English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Gauss: Nation-state cyber-surveillance meets banking Trojan

GReAT
Kaspersky Lab Expert
Posted August 09, 13:00  GMT
Tags: Internet Banking, Targeted Attacks, Stuxnet, Duqu, Flame, Cyber weapon, Cyber espionage, Gauss
0.7
 

Introduction

Gauss is the most recent cyber-surveillance operation in the Stuxnet, Duqu and Flame saga.

It was probably created in mid-2011 and deployed for the first time in August-September 2011.

Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunications Union (ITU), following the discovery of Flame. The effort is aimed at mitigating the risks posed by cyber-weapons, which is a key component in achieving the overall objective of global cyber-peace.

In 140 chars or less, “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations.

Just like Duqu was based on the “Tilded” platform on which Stuxnet was developed, Gauss is based on the “Flame” platform. It shares some functionalities with Flame, such as the USB infection subroutines.

In this FAQ, we answer some of the main questions about this operation. In addition to this, we are also releasing a full technical paper (HTML version and PDF version) about the malware’s functionalities.

What is Gauss? Where does the name come from?

Gauss is a complex cyber-espionage toolkit created by the same actors behind the Flame malware platform. It is highly modular and supports new functions which can be deployed remotely by the operators in the form of plugins. The currently known plugins perform the following functions:

  • Intercept browser cookies and passwords.
  • Harvest and send system configuration data to attackers.
  • Infect USB sticks with a data stealing module.
  • List the content of the system drives and folders
  • Steal credentials for various banking systems in the Middle East.
  • Hijack account information for social network, email and IM accounts.

The modules have internal names which appear to pay tribute to famous mathematicians and philosophers, such as Kurt Godel, Johann Carl Friedrich Gauss and Joseph-Louis Lagrange.

The module named “Gauss” is the most important in the malware as it implements the data stealing capabilities and we have therefore named the malware toolkit by this most important component.


Gauss Architecture

In addition, the authors forgot to remove debugging information from some of the Gauss samples, which contain the paths where the project resides. The paths are:

Variant Path to project files
August 2011 d:\projects\gauss
October 2011 d:\projects\gauss_for_macis_2
Dec 2011-Jan 2012 c:\documents and settings\flamer\desktop\gauss_white_1

One immediately notices “projects\gauss”.

In regards to the “white” part - we believe this is a reference to Lebanon, the country with the most Gauss infections. According to Wikipedia, “The name Lebanon comes from the Semitic root LBN, meaning "white", likely a reference to the snow-capped Mount Lebanon.” http://en.wikipedia.org/wiki/Lebanon#Etymology

How was Gauss discovered? And when?

Gauss was discovered during the course of the ongoing investigation initiated by the International Telecommunication Union (ITU), which is part of a sustained effort to mitigate the risks posed by emerging cyber-threats, and ensure cyber-peace.

As part of the effort we continued to analyze the unknown components of Flame to determine if they revealed any similarities, correlations or clues regarding new malicious programs that were actively operating.

During the course of the analysis, we discovered a separate cyber-espionage module which appeared similar to Flame, but with a different geographical distribution. Originally, we didn’t pay much attention to it because it was already detected by many anti-malware products. However, we later discovered several more modules, including some which were not detected, and upon a closer look, we noticed the glaring similarities to Flame. Following our detailed analysis in June and July 2012, we confirmed the origin of the code and the authors as being the same as Flame.

When was Gauss created and how long has it been operational? Is it still active?

Based on our analysis and the timestamps from the collected malware modules, we believe the Gauss operation started sometime around August-September 2011. This is particularly interesting because around September 2011, the CrySyS Lab in Hungary announced the discovery of Duqu. We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.

Since late May 2012, more than 2,500 infections were recorded by Kaspersky Lab’s cloud-based security system, with the estimated total number of victims of Gauss probably being in tens of thousands.

The Gauss command-and-control (C&C) infrastructure was shutdown in July 2012. At the moment, the malware is in a dormant state, waiting for its C&C servers to become active again.

What is the infection mechanism for this malware? Does it have self-replicating (worm) capabilities?

Just like in the case of Flame, we still do not know how victims get infected with Gauss. It is possible the mechanism is the same as Flame and we haven’t found it yet; or it may be using a different method. We have not seen any self-spreading (worm) capabilities in Gauss, but the higher number of victims than Flame might indicate a slow spreading feature. This might be implemented by a plugin we have not yet seen.

It’s important to mention that Gauss infects USB sticks with a data stealing component that takes advantage of the same .LNK (CVE-2010-2568) vulnerability exploited by Stuxnet and Flame. At the same time, the process of infecting USB sticks is more intelligent and efficient. Gauss is capable of “disinfecting” the drive under certain circumstances, and uses the removable media to store collected information in a hidden file. The ability to collect information in a hidden file on USB drives exists in Flame as well. Another interesting component of Gauss is the installation of a custom font called Palida Narrow. The purpose of this font installation is currently unknown.

Are there any zero-day (or known) vulnerabilities included?

We have not (yet) found any zero-days or “God mode” Flame-style exploits in Gauss. However, because the infection mechanism is not yet known, there is the distinct possibility that an unknown exploit is being used.
It should be noted that the vast majority of Gauss victims run Windows 7, which should be prone to the .LNK exploit used by Stuxnet. Therefore, we cannot confirm for sure that there are no zero-days in Gauss.

Is there any special payload or time bomb inside Gauss?

Yes, there is. Gauss’ USB data stealing payload contains several encrypted sections which are decrypted with a key derived from certain system properties. These sections are encrypted with an RC4 key derived from a MD5 hash performed 10000 times on a combination of a “%PATH%” environment string and the name of the directory in %PROGRAMFILES%. The RC4 key and the contents of these sections are not yet known - so we do not know the purpose of this hidden payload.

We are still analyzing the contents of these mysterious encrypted blocks and trying to break the encryption scheme. If you are world class cryptographer interested in this challenge, please drop us an e-mail at theflame@kaspersky.com

How is this different from the typical backdoor Trojan? Does it do specific things that are new or interesting?

After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same “factory” or “factories.” All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of “sophisticated malware.”

Gauss’ highly modular architecture reminds us of Duqu -- it uses an encrypted registry setting to store information on which plugins to load; is designed to stay under the radar, avoid security and monitoring programs and performs highly detailed system monitoring functions. In addition, Gauss contains a 64-bit payload, together with Firefox-compatible browser plugins designed to steal and monitor data from the clients of several Lebanese banks: Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. In addition, it targets users of Citibank and PayPal.

This is actually the first time we’ve observed a nation-state cyber-espionage campaign with a banking Trojan component. It is not known whether the operators are actually transferring funds from the victim’s bank accounts or whether they are simply monitoring finance/funding sources for specific targets.

How sophisticated is Gauss? Does it have any notable characteristics, functions or behaviors that separate it from common spyware or info-stealing Trojans?

Compared to Flame, Gauss is less sophisticated. It lacks the modular LUA-based architecture but it is nevertheless quite flexible. Compared to other banking Trojans, it appears to have been fine-tuned, in the sense that it doesn’t target hundreds of financial institutions, but a select list of online banking institutions.

What is unique about Gauss, either technically or operationally, that differentiates it from Flame, Duqu and Stuxnet?

The key characteristic of Gauss is the online banking Trojan functionality. The ability to steal online banking credentials is something we haven’t previously seen in nation-state sponsored malware attacks.

How many infected computers are there? How many victims have you seen? The cloud-based Kaspersky Security Network (KSN) has recorded more than 2,500 infected machines. This is lower than Stuxnet but significantly higher than in the Flame and Duqu cases.

The overall number of infections that we’ve detected could in reality just be a small portion of tens of thousands of infections, since our statistics only cover users of Kaspersky Lab products.

Geographical Comparison of Infected Machines for Duqu, Flame and Gauss

Where are the victims located (geographic distribution)?

The vast majority of Gauss victims are located in Lebanon. There are also victims in Israel and Palestine. In addition to these, there are a few victims in the U.S., UAE, Qatar, Jordan, Germany and Egypt.

Top Three Countries Infected with Gauss

Is Gauss targeting any specific type of industry?

Gauss doesn’t target businesses or a specific industry. It can best be described as a high-end cyber-surveillance operation against specific/targeted individuals.

Is this a nation-state sponsored attack?

Yes, there is enough evidence that this is closely related to Flame and Stuxnet, which are nation-state sponsored attacks. We have evidence that Gauss was created by the same “factory” (or factories) that produced Stuxnet, Duqu and Flame.

By looking at Flame, Gauss, Stuxnet and Duqu, we can draw the following “big picture” of the relationship between them:

How many command and control servers are there? Did you do forensic analysis of these servers?

In the process of analyzing Gauss, we identified several command-and-control domains and 5 different servers being used to retrieve data harvested from infected machines.

This is also the first time we observe the use of “Round-robin DNS” in these malware families, possibly indicating the much higher volume of data were being processed. Round-robin DNS or DNS Balancing is a technique used to distribute high workloads between different web servers.

We are currently still investigating the Gauss C2 infrastructure. More details are available in the full technical paper.

Did you sinkhole the command and control servers?

We have not. We are now in the process of working with several organizations to investigate the C2 servers.

What is the size of Gauss? How many modules does it have?

The Gauss “mother-ship” module is a little over 200K. It has the ability to load other plugins which altogether count for about 2MB of code. This is about one-third of the main Flame module mssecmgr.ocx.Of course, there may be modules which we haven’t discovered yet - used in other geographical regions or in other specific cases.

Does Kaspersky Lab detect this malware? How do I know if my machine is infected?

Yes, Kaspersky Lab detects this malware as Trojan.Win32.Gauss

Is Kaspersky Lab working with any government organizations or international groups as part of the investigation and disinfection efforts?

Kaspersky Lab is working closely with the International Telecommunication Union (ITU) to notify affected countries and to assist with disinfection.

Did Kaspersky Lab contact the victims infected with Gauss?

We do not have information to identify the victims and the capability to notify them. Instead, we are releasing detection and removal definitions and we are working with law enforcement agencies, CERTs and other international organizations to broadcast warnings about the infections.

Why was it focusing on browsing history, banking credentials, BIOS and network card/interface information? What is the significance or interest?

We do not have a definitive answer for this. The presumption is that the attackers are interested in profiling the victims and their computers. Banking credentials, for instance, can be used to monitor the balance on the victim’s accounts - or, they can be used to directly steal money. We believe the theory that Gauss is used to steal money which are used to finance other projects such as Flame and Stuxnet is not compatible with the idea of nation-state sponsored attacks.

Why were the attackers targeting banking credentials? Were they using it to steal money or to monitor transactions inside accounts?

This is unknown. However, it is hard to believe that a nation state would rely on such techniques to finance a cyber-war/cyber-espionage operation.

What kinds of data was being exfiltrated?

The Gauss infrastructure was shut down before we had the chance to analyze a live infection and to see exactly how much and what kind of data was stolen. So, our observations are purely based on analyzing the code.

Detailed data on the infected machine is also sent to the attackers, including specifics of network interfaces, computer’s drives and even information about BIOS. The Gauss module is also capable of stealing access credentials for various online banking systems and payment methods.

It’s important to point out that the Gauss C2 infrastructure is using Round Robin DNS - meaning, they were ready to handle large amounts of traffic from possibly tens of thousands of victims. This can offer an idea on the amount of data stolen by Gauss’ plugins.

Is there a built in Time-to-Live (TTL) component like Flame and Duqu had?

When Gauss infects an USB memory stick, it sets a certain flag to “30”. This TTL (time to live) flag is decremented every time the payload is executed from the stick. Once it reaches 0, the data stealing payload cleans itself from the USB stick. This makes sure that sticks with Gauss infections do not survive ItW for long enough to results in detection.

What programming language was used? LUA? OOC?

Just like Flame, Gauss is programmed in C++. They share a fair deal of code, probably low level libraries which are used in both projects. These common libraries deal with strings and other data manipulation tasks. We did not find any LUA code in Gauss.

What is the difference in the propagation between Gauss and Flame inside networks?

One of the known spreading mechanisms of Flame was by impersonating Windows Update and performing a man-in-the-middle attack against the victims. We haven’t found any such code in Gauss yet, neither we have identified a local network spreading mechanism. We are still investigating the situation and will update the FAQ with further findings.

Did the command and control servers connect to any of Flame’s or does Gauss have its own C2 infrastructure?

Gauss used a separate C2 infrastructure from Flame. For instance, Flame used about 100 domains for its C2s, while Gauss uses only half a dozen. Here’s a comparison and Gauss and Flame’s C2 infrastructures:

  Flame Gauss
Hosting VPS running Debian Linux VPS running Debian Linux
Services available SSH, HTTP, HTTPS SSH, HTTP, HTTPS
SSL certificate 'localhost.localdomain' - self signed 'localhost.localdomain' - self signed
Registrant info Fake names Fake names
Address of registrants Hotels, shops Hotels, shops
C2 traffic protocol HTTPS HTTPS
C2 traffic encryption None XOR 0xACDC
C2 script names cgi-bin/counter.cgi, common/index.php userhome.php
Number of C2 domains ~100 6
Number of fake identities used to register domains ~20 3

What should I do if I find an infection and am willing to contribute to your research by providing malware samples?

Please contact us at the address “theflame@kaspersky.com” which we have previously setup for victims of these cyber attacks.

   You can download PDF version of full technical paper here.


5 comments

Oldest first
Threaded view
 

MeanWhile

2012 Aug 10, 16:23
0
 

Great artice again!

The Palida Narrow font might indicate the infection to an unknown word processor exploit.

Reply    

Andy Chow

2012 Aug 15, 02:01
0
 

Purpose of the uniquely named “Palida Narrow” font

Here's my theory. A website can detect if a computer has a specified font or not (using JavaScript for example).

Only infected computers would have "Palida Narrow". Therefore, when communicating with command and control servers, this can be used to validate if said computer is really infected or if it is an uninfected computer seeking the site, and change it's behavior accordingly.

That would be a way to monitor if someone was hitting your website but was not an infected computer.

Reply    

nlskipper

2012 Aug 16, 17:07
0
 

Font-file as "registry"?

I'm pretty sure you thought about this yourself, but I was just wondering: are all the "Palida Narrow" font files you found identical?

Apart from being a reliable proof-of-infection to web-servers (and local applications!), any information about the infected system could be passed to a webserver by using the properties (especially those that influence the width and height) of each individual Palida character as "datafields", in combination with the web-server measuring resulting text-widths and -heights in javascript (as you do yourself in your on-line detection tool). This, of course, could be done by any webserver (including those that are government operated or -infected) or man-in-the-middle that knows about the secrets Palida protects.

The question is: how can the attackers be sure that such a website will be contacted by the infected system?

Although spelled with double "l", the plant Tradescantia Pallida is also called "wandering Jew".

Edited by nlskipper, 2012 Aug 16, 18:08

Reply    

vignus

2012 Aug 17, 13:44
0
 

Is Gauss using the same C2 as Flame?

Thank you for sharing this very interesting information.

Did you get an image of a C2? Is Gauss using the same C2 (scripts) as Flame?

Reply    

qidong

2014 Apr 01, 11:29
0
 

the relation between Stuxnet, Duqu, Flame,and gauss.

I want to know more about how the flame work? thanks.

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Related Links

Analysis

Blog