Security experts push free Gauss detection tools
Tools sniff for surveillance malware's custom font, which may hint at a 'zero-day' exploit
Computerworld - Two security organizations have released online tools that let Windows users check for possible infections by Gauss, the newly-revealed cyber surveillance malware thought to have been built by one or more governments.
Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics each published Gauss detection tools today.
Gauss, Kaspersky said yesterday, is a sophisticated threat that monitors financial transactions with Middle Eastern banks, perhaps as part of a wider investigation into the funding of terrorist groups. Kaspersky believes that Gauss was built by or under the auspices of a government, in large part because of coding practices that resemble those used in Flame, an advanced spying and data-stealing toolkit that targeted Iranian computers.
Flame, which was uncovered three months ago but may have been operating since mid-2008, was notable for its ability to fake the Windows Update service, then use that to infect up-to-date Windows PCs.
Kaspersky has rejected the idea that Gauss is a run-of-the-mill money-stealing Trojan.
Both CrySys and Kaspersky sniff out Gauss by looking for a custom-built font, dubbed "Palida Narrow," that the malware adds to infected machines.
CrySys has played a prominent role in analyzing some of the malware that Kaspersky argued is linked to Gauss, including "Duqu," which is believed to have been crafted by the same team that built Stuxnet, the worm used to sabotage Iran's nuclear fuel enrichment program several years ago.
It's not yet clear why Gauss inserts the Palida Narrow font into infected PCs, or what purpose the new font serves. Some have speculated that it may hint at the use of a yet-undiscovered "zero-day" exploit of an unpatched vulnerability in word processing software, such as Microsoft Word.
Yesterday, Kaspersky senior researcher Roel Schouwenberg acknowledged that there are many facets of Gauss that remain mysterious, including whether it, like Stuxnet, relied on one or more unpatched bugs -- "zero days" in security speak -- to compromise personal computers.
Because one payload that Gauss installs is heavily encrypted, Kaspersky and other security firms cannot yet analyze it, and so cannot say whether it exploits unpatched vulnerabilities.
"But I wouldn't be surprised that there is a zero-day [exploit] in that payload," Schouwenberg said in a Thursday interview.
Many antivirus programs, including those from Kaspersky and Symantec, also detect Gauss through their traditional signature-based software.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
- South Korea cyberattacks hold lessons for U.S.
- U.S. military networks not prepared for cyberthreats, report warns
- Return of CISPA: Cybersecurity boon or privacy threat?
- New report says cyberspying group linked to China's army
Read more about Cyberwarfare in Computerworld's Cyberwarfare Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cyberwarfare White Papers | Webcasts