700 for Flame, and just 20 for Duqu. Stuxnet, meanwhile, infected over 100,000 PCs, although security experts suspect that its creators--believed to be the United States, working with Israel--lost control of the malware due to a programming error, which let the malware spread outside of the single Iranian nuclear facility that it was meant to infect.

5. Banking Malware Prolific--For Targeted Attack

But the 1,600 Gauss infections--80 times the number seen for Duqu--place the malware in curious territory. "This is an uncharacteristically high number for targeted attacks similar to Duqu--it's possible that such a high number of incidents is due to the presence of a worm in one of the Gauss modules that we still don't know about," according to Kaspersky Lab. "However, the infections have been predominantly within the boundaries of a rather small geographical region," meaning that the malware is apparently only being used for targeted attacks, and carefully controlled.

6. USB Key Attack Code Copies Targeted Data

On a related note, Kaspersky said that Gauss is compatible with 32-bit Windows systems, although "there is a separate spy module that operates on USB drives ... and is designed to collect information from 64-bit systems." Interestingly, the malware installs a compressed, encrypted attack application onto USB drives, which only activates when it finds a targeted system.

"The spy module that works on USB drives uses an .LNK exploit ... [that is] similar to the one used in the Stuxnet worm, but it is more effective," according to Kaspersky Lab. "The module masks the Trojan's files on the USB drive without using a driver. It does not infect the system: information is extracted from it using a spy module (32- or 64-bit) and saved on the USB drive."

According to Symantec, the USB attack code would be quite difficult to spot. "Some sections of the payload binary that spreads to USB devices are RC4 encrypted with keys generated to target specific computers," it said, referencing the RC4 software stream cipher. "The underlying data has yet to be decrypted in these payloads."

7. Attack Code Installs Font

A substantial amount of Gauss analysis remains, before the design of its modules--or even how it goes about infecting systems--can be fully understood. In particular, "the infection vector is currently unknown," according to Symantec.

Another mystery is the Gauss module dubbed "Lagrange," which--as Symantec put it--"curiously installs a font called Palida Narrow." The custom TrueType font "appears to contain valid Western, Baltic, and Turkish symbols," according to Kaspersky. Why create custom fonts for malware? So far, that's just one more outstanding and unusual Gauss question that remains unanswered.