Gauss: abnormal distribution

From Botnets.fr


Botnet: Gauss
Date: 2012 / 2012-08-09
Editor/Conference: Kaspersky lab
Link: http://www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution
Author: GReAT
Type: Blogpost

Abstract

Introduction

While analyzing the Flame malware that we detected in May 2012, Kaspersky Lab experts identified some distinguishing features of Flame’s modules. Based on those features, we discovered that in 2009, the first variant of the Stuxnet worm included a module that was created based on the Flame platform. This indicates that there was some form of collaboration between the groups that developed the Flame and Tilded (Stuxnet/Duqu) platforms.
Based on the results of a detailed analysis of Flame, we continued to actively search for new, unknown components. A more in-depth analysis conducted in June 2012 resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to C&C servers, as well as numerous other similarities to Flame.
In our opinion, all of this clearly indicates that the new platform which we discovered, and which we called “Gauss”, is another example of a cyber-espionage toolkit based on the Flame platform.
Gauss is a project developed in 2011-2012 along the same lines as the Flame project. The malware has been actively distributed in the Middle East for at least the past 10 months. The largest number of Gauss infections has been recorded in Lebanon, in contrast to Flame, which spread primarily in Iran.
Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks – for instance, Bank of Beirut, Byblos Bank, and Fransabank. Curiously, several Gauss modules are named after famous mathematicians. The platform includes modules that go by the names “Gauss”, “Lagrange”, “Godel”, “Tailor”, “Kurt” (in an apparent reference to Godel). The Gauss module is responsible for collecting the most critical information, which is why we decided to name the entire toolkit after it.
Gauss is a much more widespread threat than Flame. However, we have found no self-replication functionality in the modules that we have seen to date, which leaves open the question of its original attack vector.

Bibtex

 @misc{2012BFR1087,
   editor = {Kaspersky lab},
   author = {GReAT},
   title = {Gauss: abnormal distribution},
   day = {09},
   month = aug,
   year = {2012},
   howpublished = {\url{http://www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution}},
 }