On August 9, 2012, Kaspersky Lab released a report on a new information-stealing malware it has named “Gauss.”
According to the report, Gauss is designed to collect information and send the data to its command-and-control servers.
Kaspersky has detected Gauss predominantly on systems in Lebanon, the Palestinian Territories, and Israel. Gauss has also been detected on a limited number of networks in the U.S.; however, the impact on these systems is currently unknown. Based on initial reporting and analysis of Gauss, no evidence exists that Gauss targets industrial control systems (ICS) or U.S. government agencies.
According to Kaspersky, Gauss collects information using various modules and has the following functionality:
• injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies, and browser history,
• collecting information about the computer’s network connections,
• collecting information about processes and folders,
• collecting information about BIOS and CMOS RAM,
• collecting information about local, network and removable drives,
• infecting removable media drives with an information-stealing module in order to steal information from other computers,
• installing the custom “Palida Narrow” font (purpose unknown),
• ensuring the entire toolkit’s loading and operation, and
• interacting with the command-and-control server, sending the information collected to it, and downloading additional modules.
Kaspersky’s analysis indicates that Gauss has a number of similarities to Duqu, Flame, and Stuxnet. The USB device information-stealing module exploits a known “.LNK” vulnerability (CVE-2010-2568), the same vulnerability exploited by Stuxnet.
According to the report, the USB module also includes an encrypted payload that has unknown functionality. Both ICS-CERT and US-CERT are evaluating the malware to understand the full functionality and will report updates as needed.
At this time, no specific mitigations are available; however, several indicators associated with Gauss have been published in Kaspersky’s report. Organizations should consider taking defensive measures using the available indicators where practical, for example by checking hosts for the custom “Palida Narrow” font and by confirming that the .LNK vulnerability (CVE-2010-2568) used by the USB module has been patched.
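The following PowerShell script is an added example of the kind of host check this advisory suggests; it is not part of the advisory or of Kaspersky’s report. It looks for the two indicators named above: the “Palida Narrow” font (in the Windows font registry key and in the Fonts directory) and the patch state for CVE-2010-2568. The script assumes the font is registered or stored under a name containing “Palida,” and that the relevant Microsoft fix is bulletin MS10-046 (KB2286198); both assumptions should be verified against Kaspersky’s published indicators and Microsoft’s bulletin before relying on the result.

```powershell
# Added example: check a Windows host for the two Gauss indicators named in the advisory.
# Assumptions (not from the advisory): the font appears under a name containing "Palida"
# in the standard Fonts registry key and/or as a file in %WINDIR%\Fonts, and the fix for
# CVE-2010-2568 is Microsoft bulletin MS10-046 (KB2286198).

param(
    [string]$FontIndicator = 'Palida',
    [string]$LnkPatchKb    = 'KB2286198'   # MS10-046; verify against current Microsoft guidance
)

$fontRegKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
$fontDir    = Join-Path $env:WINDIR 'Fonts'

# 1. Registered fonts: each value name is the font's display name, each value its file name.
$regHits = @()
if (Test-Path $fontRegKey) {
    $props = Get-ItemProperty -Path $fontRegKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like "*$FontIndicator*" -or "$($p.Value)" -like "*$FontIndicator*") {
            $regHits += "$($p.Name) = $($p.Value)"
        }
    }
}

# 2. Font files on disk, whether or not they are registered.
$fileHits = @()
if (Test-Path $fontDir) {
    $fileHits = Get-ChildItem -Path $fontDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$FontIndicator*" } |
        ForEach-Object { $_.FullName }
}

# 3. Patch state for the .LNK vulnerability used by the USB module.
#    Get-HotFix only lists individually installed updates; on systems that received the fix
#    through a cumulative rollup, absence here does not prove the host is unpatched.
$lnkPatch = Get-HotFix -Id $LnkPatchKb -ErrorAction SilentlyContinue

[PSCustomObject]@{
    ComputerName      = $env:COMPUTERNAME
    FontRegistryHits  = $regHits
    FontFileHits      = @($fileHits)
    LnkPatchInstalled = [bool]$lnkPatch
    Suspicious        = ($regHits.Count -gt 0) -or (@($fileHits).Count -gt 0)
}
```

Run it from an elevated PowerShell session on each host, or distribute it across a fleet with Invoke-Command and collect the returned objects centrally. A hit on the font is worth investigating given that the advisory lists it as a Gauss indicator, but because the font’s purpose is unknown, treat it as a lead for further analysis rather than as confirmation of infection.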
The full ICS-CERT advisory can be found here: