Nation-backed surveillance malware monitors Middle East bank accounts
Encrypted payload may also contain destructive code, a la Stuxnet, says Kaspersky
Computerworld - A sophisticated cyber surveillance tool that monitors financial transactions with Middle Eastern banks was probably built by or under the auspices of a government, security researchers said today.
Early Thursday, Moscow-based Kaspersky Lab revealed its findings about "Gauss," the name it's slapped on the malware it uncovered in June but that went dormant a month later when the command-and-control (C&C) servers shut down.
Gauss shares traits with other advanced malware, notably Flame -- thedigital espionage tool aimed at Iran that scouted out systems ripe for data thievery -- Roel Schouwenberg, a senior researcher at Kaspersky, said in an interview today. Those commonalities prompted the security firm to conclude that Gauss, like Flame, Stuxnet and Duqu, was created by a nation-state or that the project was funded by one or more governments.
"It's very clear that [Gauss] was built on the same platform as Flame," said Schouwenberg . "All these cyber weapons are linked to one another, and Gauss is part of that as well."
Previously, security experts -- including those at Kaspersky, as well as others at Symantec -- have connected Stuxnet with Duqu, and Flame with Stuxnet. Ergo, Gauss is connected to Stuxnet, the malware that sabotaged Iran's nuclear fuel enrichment program
Other experts have speculated that the U.S. and Israeli governments, specifically their intelligence agencies, were the sources of Stuxnet and Flame.
Two things about Gauss stand out, said Schouwenberg: The online banking component and a still-mysterious payload that's so heavily encrypted that Kaspersky has no idea yet what it is or what it does.
Gauss is the first government-backed or -built malware that uses a banking module. Among its other duties, the Trojan steals credentials for several Middle Eastern banks headquartered in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal.
Because the malware's C&C infrastructure was shuttered last month, before Kaspersky could probe the servers or run a tamed copy of the malware to watch it interact with them, it has been unable to root out exactly what Gauss did when it was operational.
But Schouwenberg said Kaspersky has some ideas.
"It appears [Gauss] was used as a surveillance tool," said Schouwenberg. "We currently believe it was used to monitor accounts and money flow. We don't think they were trying to actually take the money."
Tracking funding for terrorist groups has played a major role in counter-terrorism efforts, and the malware's focus on Lebanon, where Hezbollah is especially active, may point to connections to Iran, the target of both Stuxnet and Flame. Many experts believe Hezbollah often acts as a proxy for Iran in that country's sometimes-secret, often public, conflict with Israel.
Kaspersky has identified about 2,500 machines infected with Gauss -- those PCs are monitored by the security company -- with two-thirds of them located in Lebanon. Another 19% are in Israel.
- DOJ's charges against China reframe security, surveillance debate
- Hacker indictments against China's military unlikely to change anything
- U.S. to formally accuse Chinese military of hacking
- Cyberattacks could paralyze U.S., former defense chief warns
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Platfora Big Data Analytics for Network Security Platfora amplifies the effectiveness of network security analysis, providing Big Data Analytics capability to augment existing security infrastructure for known threats, and advanced...
- Improving IT Efficiencies: Four Advantages of Multi-Tenant Data Centers Increasing demands on IT are forcing organizations to rethink their data center options. For many organizations, that means turning to the flexibility afforded...
- Accelerating Cloud Deployment and Operations with Managed Services Companies that do not have sufficient in-house expertise to either deploy or maintain an IaaS cloud should turn to Managed Service Providers .
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Cyberwarfare White Papers | Webcasts