We received inquiries about the Gauss attack, which garnered significant media attention as it drew comparisons to Flame. Gauss was designed to steal system-related information and gather banking, social networking, email and instant messaging (IM) credentials. Researchers also surmised that this is possibly the latest in a string of state-sponsored attacks, which gained public awareness with the discovery of STUXNET in 2010.
Similarities with Flame
As readers may recall, Flame was touted as a cyber espionage tool that executes several information-stealing techniques, including screenshot capture and audio recording. Similar to Flame, Gauss was discovered to have targeted several countries in the Middle East.
Aside from its geographic scope, Gauss and Flame share several noteworthy technical commonalities, such as:
- Both were written in the same programming language (C++)
- Both exploited the same .LNK vulnerability (CVE-2010-2568)
- Both used USB drives as storage for stolen data
- Both were designed to steal browser history and cookies
- Both used the same encryption method (XOR)
- Both contained a similar command-and-control (C&C) structure
These common denominators led researchers to conclude that Gauss may be the handiwork of the same people behind Flame. Despite these similarities, Gauss was designed to focus on stealing information from Lebanese banks such as Bank of Beirut, BlomBank, ByblosBank, FransaBank and Credit Libanais, among others. It was also found to target other entities such as Citibank and the online payment system PayPal. To some experts, this fixation on Lebanese banks was proof that the attack may be sponsored by a particular state.
Trend Micro products protect users from this threat by detecting and deleting the related malware and by blocking access to the C&C IP addresses. We will update this blog entry as more information becomes available.
Update as of August 13, 2012 2:17 AM PST
Trend Micro detects the file components of this threat as TSPY_GAUSS.A.
Update as of August 15, 2012 5:35 PM PST