    We received inquiries about the Gauss attack, which garnered significant media attention as it drew comparisons to Flame. Gauss was designed to steal system-related information and gather banking, social networking, email and instant messaging (IM) credentials. Researchers also surmised that this is possibly the latest in the string of state-sponsored attacks that gained wider awareness with the discovery of STUXNET in 2010.

    Similarities with Flame

    As readers may recall, Flame was touted as a cyber espionage tool that uses several information-stealing techniques, including screenshot capture and audio recording. Like Flame, Gauss was discovered to have targeted several countries in the Middle East.

    Aside from its geographic scope, Gauss and Flame share several noteworthy technical commonalities, such as:

    • Both were written in the same programming language (C++)
    • Both exploited the same .LNK vulnerability (CVE-2010-2568)
    • Both used USB storage for stolen information/data
    • Both were designed to steal browser history/cookies
    • Both used the same encryption method (XOR)
    • Both contained a similar command-and-control (C&C) structure

    These shared traits lead researchers to conclude that Gauss may be the handiwork of the same people behind Flame. Despite these similarities, Gauss was designed to focus on stealing information from Lebanese banks such as Bank of Beirut, BlomBank, ByblosBank, FransaBank and Credit Libanais, among others. It was also found to target other entities such as Citibank and the online payment system PayPal. To some experts, this fixation on Lebanese banks was proof that this attack may be sponsored by a particular state.

    Trend Micro products protect users from this threat by detecting and deleting the related malware and blocking access to the C&C IP addresses. We will amend this blog entry with further updates.

    Update as of August 13, 2012 2:17 AM PST

    Trend Micro detects the file components of this threat as TSPY_GAUSS.A.

    Update as of August 15, 2012 5:35 PM PST

    Trend Micro detects the related malicious JavaScript of this threat as JS_GAUSS.A. Gauss-related URLs were also blocked via the web reputation service.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice