Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2012
    S M T W T F S
    « Jul   Sep »
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for August 13th, 2012




    We received inquiries about the Gauss attack, which garnered significant media attention as it drew comparisons to Flame. Gauss was designed to steal system-related information and gather banking, social networking, email and instant messaging (IM) credentials. Researchers also surmised that this is possibly the latest among the strings of state-sponsored attacks, which gathered awareness with the discovery of STUXNET in 2010.

    Similarities with Flame

    As readers may recall, Flame was touted as a cyber espionage tool that executes several information stealing techniques including screen shots capture and audio recording. Similar to Flame, Gauss was discovered to have targeted several countries in the Middle East.

    Aside from its geographic scope, Gauss and Flame share several noteworthy technical commonalities, such as:

    • Both were written on the same programming language (C++)
    • Employed the same .LNK exploit vulnerability (CVE-2010-2568)
    • Used USB as a storage for stolen information/data
    • Designed to steal browser history/cookies
    • Used same encryption method (XOR)
    • Contained similar command and control (C&C) structure

    These shared denominators lead researchers to conclude that Gauss may be the handiwork of the same people behind Flame. Despite these similarities, Gauss was designed to focus on stealing information from Lebanese banks like Bank of Beirut, BlomBank, ByblosBank, FransaBank and Credit Libanais among others. It was also found to target other entities such as Citibank and online payment system PayPal. To some experts, this fixation on Lebanese banks was proof that this attack may be sponsored by a particular state.

    Trend Micro products protect users from this by detecting and deleting the related malware and blocking access to the C&C IP addresses. We will amend this blog entry for further updates.

    Update as of August 13, 2012 2:17 AM PST

    Trend Micro detects the file components of this threat as TSPY_GAUSS.A.

    Update as of August 15, 2012 5:35 PM PST

    Trend Micro detects the related malicious JavaScript of this threat as JS_GAUSS.A. Gauss-related URLs were also blocked via web reputation service.


    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

     
    Posted in Malware, Targeted Attacks, Vulnerabilities | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice