Monday, August 20, 2012

Stuxnet, Flame, Gauss: The Spreading Plague of Government Sponsored Computer Snooping


While analyzing the Flame malware that we detected in May 2012, Kaspersky Lab experts identified some distinguishing features of Flame's modules. Based on those features, we discovered that in 2009, the first variant of the Stuxnet worm included a module that was created based on the Flame platform. This indicates that there was some form of collaboration between the groups that developed the Flame and Tilded (Stuxnet/Duqu) platforms.

Based on the results of a detailed analysis of Flame, we continued to actively search for new, unknown components. A more in-depth analysis conducted in June 2012 resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to C&C [command and control] servers, as well as numerous other similarities to Flame.

In our opinion, all of this clearly indicates that the new platform which we discovered and which we called 'Gauss,' is another example of a cyber-espionage toolkit based on the Flame platform.

Gauss is a project developed in 2011-2012 along the same lines as the Flame project. The malware has been actively distributed in the Middle East for at least the past 10 months. The largest number of Gauss infections has been recorded in Lebanon, in contrast to Flame, which spread primarily in Iran.

Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks - for instance, Bank of Beirut, Byblos Bank, and Fransabank.

Curiously, several Gauss modules are named after famous mathematicians. The platform includes modules that go by the names 'Gauss', 'Lagrange', 'Godel', 'Tailor', 'Kurt' (in an apparent reference to Godel). The Gauss module is responsible for collecting the most critical information, which is why we decided to name the entire toolkit after it.

Gauss is a much more widespread threat than Flame. However, we have found no self-replication functionality in the modules that we have seen to date, which leaves open the question of its original attack vector.

Executive Summary

The first known Gauss infections date back to September-October 2011. During that period, the Gauss authors modified different modules multiple times. They also changed command server addresses. In the middle of July 2012, when we had already discovered Gauss and were studying it, the command servers went offline.

Gauss is designed to collect information and send the data collected to its command-and-control servers. Information is collected using various modules, each of which has its own unique functionality:

  1. Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.
  2. Collecting information about the computer's network connections.
  3. Collecting information about processes and folders.
  4. Collecting information about BIOS, CMOS RAM.
  5. Collecting information about local, network and removable drives.
  6. Infecting USB drives with a spy module in order to steal information from other computers.
  7. Installing the custom Palida Narrow font (purpose unknown).
  8. Ensuring the entire toolkit's loading and operation.
  9. Interacting with the command and control server, sending the information collected to it, downloading additional modules.
The spy module that works on USB drives uses an .LNK exploit for the CVE-2010-2568 vulnerability. The exploit is similar to the one used in the Stuxnet worm, but it is more effective. The module masks the Trojan's files on the USB drive without using a driver. It does not infect the system: information is extracted from it using a spy module (32- or 64-bit) and saved on the USB drive.
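A defender-side check for the Palida Narrow font item in the list above, added here as an example (it is not code from Kaspersky Lab or from this blog): it reads the 'name' table of TrueType/OpenType files and flags any whose family or full name contains "Palida Narrow". The function names and the constructed sample font are assumptions, as is the premise that the installed font carries that name in its name table.

```python
import struct
from pathlib import Path

TARGET = "palida narrow"  # font name taken from the report, compared case-insensitively

def font_names(data):
    """Return family/full names (name IDs 1 and 4) found in an sfnt font blob."""
    names = set()
    if len(data) < 12:
        return names
    num_tables = struct.unpack(">H", data[4:6])[0]
    for i in range(num_tables):
        rec = data[12 + 16 * i: 28 + 16 * i]          # 16-byte table directory entry
        if len(rec) < 16:
            break
        tag, _checksum, off, length = struct.unpack(">4sLLL", rec)
        if tag != b"name":
            continue
        tbl = data[off: off + length]
        if len(tbl) < 6:
            break
        _fmt, count, str_off = struct.unpack(">HHH", tbl[:6])
        for j in range(count):
            nr = tbl[6 + 12 * j: 18 + 12 * j]         # 12-byte name record
            if len(nr) < 12:
                break
            plat, _enc, _lang, name_id, nlen, noff = struct.unpack(">6H", nr)
            if name_id not in (1, 4):
                continue
            raw = tbl[str_off + noff: str_off + noff + nlen]
            # Unicode (0) and Windows (3) platforms store UTF-16BE; Macintosh (1) is 8-bit
            enc = "utf-16-be" if plat in (0, 3) else "latin-1"
            names.add(raw.decode(enc, errors="replace"))
    return names

def is_palida_narrow(data):
    return any(TARGET in n.lower() for n in font_names(data))

def scan_fonts(font_dir):
    """List font files in font_dir (e.g. C:\\Windows\\Fonts) whose name table matches."""
    fonts = (p for p in sorted(Path(font_dir).iterdir()) if p.suffix.lower() in (".ttf", ".otf"))
    return [p for p in fonts if is_palida_narrow(p.read_bytes())]

def build_sample_font(family):
    """Constructed test data: an sfnt header plus a lone name table, not a usable font."""
    s = family.encode("utf-16-be")
    name = struct.pack(">HHH", 0, 1, 18) + struct.pack(">6H", 3, 1, 0x409, 1, len(s), 0) + s
    header = struct.pack(">LHHHH", 0x00010000, 1, 16, 0, 0)
    return header + struct.pack(">4sLLL", b"name", 0, 28, len(name)) + name
```

Matching on the embedded name rather than the file name means a renamed font file is still flagged.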
Infection stats

We began our investigation into Gauss in early June 2012. Based on data obtained through the Kaspersky Security Network, we noticed right away that the Trojan appeared to be widely distributed in three particular countries in the Middle East.

Further observation later confirmed this three-country concentration. As of 31 July 2012, we've counted around 2500 unique PCs on which files from the Gauss collection have been found.

Gauss is the most recent development from the pool of cyber-espionage projects that includes Stuxnet, Flame and Duqu. It was most likely created in mid-2011 and deployed for the first time in August-September 2011.

Its geographical distribution is unique; the majority of infections were found in Lebanon, Palestine and Israel. One of the modules from Jan 2012 contains the path 'c:\documents and settings\flamer\desktop\gauss_white_1'. The 'flamer' in the path above is the Windows username that compiled the project. Given the focus on Lebanon, the 'white' version identifier can probably be explained as follows: 'the name Lebanon comes from the Semitic root LBN, meaning "white", likely a reference to the snow-capped Mount Lebanon.' (Wikipedia)

Code references and encryption subroutines, together with the Command and Control infrastructure, make us believe Gauss was created by the same 'factory' which produced Flame. This indicates it is most likely a nation-state sponsored operation.

Among Gauss' functions, the 'Winshell.ocx' module, which gives the malware its name 'Gauss', steals credentials required to access online banking accounts for several Lebanese banks - including the Bank of Beirut, Byblos Bank and Fransabank. This is the first publicly known nation-state sponsored banking Trojan.

Another feature which makes Gauss unique is its encrypted payload, which we haven't been able to unlock. The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload.

The discovery of Gauss indicates that there are probably many other related pieces of cyber-espionage malware in operation. The current tensions in the Middle East are just signs of the intensity of these ongoing cyber-war and cyber-espionage campaigns.
