Jeremy Scott | August 16, 2012
Gauss has received significant media attention in the past week. Many have already begun to draw their own comparisons to Flame, as well as attempt to trace the genealogical descent to identify the family ties to Stuxnet and Duqu. Unlike the previous sophisticated attack toolkits, which have been called cyber-espionage toolkits, Gauss was designed to steal system-related information and gather banking, social networking, email and instant messaging (IM) credentials. While researchers have claimed this to be the latest in a series of possible state-sponsored attacks, theft of financial information is the unusual twist in this latest toolkit.
Enough has been published about Flame and its similarities to Stuxnet and Duqu that there is no need to rehash it all in this post. What we will look at are the similarities Gauss shares with Flame, and, as other researchers have done, we propose that Gauss was written by the same people as Flame.
Flame was reported as a cyber-espionage toolkit that is modular in design and contains several information-stealing techniques, including screenshot capture and audio recording, targeting a specific region in the Middle East. While Gauss can be considered an information stealer targeting a specific Middle East region, there appear to be several other noteworthy technical commonalities between the two, such as:
• Written in the same programming language (C++)
• Use of the .ocx file extension for the various modules
• Use of the same encryption method (XOR)
• Use of USB media as storage for stolen data
• Designed to steal browser history and cookies
• Leveraged the same .LNK vulnerability (CVE-2010-2568)
• Contained a similar command and control (C2) structure
In fact, the only major difference is that Gauss lacks the Lua scripting engine that gives Flame its additional sophistication and expands its modular capabilities. There are even considerable similarities in the operation of the C2 servers.
The registrants of the C2 domains found in Gauss are similar, if not identical, to those associated with Flame, including the fake names and hotel addresses used as registration information. Not just the registrants but also the hosting architecture, service offerings, and protocols are the same. The only notable difference here is that Gauss used XOR to encrypt its C2 traffic.
These similarities have led researchers to conclude that Gauss may be the handiwork of the same people behind Flame, and perhaps rightfully so. Again, the only twist is the harvesting of financial information. So the discovery and analysis of Gauss leaves us with a couple of unanswered questions: why is it after banking, browsing, and social media information, and why is it specifically targeting information for Lebanese banks? Most likely this is part of a much larger cyber operation that we may never get the answer to. Or will we?
So, how relevant is Gauss now? With most common antivirus software detecting Gauss and antivirus vendors having released removal tools, your antivirus should have no trouble finding it by now. Gauss specifically targeted users or customers of financial institutions in the Lebanon area, but its C2 is no longer active, so it is potentially no longer a threat. Still, we shouldn't be surprised if we see another sophisticated attack toolkit show up in the future.
Solutionary’s Security Engineering Research Team (SERT) is constantly analyzing malware and threats like Gauss, and providing advanced security intelligence to clients and internal engineering teams. For more details on SERT, read here.