Nation-backed surveillance malware monitors Middle East bank accounts

Encrypted payload may also contain destructive code, a la Stuxnet, says Kaspersky

1 2 Page 2
Page 2 of 2

Based on that 2,500, Schouwenberg said Kaspersky estimates that "tens of thousands" of computers have been infected with the Trojan worldwide since the malware kicked off its campaign in September or October 2011.

Gauss' still-secret payload also intrigued researchers.

Like Stuxnet, Gauss has a module that relies on USB flash drives, said Schouwenberg. When a drive is plugged into a Gauss-infected Windows PC, it secretly transfers code to the drive. If that same drive is later inserted into another, non-infected machine, under specific circumstances -- derived from the PC's system configuration -- it executes code that looks through directories and exfiltrates data to the drive.

When the flash drive is plugged back into a Gauss-infected machine, the information it stole from the non-infected system is transferred to the malware's C&C servers.

"We don't know what it's looking for, but with time we'll be able to do so," said Schouwenberg. "What is so important that they went to the trouble of hiding this code? We think that they're using the USB drives to bridge the 'air gap.'"

"Air gap" refers to the broken link between computers that are connected to the Internet and those that are not. The latter must be infected or surveyed through means other than a network or the Internet. Experts believe that the computers which controlled Iran's nuclear fuel enrichment machinery were infected using USB drives, since those PCs would not have been connected to the Internet, and thus not directly accessible from previously-compromised computers.

Kaspersky hypothesized that the unknown payload may, in fact, carry destructive code, ala Stuxnet.

Bolstering that thought was the use of a long-patched vulnerability to install the mysterious payload. That bug, which exploits a flaw in Windows shortcut files, identified by the ".lnk" extension, was used by Stuxnet in its USB drive-based infection vector.

Microsoft patched the .lnk vulnerability with an emergency update -- one outside its usual once-a-month schedule -- on Aug. 2, 2010.

The fact that Gauss relied on a bug patched two years ago led Schouwenberg to speculate that the targets may have been important systems, perhaps ones that control industrial processes.

"[Industrial controlling PCs] are rarely patched, first because they're not connected to the Internet -- again, the air gap -- and also because patching reduces uptime, which is critical for those systems," said Schouwenberg.

Kaspersky has published an FAQ on Gauss, as well as a 48-page analysis of the malware (download PDF).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Copyright © 2012 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon