Gauss: A Government Cyber Espionage Tool With Mysterious ‘Warhead’

Another nation state-funded cyber espionage tool rears its ugly head, Kaspersky says

A fresh piece of government-created malware has been spotted, and it carries a hidden, encrypted payload whose purpose nobody has yet been able to determine, security researchers have warned.

Known as Gauss, it is believed to be the work of the nation state or states that created the Flame cyber espionage tool, which would also make it a relative of the Stuxnet and Duqu malware. Stuxnet and Flame are both believed to have been created by the US and Israel, meaning those two countries have now been implicated in yet another cyber espionage campaign.

The secret “warhead” contains an “unknown, encrypted payload which is activated on certain specific system configurations”, Kaspersky said. Because the payload only decrypts on the right system configuration, analysts who do not have such a system cannot see what it does, and Kaspersky has called for world-class cryptographers to help figure out what the “special payload or time bomb” hidden in Gauss’ USB data-stealing module actually is.
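To make the problem concrete, here is an added example of environmental keying, the general technique the quoted description matches: the decryption key is derived from a fingerprint of the host, a MAC lets the loader recognise the right host without storing the key, and anyone without the right fingerprint is reduced to guessing configurations. This is illustrative code written for this article, not Gauss code and not Kaspersky's analysis; the fingerprint format, salt, iteration count, the SHA-256 counter-mode stand-in for a real cipher, and the placeholder payload are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed parameters for the example; the page gives no Gauss specifics.
SALT = b"example-salt-not-from-gauss"
ITERATIONS = 100_000  # slows each guess during a brute-force search


def derive_key(config_fingerprint: str) -> bytes:
    """Turn a string describing the host (paths, BIOS strings, ...) into a key."""
    return hashlib.pbkdf2_hmac(
        "sha256", config_fingerprint.encode("utf-8"), SALT, ITERATIONS
    )


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256, a stand-in for a real block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Encrypt and authenticate; the tag lets the loader test a key without a known plaintext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, "sha256").digest()
    return ct, tag


def try_open(ct: bytes, tag: bytes, config_fingerprint: str):
    """Return the payload if this host's fingerprint yields the right key, else None."""
    key = derive_key(config_fingerprint)
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None  # wrong host: the payload stays opaque
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def brute_force(ct: bytes, tag: bytes, candidate_fingerprints):
    """What an analyst without the target machine must do: enumerate configurations.

    Returns the fingerprint that unlocks the payload, or None. The cost is one
    slow key derivation per candidate, which is the whole point of the scheme.
    """
    for fp in candidate_fingerprints:
        if try_open(ct, tag, fp) is not None:
            return fp
    return None


# Constructed sample data (placeholder text, not a real second stage).
PAYLOAD = b"stage2: constructed placeholder, not Gauss code"
TARGET_HOST = r"C:\Program Files\ExampleBank Client|OEM BIOS 1.0"
OTHER_HOST = r"C:\Program Files\Office|Generic BIOS 2.3"
SEALED = seal(PAYLOAD, derive_key(TARGET_HOST))

if __name__ == "__main__":
    print("on target host:", try_open(*SEALED, TARGET_HOST))
    print("on other host: ", try_open(*SEALED, OTHER_HOST))
    print("brute force:   ", brute_force(*SEALED, [OTHER_HOST, TARGET_HOST]))
```

The sealed blob carries no copy of the key and no recognisable plaintext, so a sample pulled from a victim or a sandbox reveals nothing until the exact fingerprint is reproduced; with a fingerprint space of even a few thousand plausible directory and firmware combinations, each costing a deliberately slow derivation, the search is what the call for cryptographers is really about.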

Government wants to steal your money too?

Discovered as part of an ongoing investigation involving Kaspersky and the International Telecommunication Union (ITU), Gauss is the first known example of a government-created cyber tool designed to steal banking information.

Lebanon has the most infections, with 1,660, and there Gauss has tried to steal and monitor data from the customers of several Lebanese banks. It has also been seen targeting users of Citibank and PayPal.

Beyond pilfering banking data, Gauss can hijack account details for social network, email and IM accounts, intercept browser cookies and passwords, harvest system configuration data and send it to the attackers, and infect USB sticks with an information-stealing module. That means it can spread between machines whenever a user carries the same USB stick from one to another. It can collect data on a system’s BIOS too.

Since late May 2012, Kaspersky has spotted more than 2,500 infections, suggesting the total number of Gauss victims is probably in the tens of thousands. Outside of Lebanon there were over 40 victims in the US, as well as a small number in the UAE, Qatar, Jordan, Germany and Egypt.

Kaspersky said it was fairly certain Gauss was related to Flame and Stuxnet, although in its architecture it bore a stronger resemblance to Duqu.

“Gauss’ highly modular architecture reminds us of Duqu – it uses an encrypted registry setting to store information on which plugins load, is designed to stay under the radar, avoid security and monitoring programs, and performs highly detailed system monitoring functions,” the Russian security company said in a blog post.

“We are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.”

Yet Gauss does not currently appear to be as sophisticated as its relatives. Kaspersky has not seen it exploit any zero-day vulnerabilities, nor have its operators pulled off what Flame’s did to spread that malware: forging certificates so that malicious code could be delivered as Windows updates.

It is not as heavy as Flame either, with the “mother-ship” module a little over 200KB. It can load further plugins that together amount to about 2MB of code, still nowhere near Flame’s 20MB. Gauss was also written in C++, the standard language for most malware, whereas its cousins used more esoteric languages such as Lua.

The tool was most likely created in mid-2011 and deployed for the first time in August or September of that year. Gauss’ command-and-control (C&C) infrastructure was shut down in July 2012, however, and the malware is currently dormant.
