Researchers have uncovered yet another state-sponsored computer espionage operation that uses state-of-the-art software to extract a wealth of sensitive data from thousands of machines located mostly in the Middle East.

"Gauss," as Kaspersky Lab researchers have dubbed the malware, was devised by the same "factory" or "factories" responsible for the Stuxnet worm used to disrupt Iran's nuclear program, as well as the Flame and Duqu Trojans. Some researchers say the latter two malware titles may have provided the reconnaissance needed for operations such as Stuxnet. Gauss is known to have infected 2,500 computers connected to Kaspersky's cloud-based security system, and researchers with the firm say tens of thousands of additional machines may also be affected. The highest concentration of attacks are found in Lebanon, followed by Israel and the Palestinian territories.

"The discovery of Gauss indicates that there are probably many other related cyber-espionage malware in operation," Kaspersky researchers wrote in a 48-page report published Thursday morning (a condensed blog post is here). "The current tensions in the Middle East are just signs of the intensity of these ongoing cyber-war and cyber-espionage campaigns."

Like Duqu and Flame, Gauss is highly modular, and it shares a "fair deal of code" with Flame. Its developers failed to remove debugging information before unleashing the malware, however, allowing researchers to uncover details about the computers used to develop the malware. A version developed in December and January, for instance, resided in the Windows directory c:\documents and settings\flamer\desktop\gauss_white_1, providing another clue it has close ties to Flame, which is also known as Flamer and didn't come to light until May. Gauss and Flame also share a similar command and control infrastructure, code references, and encryption subroutines. Gauss, which appears to be an homage to the German mathematician and scientist Johann Carl Friedrich Gauss, comes from the name one of the developers gave to the main module. Developers appear to have named other modules after famous mathematicians and philosophers Kurt Godel and Joseph-Louis Lagrange.

A Gauss component that infects USB drives exploits the same Microsoft Windows vulnerability used to spread Stuxnet and Flame from computer to computer even when they're not connected to the Internet. Microsoft patched the bug affecting files with .LNK extensions two years ago, but because so many "air-gapped" computers don't regularly receive software updates, it's likely many of the victims remained vulnerable, Roel Schouwenberg, a senior Kaspersky researcher, told Ars.

Mystery payload

Adding to the intrigue, Gauss contains an encrypted payload that Kaspersky researchers so far have been unable to unlock. It's loaded onto USB sticks that are inserted into Gauss-infected machines and executed when they're plugged into uninfected computers later, but only under unknown conditions. A mysterious subroutine searches for detailed system configurations and rifles through hundreds of directories and uses a cryptographically hashed result of that data as the secret key. Kaspersky has appealed for help from "world-class cryptographers" in decrypting the contents so they can learn exactly what the module is doing. Kaspersky researchers can be e-mailed at theflame@kaspersky.com.

The encryption has the benefit of keeping researchers and victims in the dark, but it might also be designed to prevent the code from being circulated widely and repurposed by "copycat" attackers, assuming its encryption is ever cracked. "The chances of this decrypted code getting onto the Internet are very, very low," Schouwenberg said. Gauss also installs a custom font known as Palida Narrow whose purpose remains unknown. Researchers with the Laboratory of Cryptography and System Security, the outfit that was instrumental in discovering Stuxnet and Flame wrote in a blog post the font may be used by remote webservers to detect infected systems.

Another curious discovery is Gauss' ability to steal and monitor data from the clients of Citibank and PayPal, as well as several Lebanese banks.

"This is actually the first time we’ve observed a nation-state cyber-espionage campaign with a banking Trojan component," Kaspersky researchers wrote. "It is not known whether the operators are actually transferring funds from the victim’s bank accounts or whether they are simply monitoring finance/funding sources for specific targets."

The targeting of a narrow set of banks suggests the developers didn't include the capability for financial gain. Later in the report, the researchers wrote: "We believe the theory that Gauss is used to steal money which [is] used to finance other projects such as Flame and Stuxnet is not compatible with the idea of nation-state sponsored attacks."

Gauss comes with plenty of other tantalizing unknowns. It's programmed to collect technical details about an infected computer's network connections, processes and folders, BIOS, CMOS, RAM, and local and removable drives. It's configured to upload that data to five command-and-control servers that were shut down last month before Kaspersky could infiltrate them. That means Gauss is in a dormant state at the moment as infected machines wait for the servers to become active again.

The servers implemented a Round-robin DNS architecture that allows engineers to distribute high workloads between different Web servers. Its use suggests that the network may have been designed to process large amounts of traffic from tens of thousands of victims.

Like Flame, it's still unclear how victims initially become infected by Gauss. "It is possible the mechanism is the same as Flame and we haven’t found it yet," the report states. "Or it may be using a different method. We have not seen any self-spreading (worm) capabilities in Gauss, but the higher number of victims than Flame might indicate a slow spreading feature. This might be implemented by a plugin we have not yet seen."

There's no evidence yet that Gauss is able to impersonate Microsoft's Windows update mechanism. That was one of the ways Flame was able to spread from machine to machine inside a local network. That technique was made possible by Microsoft's use of the cryptographically weak MD5 algorithm, combined with a world-class cryptographic attack that scientists had never seen before.

Kaspersky researchers discovered Gauss in July in the course of participating in a separate investigation initiated by the International Telecommunication Union intended to "mitigate the risks posed by emerging cyber-threats, and ensure cyber-peace," Thursday's blog post said. The researchers initially mistook Gauss as a module of Flame that attacked slightly different geographies. After discovering addition Gauss components, the researchers eventually realized Gauss was a distinct piece of malware but was shared the same origin as Flame.

With an infection count from 2,500 to tens of thousands of computers, Gauss' reach is roughly in the mid-range of its state-sponsored peers. Stuxnet infected more than 100,000 machines, mostly in Iran, while DuQu is estimated to have infected just 50 computers in a variety of countries. Flame is believed to have infected some 1,000 systems in Iran and elsewhere in the Middle East.

Story updated to include additional details contained in the report.