Gauss, the Flame malware's 'cousin', targets banks in Lebanon

“Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations”, according to a Kaspersky Lab blog.

The name of the malware comes from modules that have internal names paying tribute to famous mathematicians and philosophers, such as Johann Carl Friedrich Gauss, Kurt Godel, and Joseph-Louis Lagrange.

Since late May 2012, more than 2,500 infections were recorded by Kaspersky Lab’s cloud-based security system, with the estimated total number of victims of Gauss probably being in tens of thousands. Of those infections, more than 1,600 of them were discovered in Lebanon and nearly 500 in Israel, the blog noted.

Kaspersky Lab explained that Gauss was first uncovered by the International Telecommunication Union during an investigation into the Flame malware attacks. It is also apparently linked to the Stuxnet and Duqu worms. “After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories’”, the blog post said.

Commenting on the Gauss discovery, Ross Brewer, vice president and managing director for international markets with LogRhythm, commented: “This latest malware discovery clearly shows a developing trend of sophisticated cyber weapons, like the Stuxnet, Duqu and Flame viruses, which aim to take control of critical national systems. While Gauss’ initial purpose appears to be the theft of financial information, its inclusion of the ‘Godel’ module further proves that cyber warfare tactics between nation states can result in significant damage to physical infrastructure.”

What’s Hot on Infosecurity Magazine?