New Flame/Stuxnet Malware Descendent May Be Heavily Weaponized

Known as "Gauss," the new variant differs in a number of ways, including its ability to steal online banking credentials and a wide assortment of other personal data. But perhaps the most frightening component of the malware is an encrypted payload that experts are still trying to decrypt, and that could easily be a weapon aimed at national infrastructure or some other important target.

Researchers say that Gauss is almost certainly the work of the same team involved in the Flame malware, and it is very likely to be state-sponsored.


"At the outset, this looks more like a cybersurveillance operation going after information on social networks, email, financial records and a lot of other sensitive information," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Labs. "This is the first time we've seen nation states going after banking credentials. It makes sense from a monitoring point of view in terms of governments doing surveillance and looking at money flows."


"But the other interesting piece is the USB module," Schouwenberg continued. "When you plug the USB stick into the Gauss-infected computer, Gauss will copy the USB module onto the USB stick together with an LNK exploit that leverages the same vulnerability that Stuxnet and Flame exploited. Then when you attach that USB stick to a clean machine, it does not try to infect the clean machine or self-replicate. It runs strictly off the USB device. At that point, it collects system information, passwords and other things that it stores on the USB device. When the USB device is installed in an infected machine, Gauss will take that information and send it to the command-and-control server. This kind of behavior leads us to believe that it is expecting to deal with air-gapped networks, or machines that are not connected to the Internet. And in most cases, machines that are not connected to the Internet usually control highly sensitive national infrastructure or industrial control systems."
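The store-and-forward pattern Schouwenberg describes (a shortcut file dropped beside a module on removable media, with collected data carried back on the same stick) is one that defenders can look for when a USB device is mounted. The script below is an added illustration, not code from the article or from Kaspersky, and it does not use any Gauss-specific file names, since the article gives none. It audits the top level of a removable volume for two generic signals: a `.lnk` file sitting next to an executable or DLL, and a file with a `.lnk` extension that does not carry the ShellLinkHeader defined in the MS-SHLLINK format. The sample "volume" is constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile
from typing import Dict, List

# ShellLinkHeader begins with HeaderSize (0x0000004C) followed by the
# Shell Link CLSID {00021401-0000-0000-C000-000000000046}; both are
# stored little-endian, so a genuine .lnk file starts with these 20 bytes.
LNK_MAGIC = bytes.fromhex(
    "4c000000"          # HeaderSize = 0x4C
    "01140200"          # CLSID Data1 = 0x00021401
    "0000" "0000"       # CLSID Data2, Data3
    "c000000000000046"  # CLSID Data4
)
EXECUTABLE_EXTS = {".dll", ".exe", ".scr", ".com"}


def is_shell_link(path: str) -> bool:
    """True if the file starts with a well-formed ShellLinkHeader."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False


def audit_removable_root(root: str) -> List[Dict[str, str]]:
    """Inspect the top level of a mounted removable volume.

    Returns one finding per suspicious observation. The heuristics are
    generic (shortcut beside a binary, shortcut without a valid header)
    and are an assumption of this example, not a published Gauss signature.
    """
    entries = [e for e in os.scandir(root) if e.is_file()]
    shortcuts = [e for e in entries if e.name.lower().endswith(".lnk")]
    binaries = [e for e in entries
                if os.path.splitext(e.name)[1].lower() in EXECUTABLE_EXTS]

    findings: List[Dict[str, str]] = []
    # A .lnk that is not really a shell link may be a disguised payload
    # or a damaged exploit file; either way it merits a look.
    for lnk in shortcuts:
        if not is_shell_link(lnk.path):
            findings.append({
                "kind": "malformed_shortcut",
                "file": lnk.name,
                "detail": "extension is .lnk but no ShellLinkHeader present",
            })
    # A shortcut co-located with a DLL/EXE at the volume root is the
    # classic removable-media lure layout described in the article.
    if shortcuts and binaries:
        findings.append({
            "kind": "lnk_with_binary",
            "file": ", ".join(sorted(e.name for e in shortcuts)),
            "detail": "%d shortcut(s) beside %d executable(s): %s" % (
                len(shortcuts), len(binaries),
                ", ".join(sorted(e.name for e in binaries))),
        })
    return findings


def build_sample_volume() -> str:
    """Construct a throwaway directory standing in for a USB stick's root.

    Contents are made up for this example: one genuine shortcut header,
    one file merely named .lnk, one DLL stub, and an innocent text file.
    """
    root = tempfile.mkdtemp(prefix="usb_audit_")
    with open(os.path.join(root, "Open.lnk"), "wb") as fh:
        fh.write(LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC)))  # full 76-byte header
    with open(os.path.join(root, "Photos.lnk"), "wb") as fh:
        fh.write(b"this is not a shell link")
    with open(os.path.join(root, "helper.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # DOS header stub only
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("holiday photos\n")
    return root


def run_demo() -> List[str]:
    """Build the sample volume, audit it, and return the finding kinds."""
    root = build_sample_volume()
    findings = audit_removable_root(root)
    for f in findings:
        print("[%s] %s: %s" % (f["kind"], f["file"], f["detail"]))
    return [f["kind"] for f in findings]


if __name__ == "__main__":
    run_demo()
```

In practice `audit_removable_root` would be called from a device-arrival hook (for example, a Windows event subscription for volume mount events) with the new drive letter, and its findings forwarded to the SIEM. The check deliberately stops at the volume root, because that is where Explorer renders shortcuts on insertion; a deeper scan is an easy extension but raises noise on legitimate media.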

Good News/Bad News about the Crypto

So far, the experts have been unable to crack the crypto, but its presence raises the question of what exactly such complex encryption is designed to protect. Kaspersky's Schouwenberg and other experts therefore say the evidence points to the potential presence of a highly destructive component, such as something that could shut down a piece of critical infrastructure.

On the positive side of the ledger, the sophisticated cryptography will also make it more difficult for the malware to be used, in the event that it is eventually posted to the Internet. It is likely that only a relative handful of people have the technical knowledge to break through the encryption, according to Schouwenberg.

"The attackers were very smart in the way they did this," said Schouwenberg. "They are clearly going after very specific system configurations, though we don't know which one. We will break the crypto, but it might take us some time to do that. And, if this is not a nation-state sponsored attack, then that would mean that somebody would've had access to the Flame source code, which I think would be very, very scary."

Researchers discovered the Gauss infections earlier this year during the investigation into the Flame attacks and estimate that there are about 2,500 infections so far. Of those, about 1,660 are located in Lebanon.

As is the case with Flame, Gauss has a modular architecture and contains a number of pieces that perform separate tasks. It is believed that the Gauss operation began somewhere between August and September of last year. At this point, the malware's infrastructure appears to be dormant, and researchers believe that five command-and-control servers were taken offline sometime in July.

Another mystery involves how the malware spreads and propagates itself. "We still have a lot of work to do in order to figure out the full scope of the threat," summarized Schouwenberg. "This will not be the last time you hear about it."