ICS-CERT: Gauss Information Stealing Malware

Tuesday, August 14, 2012

Infosec Island Admin


On August 9, 2012, Kaspersky Lab released a report on a new information-stealing malware they have named “Gauss.”

According to the report, Gauss is designed to collect information and send the data to its command-and-control servers.

Kaspersky has detected Gauss predominantly on systems in Lebanon, the Palestinian Territories, and Israel. Gauss has also been detected on a limited number of networks in the U.S.; however, the impact to these systems is currently unknown. Based on initial reporting and analysis of Gauss, no evidence exists that Gauss targets industrial control systems (ICS) or U.S. government agencies.

According to Kaspersky, information is collected by Gauss using various modules and has the following functionality:

• injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies, and browser history,
• collecting information about the computer’s network connections,
• collecting information about processes and folders,
• collecting information about BIOS and CMOS RAM,
• collecting information about local, network and removable drives,
• infecting removable media drives with an information-stealing module in order to steal information from other computers,
• installing the custom “Palida Narrow” font (purpose unknown),
• ensuring the entire toolkit’s loading and operation, and
• interacting with the command and control server, sending the information collected to it, and downloading additional modules.

Kaspersky’s analysis indicates that Gauss has a number of similarities to Duqu, Flame, and Stuxnet. The USB device information-stealing module exploits a known “.LNK” vulnerability (CVE-2010-2568), the same vulnerability exploited by Stuxnet.

According to the report, the USB module also includes an encrypted payload that has unknown functionality. Both ICS-CERT and US-CERT are evaluating the malware to understand the full functionality and will report updates as needed.

At this time, no specific mitigations are available; however, several indicators associated with Gauss have been published in Kaspersky’s report. Organizations should consider taking defensive measures using the available indicators where practical.
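One practical form of the defensive measure recommended above is a host sweep that compares files against a published indicator list (file hashes and dropped file names, such as a font file). The following is an added example, not code from the ICS-CERT advisory or from Kaspersky; every indicator value in it is a constructed placeholder (a hash of a sample file it creates itself and a made-up file name), not a real Gauss indicator. A real sweep would load the hashes and names from the vendor report instead of `build_demo_tree()`.

```python
"""Added example: sweep a directory tree for files whose SHA-256 or file name
matches an indicator list. Indicator values are CONSTRUCTED placeholders."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_hashes, ioc_names):
    """Walk `root`; return [(path, reasons)] for every file matching an indicator.

    ioc_hashes: set of lower-case SHA-256 hex digests from the indicator list
    ioc_names:  set of lower-case file names (e.g. a dropped font file)
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in ioc_names:
                reasons.append("name")
            try:
                if sha256_of(path) in ioc_hashes:
                    reasons.append("hash")
            except OSError:
                # Locked or unreadable files are reported rather than skipped silently.
                reasons.append("unreadable")
            if reasons:
                hits.append((path, reasons))
    return hits


def build_demo_tree():
    """Create a constructed sample tree: one benign file, one hash hit, one name hit."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    fonts = os.path.join(root, "Fonts")
    os.makedirs(fonts)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"harmless constructed file\n")
    with open(os.path.join(root, "suspect.bin"), "wb") as f:
        f.write(b"constructed sample payload\n")
    with open(os.path.join(fonts, "demo_palida.ttf"), "wb") as f:
        f.write(b"constructed font placeholder\n")
    # Placeholder indicators: the hash of the constructed file and a made-up font name.
    ioc_hashes = {sha256_of(os.path.join(root, "suspect.bin"))}
    ioc_names = {"demo_palida.ttf"}
    return root, ioc_hashes, ioc_names


def demo():
    """Run the sweep over the constructed tree; returns sorted (basename, reasons)."""
    root, ioc_hashes, ioc_names = build_demo_tree()
    hits = sweep(root, ioc_hashes, ioc_names)
    return sorted((os.path.basename(p), r) for p, r in hits)


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {', '.join(reasons)}")
```

Hash matching alone misses recompiled or repacked variants, so the sweep also matches on file name; either signal on its own is only a reason to investigate the host, not proof of infection.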

The full ICS-CERT advisory can be found here:

Source: http://www.us-cert.gov/control_systems/pdf/JSAR-12-222-01.pdf
