
Gauss: Yet Another State-Sponsored Virus?

NetApp

Cyberwar! Yes, it's déjà vu all over again, as a security company spots yet another malware sample that appears to have been written by the U.S. or Israel. Possibly both.

  • By Richi Jennings, this is OTOH: curated, fluff-free news and commentary, for people too busy to sift the gold from the sludge

After Stuxnet, Duqu, and Flame, this one seems to mainly spy on computer users in Lebanon. It's been dubbed Gauss (although Germanic-linguistic purists will no doubt be complaining that it should be written Gauß).

On the one hand, could this be another step towards all-out cyber-warfare? Imagine what might happen if those weapons were turned back on us.

On The Other Hand, consider where these reports all emanate: Kaspersky Labs, aka Laboratoriya Kasperskogo ZAO, a Russian security company with alleged Kremlin links.

Carl Friedrich Gauss (danke: German central bank)

The Gray Lady's Nicole Perlroth reports:

Kaspersky...said that the virus appeared to have been written by the [creators of] Flame, the data-mining [malware] found to be spying on computers in Iran [and] linked to Stuxnet, [which] disrupted uranium enrichment work in Iran in 2010.

...
Gauss...has been detected on 2,500 computers, most in Lebanon...[stealing] logins for e-mail and instant messaging accounts, social networks and...the Bank of Beirut, Blom Bank, Byblos Bank...Credit Libanais...Citibank and...PayPal.
...
Lebanon experts said that [such] an American cyber espionage campaign...would seem to be a plausible possibility, given Washington’s concerns that the country’s banks are being used [to aid] the Syrian government and...Hezbollah.

Forbes' Andy Greenberg adds:

[It's] designed to collect banking information, among other functions...the researchers have yet to determine. ... Why would government-created spyware steal access to users’ bank accounts? ... Gauss may have been part of a “follow the money” surveillance operation.
...
The program’s modules are named for famous mathematicians...with its main module seemingly named for 18th century German mathematician Carl Friedrich Gauss.
...
Unlike Stuxnet and Flame, Gauss seems to be relatively new. ... They peg its creation at mid-2011...[but] the malware creators' move to encrypt a key portion of the code may have been designed to slow reverse engineering of the software until it could carry out its mission.

Kaspersky Lab's pseudonymous GReAT spills the beans:

Gauss was discovered during the...effort initiated by the International Telecommunications Union (ITU), following the discovery of Flame. ... Besides stealing various kinds of data...it also includes an unknown, encrypted payload which is activated on certain specific system configurations. ... We are still analyzing...and trying to break the encryption scheme.
...
After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same “factory” or “factories.” ... [They are] pretty much defining the meaning of “sophisticated malware.”
...
The presumption is that the attackers are...profiling the victims and their computers...to monitor the balance on the victim’s accounts.

Famous sci-fi author Bruce "cyberpunk" Sterling muses:

It’s like unearthing a lost civilization, except I have no doubt these guys are still at it.
...
[And] when will they go into business for themselves?

But Simon sez:

Kaspersky Labs has long been in bed with Putin. ... Russia to this day supports Iran...Syria, and the Hizbollah...death squads who control much of Lebanon.
...
Caveat emptor.

Meanwhile, David Gewirtz wonders what would happen if such "digital WMD" attacked us:

How would IT organizations respond? Could we, in fact, defend ourselves? ... I recruited an all-star team...[that] explored possible scenarios of how such a dangerous weapon could be repurposed...and aimed at us.
...
The simulation began with three isolated...breakdowns in our transportation system...[an] enemy could disrupt our overall transportation systems...[which] could undermine trust and citizen confidence. ... Next came a distributed denial of service attack against transportation Web sites and banks [and] a coordinated cyberespionage attack [against] our banking clearinghouse systems.
...
[In summary] an economic extinction-level event.

Richi Jennings is an independent analyst, writer and editor. You can Google-Plus him at +richij, follow him as @richi on Twitter, pretend to be his friend at Facebook.com/richij or just use boring old email: fs@richij.com