Kaspersky Lab, the Moscow-based anti-virus firm which co-discovered the Flame state-sponsored spyware, says it's found another cyberweapon: a sophisticated banking Trojan that Kaspersky has dubbed "Gauss."
Gauss is designed to steal credentials for bank accounts at half a dozen Lebanese banks, Kaspersky says, and shares a USB-stick infection method with another state-sponsored bug — the Stuxnet worm that the U.S. and Israel used to attack Iran.
"After looking at Stuxnet, [the Stuxnet relative] Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same 'factory' or 'factories,'" Kaspersky said in a FAQ posted on its website. "All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of 'sophisticated malware.'"
Gauss also includes an encrypted "payload" that Kaspersky is asking for help in cracking, and a highly modular form akin to that of Flame. It has infected an estimated 2,500 computers so far, 1,660 of them in Lebanon.
"We believe the Gauss operation started sometime around August-September 2011," Kaspersky said, noting that that was soon after Duqu's discovery. "We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu."
(Other security firms have not gone as far as Kaspersky in linking Flame to Stuxnet, but a Washington Post report from June said both were part of the same American intelligence operation.)
[ FAQ: The Flame/Skywiper Virus and How to Protect Yourself ]
Intelligence services, or just criminals?
It's not entirely clear that Gauss is indeed state-sponsored. The evidence that Kaspersky presents proves that Gauss is fairly sophisticated, yet not out of the reach of the creators of such well-known criminal-controlled banking Trojans such as ZeuS or SpyEye.
"It's too early to tell," Robert Graham, founder and chief executive officer of Errata Security in Atlanta, told SecurityNewsDaily. "'State sponsored' is thrown around too easily without actual evidence.
"There is reason to believe it was more than just your normal malware in that only specific targets can decrypt a payload," Graham added. "But it could just as easily be sponsored by a Russian crime syndicate as a 'state' — or just a couple of guys. So far, it sounds like it's technically within the limits of the average hacker, unlike Stuxnet (multiple 0-days) or Flame (hacked certificates)."
"Kaspersky is obsessed with the term 'nation-sponsored,'" tweeted Amsterdam-based independent security researcher Dancho Danchev this afternoon (Aug. 9). "However, it excludes the very notion of 'government-tolerated' campaigns. "Russia did not sponsor the development of ZeuS, SpyEye or [the banking Trojan] Ice [IX] for economic warfare purposes. Instead, it tolerated their development."
Other experts pointed out that state-sponsored malware writers sometimes take tips from criminals.
"Differences in degree of sophistication are probably not particularly important at this stage," George Smith, a senior fellow with the Alexandria, Va.-based defense-policy research organization GlobalSecurity.org, told SecurityNewsDaily. "[Gauss] looks like it's fitting into the historical pattern. Just because the malware writers are working for a country doesn't make them different than their older brethren."
"We've seen nation-state hackers, the Chinese especially, use criminal methods," said Dmitri Alperovitch, co-founder and chief technology officer of Seattle-based CrowdStrike. "Kaspersky's done solid analysis and proven pretty comprehensively that the malware [Gauss] was connected to Flame."
"I do believe Kaspersky is correct in their estimate," said Mikko Hypponen, chief research officer with Helsinki-based anti-virus firm F-Secure.
The Lebanese banking system would be an attractive target for the creators of Flame and Stuxnet. Iran has close ties to political parties in Lebanon, and Lebanese banks would be a logical place for Iran to store and move money. (Iran is banned from using American banks, which makes it difficult for the country to use U.S. dollars.)
"Maybe it's a criminal tool," Smith said. "However, the national arguments about cyberwar have always talked about opposing nations hitting banking and financial systems. So it is not really a surprise they would be making things to do the same."
In addition to the Lebanese banks, Gauss is also engineered to steal online credentials for Citibank and PayPal. It also installs a custom Windows font called Palida Narrow, but Kaspersky's not sure why.
(Kaspersky and Budapest, Hungary's CrySyS Lab have each posted online tools that check for the presence of Palida Narrow on visiting computers.)
Like Stuxnet, Gauss infects computers via USB flash drives, exploiting a Windows flaw that Microsoft patched in August 2010, soon after the discovery of Stuxnet.
"It may have been built with an air-gapped network in mind," Roel Schouwenberg, a Boston-based researchers with Kaspersky Lab, told Kaspersky's own Threatpost news blog.
Schouwenberg was also intrigued by Gauss's encrypted payload, which for now masks the malware's true intentions.
"Gauss is much more multi-faceted I would say than Stuxnet, which had one particular goal," Schouwenberg told Threatpost. "This is more about surveillance than espionage. We don't necessarily think they're trying to steal any money, but maybe just monitor what's happening in these accounts."
Math and politics
The creators of Gauss named certain components of the malware after renowned mathematicians and scientists, such as the German Johann Carl Friedrich Gauss, the Austro-Czech Kurt Gödel and the Italian-French Joseph-Louis Lagrange.
Kaspersky Lab and its founder Eugene Kaspersky were featured in a recent Wired magazine piece which sought to examine the rumors in the security industry that the Russian firm is doing the bidding of the Russian government. (Similar rumors abound regarding American firms' relations with the Pentagon.)
The Wired story didn't find any solid evidence, but did detail Kaspersky's ties to the International Telecommunications Union (ITU), a United Nations body which is set to revamp the rules of the Internet in a conference this December, as well as Kaspersky's stated interest, shared with the Kremlin and the ITU, of drafting an international treaty banning cyberweapons.
Many American politicians and technology experts have spoken out against what they see as the ITU's plan to take control of the Internet from the U.S. government and hand it to more censorious countries such as Russia and China.
"Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunication Union (ITU), following the discovery of Flame," a Kaspersky press statement reads. "The effort is aimed at mitigating the risks posed by cyber-weapons, which is a key component in achieving the overall objective of global cyber-peace."