Sunday, August 12, 2012

GAUSS – Flame's cousin combined with an e-banking credential stealer

Kaspersky Lab has announced the discovery of a new malware family, which they named Gauss.

The discovered code resembles Flame in many ways, most importantly in its modular execution scheme, which is uncommon in run-of-the-mill malware. Kaspersky also pointed out similarities in code and in general behaviour, such as the type of encryption used.
Like its predecessor, it is built from several functional modules, which its creators named after famous mathematicians: Gauss, Lagrange, Gödel and several others. One difference in behaviour is that, apparently, the code does not establish persistence (it does not add itself to Windows startup) and does not propagate across the network; as expected, it is configured to contact C&C servers and feed them the information it collects about the machine and the network it is connected to.
New for malware of this kind is the addition of an e-banking credential stealer aimed at several Lebanese banks and at some major retail and e-commerce sites. The theft is implemented through browser injection and cookie stealing.
Some important parts of its functionality remain uncharted. One example is a TrueType font named Palida Narrow, which is installed on the attacked system for no apparent reason; another is a large chunk of code that is encrypted and that Kaspersky Lab has publicly asked for help in decrypting. These open questions have already sparked a wide debate in the relevant circles.
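Since the font is one of the few concrete artefacts named so far, here is a host check for it. This is an added example, written for this post; it is not code from the original post and not Kaspersky Lab's own tooling. It assumes the installed family name is exactly "Palida Narrow" as given above; the file name that Gauss drops is not stated on the page, so font files on disk are matched by the family name embedded in the file rather than by file name. The registry key and the System.Drawing font classes it uses are standard Windows interfaces.

```powershell
# Added example: a host check for the "Palida Narrow" font reported above.
# Not code from the original post or from Kaspersky Lab. Assumptions: the
# installed family name is exactly "Palida Narrow" (as given in the post); the
# file name Gauss drops is not stated on the page, so font files are matched
# by the family name embedded in them, not by file name.

function Test-PalidaNarrowFont {
    [CmdletBinding()]
    param(
        # Family name to hunt for; defaults to the name reported for Gauss.
        [string]$FamilyName = 'Palida Narrow',
        # Font directory to scan for files; %WINDIR%\Fonts is the default location.
        [string]$FontDir = (Join-Path $env:WINDIR 'Fonts')
    )

    $evidence = [System.Collections.Generic.List[string]]::new()

    # 1. Registry registrations. Installed fonts appear as values named like
    #    "Arial (TrueType)" whose data is the font file name (machine-wide under
    #    HKLM; per-user installs under HKCU on newer Windows versions).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like "$FamilyName*") {
                $evidence.Add("$hive registry value '$($p.Name)' -> '$($p.Value)'")
            }
        }
    }

    # 2. Fonts that GDI+ can actually resolve, whatever route registered them.
    Add-Type -AssemblyName System.Drawing
    $installed = [System.Drawing.Text.InstalledFontCollection]::new()
    foreach ($fam in $installed.Families) {
        if ($fam.Name -eq $FamilyName) {
            $evidence.Add("GDI+ reports font family '$($fam.Name)' as installed")
        }
    }

    # 3. Font files on disk, matched by the family name inside the file. This
    #    catches a dropped file even if it was registered under a different
    #    value name, or not registered at all.
    if (Test-Path $FontDir) {
        foreach ($file in Get-ChildItem -Path $FontDir -Filter '*.ttf' -File -ErrorAction SilentlyContinue) {
            $pfc = [System.Drawing.Text.PrivateFontCollection]::new()
            try {
                $pfc.AddFontFile($file.FullName)
                foreach ($fam in $pfc.Families) {
                    if ($fam.Name -eq $FamilyName) {
                        $evidence.Add("file '$($file.FullName)' carries family name '$($fam.Name)'")
                    }
                }
            } catch {
                # Unreadable or malformed font file; not evidence either way.
            } finally {
                $pfc.Dispose()
            }
        }
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Family   = $FamilyName
        Detected = ($evidence.Count -gt 0)
        Evidence = $evidence.ToArray()
    }
}

# Usage: the font key and directory are world-readable, so no elevation is needed.
Test-PalidaNarrowFont | Format-List
```

Treat a hit as an indicator to investigate, not as proof of infection, and treat a clean result as inconclusive: the post itself notes that the purpose of the font is unknown, and a variant could simply omit it. The three routes are deliberately independent, so a font that was registered under an unusual value name, or dropped without being registered, still shows up through the GDI+ enumeration or the file scan.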