New State-Sponsored Malware "Gauss" Making the Rounds
EliSowash writes "A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to Kaspersky researchers. Gauss is a nation-state-sponsored banking Trojan which carries a warhead of unknown designation. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations. Just like Duqu was based on the 'Tilded' platform on which Stuxnet was developed, Gauss is based on the 'Flame' platform."
Re:Yet another part of the world getting pissed off (Score:5, Funny)
I'M A LEBANESE
Pics or... wait, I misread that.
Re: (Score:1)
Yeah, the island of Lesbos isn't big enough to be considered a nation. Any 4th grader should know at least that much geography.
Names (Score:1, Funny)
I want to name the next Malware Browncoat, because that is what Mal wears.
Re: (Score:3)
Yes, I believe he was hoping for a picture of that rim... oh shot...
Sorry, misread that.
Re: (Score:2, Funny)
Re: (Score:1)
Clandestine operations have plenty of use for unofficially raised funds. Remember Iran-Contra?
Here's a refresher [youtube.com] for those who don't.
So stupid it's got to be official. (Score:5, Insightful)
Governments releasing digital weapons on the internet. Thanks for the R&D!
COPY/PASTE.
Re: (Score:2)
yes but when you use it you are a threat to national security/terrorist....
hmm wonder if copy/paste can be declared a wmd
Re:So stupid it's got to be official. (Score:4, Interesting)
yes but when you use it you are a threat to national security/terrorist....
Unless you run a bank like HSBC.
Then you get a slap on the wrist and stern talkin' to. [bdnews24.com]
Gitmo is reserved for the proles; Party members need not concern themselves.
Re:So stupid it's got to be official. (Score:4, Informative)
Re: (Score:2)
Cool. So it just tries whatever configuration it finds itself on and, if it decrypts, bam. That's probably a useful little trick to remember.
Re: (Score:2, Interesting)
It takes time to develop and test an update and flash a system (not to mention money). Gauss is certainly time-limited, but that might be a feature. If you wanted to shut down Iranian centrifuges, for example, you could just send out a copy specific to those configurations. The Iranian centrifuge operators get attacked, realize they're the target (but nobody believes them), and spend time and money flashing their systems. Next week, Gauss2 comes out, same as last time but with "Penis" appended to the v
Re: (Score:2)
But something doesn't add up there... If they can reverse engineer and spoof the configuration, why are they unable to decrypt the payload?
I was under the impression that if a system has the knowledge to decrypt something, and you have access to that system, you will be able to get to the protected data. If what you say is true, what else is preventing them from busting the crypto?
This certainly has my curiosity bone tickled.
Re: (Score:2)
Guessing they haven't figured out what that configuration is.
Re: (Score:2)
They can't decrypt it today because Kaspersky doesn't know who the target is, was, or what their configuration looks like.
Let's think about its predecessor, Stuxnet, for a minute. Stuxnet's authors made several big security mistakes. First they gave away a free copy of "How to attack Iranian nuclear centrifuge systems via SCADA vulnerabilities" to every script kiddy on the planet; plus, they essentially told Iran "it's you." They seriously underestimated the ability of various groups of people to disass
Re: (Score:2)
Close, but not quite.
Some time a while ago, Gauss surveyed every victim's computer, reporting their config data to the CC servers.
The attackers identified a specific victim, and used that victim's config data to generate a key. The payload was then encrypted by the attackers with that particular key, and then delivered to every active Gauss zombie by the CC server.
The Gauss zombies don't ever carry the key, they always generate it locally from their own config data.
All zombies get the same payload, but onl
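The keying scheme this reply describes, modelled as an added example (not code from the article or from Kaspersky's analysis): the key is derived locally from a host fingerprint, the blob is sealed under that key and shipped to everyone, and an analyst holding the blob can only test it against candidate configurations, which is why nobody without the target's identifiers can open it. The fingerprint fields (the MAC/SPD/disk serial guesses from later in the thread), the hash-based stream cipher and the HMAC tag are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample fingerprints; the field names are assumptions borrowed
# from the thread's guesses, not Gauss's real key material.
TARGET_CONFIG = {"mac": "00:11:22:33:44:55", "spd": "SPD-7781", "disk": "WD-ABC123"}
OTHER_CONFIG = {"mac": "66:77:88:99:aa:bb", "spd": "SPD-0042", "disk": "ST-XYZ789"}


def derive_key(config: dict) -> bytes:
    """Canonicalise the fingerprint and hash it; the key never has to be shipped."""
    canonical = "|".join(f"{k}={config[k]}" for k in sorted(config))
    return hashlib.sha256(canonical.encode()).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (illustrative only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def seal(payload: bytes, key: bytes) -> bytes:
    """XOR with the keystream, then prepend an HMAC so a wrong key is detectable."""
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return tag + ct


def try_open(blob: bytes, config: dict):
    """Analyst-side check: derive the key from a candidate fingerprint and see
    whether the tag verifies. Returns the plaintext, or None on a mismatch."""
    key = derive_key(config)
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def find_unlocking_config(blob: bytes, candidates: list):
    """Test each known fingerprint against the blob; only an exact match opens it,
    so without the target's own identifiers the search simply comes up empty."""
    for cfg in candidates:
        if try_open(blob, cfg) is not None:
            return cfg
    return None
```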
Re: (Score:2)
I'm assuming from the article that the configuration data they're talking about are things like MACs from the victim's NICs, serial numbers off of the memory SPD chips, and serial numbers from the SATA drives. If that's true, it would be easy enough to swap a memory stick out to avoid the problem, rather than trying to re-flash something.
If you've got that much knowledge about your potential for being hacked, you've probably already updated your systems with the latest anti-virus programs that would catch
one step closer to the world of Neal Stephenson (Score:3, Interesting)
In "The Diamond Age", sovereign powers and those with the means engage in (more or less) open conflict using nanomachines colloquially referred to as "mites". Particularly vicious "battles" in these conflicts manifest as smog-like pollution formed by mites of opposing factions destroying each other and leaving inert carcasses hanging in the air and settling over streets, buildings, etc. like a kind of artificial dust. Those unlucky enough to be caught outside during these times breathe them in and have no
I got the solution (Score:5, Funny)
Re: (Score:2)
I think there is a button on the monitor
Re: (Score:2)
Overkill, you just need to use Gaussian elimination.
Re: (Score:2)
I know cockroaches and mice can become problematic as they commonly make their homes in nice warm computers with convenient openings, but do people really have a problem with 18th-century mathematician infestations?
Stop making malware (Score:1)
New State-Sponsored WINDOWS Malware. (Score:1)
Yes, it matters.
Would an article about a new APPLICATION not reference what OS it runs on?
Re: (Score:1)
I demand a citation!! Where's your proof? Is it hiding under your tinfoil hat?
Re: (Score:2)
It's a do-it-yourself service: we give you the source code and you find the backdoors yourself.
Re: (Score:3)
I think we all assume massive malware failures on Microsoft. That's a statement, though you can read that as a troll/joke, which is kind of scary in its own way - MS is so bad that the joke is you assume it's the bad one.
Mac OSX is getting enough inroads to make it commercially viable to produce malware, but in a weird way I think people will skip it and move more quickly to Android/iOS.
Re:New State-Sponsored WINDOWS Malware. (Score:5, Funny)
Well, according to the helpful lads at 4chan, that folder is usually just filled with malware. They recommend deleting that folder. Seems like a pretty good idea.
Re:New State-Sponsored WINDOWS Malware. (Score:4, Insightful)
Actually, it doesn't. Had those plants been running Linux workstations, the malware would target Linux. Likely without breaking a sweat.
What? (Score:1)
Re:What? (Score:4, Interesting)
If the developers used pure assembler (which people don't any more *laments*) and scrubbed the code properly, you could make it much harder to trace (but doing so in itself gives you clues about the creator).
Re:What? (Score:4, Informative)
While cleaning rootkits off servers and such, you'd be surprised. Half the time they go right out and say who made it and when. Usually with some silly message or statement, too.
Re: (Score:2)
Example silly message or statement: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Since when (Score:5, Funny)
is a gaussian distribution news?
Re: (Score:3)
Well it's certainly not normal! Oh wait...
(disclaimer: I had to look it up :( )
Re: (Score:2)
well, the news is always skewed, so I guess Gaussian would be a big deal.
Identifying printed documents? (Score:2)
If the infections are targeted, perhaps the font is dropped to allow found printed documents to be linked to one of the targets?
Re: (Score:2)
I hadn't thought of that, that seems much more likely.
Re: (Score:3)
Interesting idea, but I bet the creators are much more cognizant of operational security. I doubt they surf the web from the development machines.
I'm guessing the development boxes are actually VMs inside their workstations. Think about it: would you really want to unit test a malware payload on a machine connected to the rest of your lab, or connected to the entire world?
Topic : Is this the new 'security' paradigm? (Score:1)
Is state-sponsored malware and having e-spies in all aspects of everything online...
Is this something that's going to 'solve the problem' or 'become the problem' would you say?
warhead?! (Score:2)
I believe the word you are searching for is "payload."
Re: (Score:2)
No way man, "warhead of unknown designation" sounds way more scarycool.
Re: (Score:2)
Or, one could realize that we only have so much space in our signatures for the HTML.
I would have used preview.tinyurl.com if I could. It got truncated.
State Sponsored... (Score:1, Interesting)
Re: (Score:2)
You clearly missed the article in the New York Times...
Re: (Score:2)
If the US were actually interested in tracking money laundering the Bush Madministration wouldn't have withdrawn from the international anti-money laundering accord in February of 2001. Obam
Cipher Support For Arab Freedom (Score:1)
Instead of doing stupid comments here which only waste bandwidth, why don't we write some software to help the cause of Arab Freedom? There is still no translation into Arabic for GPG!
I did something minor - a strong paper cipher which can secure combat radio messages: http://alkindicipher.wordpress.com
Wouldn't it be easier (Score:5, Funny)
Wouldn't it be easier to just send them all an e-mail: "Hello, I am Mrs. Kadafi, wife of the late ruler of Libya. My husband left me with 300 million USD in a Swiss account..."
When China strikes back (Score:1)
When China strikes back it will be a lot more interesting. Is the US ready? If Israel with the US think it's ok to infect computers in friendly and neutral countries, they can't blame China for doing this too.
Re: (Score:1)
What do you mean "when"? China is already engaged in massive cyber-espionage with us.
Why can't they list the OS? (Score:1)
On virus announcements, why don't they ever mention vulnerable operating systems? Not all malware can infect all operating systems. It would be nice to know the specifics.
Then again, maybe Microsoft wouldn't like the bad PR.
May inspire a Windows exodus... (Score:5, Interesting)
Re: (Score:1)
I really doubt the NSA needs a back door adding. They probably have a list of 0days a mile long.
Clearly created by the US (Score:1)
Re: (Score:2)
Stupid thing to do. Because if I wanted to discredit another country, the most ingenious way would be to make it LOOK like they had done something, but that left subtle hints that it was them that created it.
Cue years of wrangling to get to the bottom of who exactly created it, while some other (unknown) entity who actually wrote it just walks away without suspicion.
We're talking international cyber-warfare here, aimed at nuclear processing plants. If I was making something like that, item #1 on my list
"Only one infection has been found in Iran" ..hmmm (Score:1)
Perhaps that one infection was the source of the other 2,446 infections?
Iran is a major player in Lebanon after all.
Internet terrorism (Score:2, Interesting)
Countries that release stuff like this into the wild are criminal rogue states. It's like dumping agent-orange not just on the jungles of Vietnam during war, but on the entire planet as a whole.
There are no borders on the Internet. What you release is not limited to your target and affects everyone.
One can only hope that the governments that released Flame, Stuxnet, and now this, become victims of their own weapons.
Yes, I do know who that likely means. I certainly hope it comes back to bite us like a tor
Re: (Score:2)
I regard them as healthy, because unless herd resistance to such things is built up by exposure, the herd will be less robust.
"One can only hope that the governments that released Flame, Stuxnet, and now this, become victims of their own weapons."
That would usefully coerce them to adopt better practices.
Re: (Score:1)
I find it interesting that stating facts as they exist on the ground is now "troll" on slashdot.
Re: (Score:2)
The behavior of Gauss as described in TFA is made to sound like "socially responsible malware".
By encrypting the payload with a key unique to a specific configuration, they are not providing that payload to anyone else. Not even Kaspersky can decrypt the payload, at least not until the target machine is identified. And by then it's probably too late.
Sure, they're still sending out malware, with USB exploits, root kits, and other bad stuff. It's not that much worse than what is widely available online toda
Re: (Score:2)
>It's not that much worse than what is widely available online today.
As if malware today is benign. It's sent out by criminals, and states that do this are therefore criminal states. Collective punishment is a war crime in real life because it is indiscriminate. This is collective punishment in e-space.
Why is malware being served up by a government any less criminal? Because it's a government? I'm not a teahadist, and I am not affected by this because I use linux, but I do object to people delibera