What is the Gauss Trojan?
Gauss, is the name of a highly complex Trojan that threatens computer related banking in the Middle East. A Trojan is a concealed program on a computer that is designed to be undetected and can be used to get various personal and private information, in most cases relating to finances and passwords to accounts. It is not known to this date who created the Gauss Trojan. However, its name is derived from a well-known and respected German mathematician by the name of Johann Carl Friedrich Gauss. There are other modules that make up the Trojan itself and they are named after other famous mathematicians including Kurt Gödel and Louis Lagrange. The programs themselves however, are anything but respectable.
Kaspersky Lab is credited as making the first discovery of the threat posed by Gauss to financial centers, in June of 2012. However, analysis of the assembled data points to Gauss operations having been initiated as early as September of 2011. Nine months of undetected damage to finances and other data occurred before it was discovered. The responsibility to ascertain the Trojan was first initiated by ITU, International Telecommunication Union when a malevolent Malware known as Flame was uncovered.
Numerous experts from Kaspersky Lab were called upon to work in collaboration with ITU for the identifying of any of the similarities that might exist between the two cyber-threats. It became clear after inspecting the damage that the two different Trojans both shared not only a similar code base, but also the method that was being employed for communicating with C&C servers as well as their architectural platforms and module structures. The similarities were too great to be denied.
As the Gauss Trojan relies upon the engagement of the C&C or Command & Control servers, the C&C servers were completely shut down. This placed the Gauss Trojan into a mode where it sits in standby waiting for the Command & Control servers to be active again. It is believed that more than 10,000 people have been the victims of the Gauss Trojan. Many of the victims of the Gauss Trojan are localized to Lebanon, which appears to be the desired target. It is documented that around 2,500 systems have been infected in that area, as reported by the KSN, the Kaspersky Security Network. KSN is a cloud-based security system.
Gauss is similar in its blueprint to the Flame Malware. However, the actual location of the infections that shows up are clearly dissimilar. Flame reportedly attacked fewer systems in Iran by comparison to Gauss, at around 700 computers. ByblosBank, BlomBank, Bank of Beirut, FransaBank, EBLF and Credit Libanais are known Lebanese based banks that have been targeted by the Gauss Trojan.
It was through the identification of these design similarities that permitted open talks with the private sector, international organizations as well as governments and civil society at large. Until the discovery of the Gauss Trojan there had never been a Trojan with an online banking feature. This is totally unique to Gauss in the arsenal of cyber-weapons. Gauss, has another key feature that is shared with Flame; Gauss can infect USB drives. The method used to infect is highly clever. The Gauss Trojan will actually use the USB removable media drive to conceal and archive the information that it collects, placing it into a secret file. Much like Flame, Gauss relies upon the spreading of its infection through secrecy and concealment. Curiously, a completely unknown purpose for the Trojan is to install a specific font into the infected systems Operating System named Palida Narrow.
The design of the Gauss Trojan permits it to steal information from a large amount of Lebanese centered banks. These banks have been identified, but the Trojan also targets accounts of Citibank and Paypal users. The data that Gauss targets for theft centers around the browser history, system configuration setup, password and cookies stored on the infected machines. Gauss can obtain the necessary info it needs to access numerous online banking and payment systems. This comprehensive info is then transmitted to the attackers and includes the specifications of the network cards, the machine’s BIOS and any drives that are synced.
Currently Gauss Trojan is completely detectable, can be blocked and is classified by Kaspersky Lab’s as the Trojan-Spy.Win32.Gauss by their Trojan detection products. Through the identification of malicious Trojans and Malware such as Flame and Gauss, it is hoped that the danger which comes from cyber-weapons can be mitigated by the efforts of companies such as Kaspersky Labs.
The upcoming film by Rubidium Wu, Crow Hill, touches on the topic of the cyberwar and viruses similar to Flame Malware and others. To find out more about this film, go here.