
Complex Cyber Espionage Malware Discovered: Meet W32.Gauss

Created: 10 Aug 2012 00:34:35 GMT • Updated: 23 Jan 2014 18:13:20 GMT • Translations available: 日本語
Symantec Security Response

Kaspersky Lab has discovered complex espionage malware named Gauss which steals a broad set of data from compromised computers and sends it to command-and-control servers.

Symantec currently detects this latest threat as W32.Gauss and preliminary reports suggest the highest concentrations of W32.Gauss appear in the Middle East.

Figure. W32.Gauss distribution with concentrations in the Middle East

Gauss is similar in design and function to W32.Flamer:

  • Modular structure
  • Similar code base
  • Similar system for communication to a command-and-control server

Gauss has been in operation for many months now and has many modules—each with a specific task:

  • Collecting specific system information
  • Installing various modules including browser plugins
  • Stealing credentials for banking, email, IM, and social networking accounts
  • Communicating with a command-and-control server
  • Propagating through USB drives to steal from other computers

An interesting feature of the malware is that it may also intercept communication with financial institutions—not a typical target for cyber espionage malware of this complexity.

The infection vector is currently unknown; however, one of the modules curiously installs a font called Palida Narrow. Additionally, some sections of the payload binary that spreads to USB devices are RC4-encrypted with keys generated to target specific computers; the underlying data in these payloads has yet to be decrypted.
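The target-keyed encryption described above is what makes the USB payload hard to analyze: the key is derived from some attribute of the intended victim machine, so a sample recovered anywhere else decrypts to noise, and the analyst is reduced to trying candidate attributes and checking whether the result looks like a valid binary. The following Python is an added illustration of that analyst's problem, not code from Symantec or from the Gauss sample; the key derivation (SHA-256 of a constructed directory path), the sample payload, the "looks like a PE file" plausibility check and the candidate list are all assumptions, since the post does not describe how Gauss actually builds or validates its keys.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def derive_key(fingerprint: str) -> bytes:
    # ASSUMPTION: the key is a hash of a target-specific string (here a directory
    # path). The real Gauss derivation is not described in the post.
    return hashlib.sha256(fingerprint.encode("utf-8")).digest()[:16]

# Constructed stand-in for a decrypted payload: a DOS/PE header prefix plus filler.
CONSTRUCTED_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"fake payload body"
PE_PREFIX = b"MZ\x90\x00"

# Constructed attribute of the intended victim machine (the analyst does not know it).
TARGET_FINGERPRINT = r"C:\Program Files\Example Vendor App"

# What an analyst actually recovers from a USB drive: only the ciphertext.
SAMPLE_CIPHERTEXT = rc4(derive_key(TARGET_FINGERPRINT), CONSTRUCTED_PAYLOAD)

def looks_like_pe(blob: bytes) -> bool:
    # Plausibility check: a wrong RC4 key yields uniformly random bytes, so a
    # matching 4-byte prefix is strong evidence of the right key.
    return blob[:4] == PE_PREFIX

def try_fingerprints(ciphertext: bytes, candidates):
    """Dictionary approach: derive a key from each candidate machine attribute and
    keep the first one whose decryption passes the plausibility check.
    Returns (fingerprint, plaintext) or (None, None) if no candidate works."""
    for fp in candidates:
        plain = rc4(derive_key(fp), ciphertext)
        if looks_like_pe(plain):
            return fp, plain
    return None, None

if __name__ == "__main__":
    # The analyst's own machine attribute does not unlock the payload...
    print(try_fingerprints(SAMPLE_CIPHERTEXT, [r"C:\Program Files\Analyst VM"]))
    # ...but a candidate list containing the right value does.
    fp, plain = try_fingerprints(
        SAMPLE_CIPHERTEXT, [r"C:\Program Files\Analyst VM", TARGET_FINGERPRINT])
    print(fp, plain[:8])
```

The decryption side is the whole point: the same `rc4` call returns garbage for every wrong candidate and only the one matching attribute passes `looks_like_pe`, which is why such payloads stay undecrypted until the attribute space can be enumerated or a sample is recovered from an actual target.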

Symantec Security Response is actively investigating and monitoring this campaign for developments.

Update [August 13, 2012] - Updated with W32.Gauss distribution map.