By Gil Ronen
According to a post from Kaspersky Lab, the “Trojan” type malware known as Gauss is closely related to other well-known viruses including Flame, initially reported on by the same security company in May.
Kaspersky Lab's Securelist blog said that “Gauss is a complex cyber-espionage toolkit created by the same actors behind the Flame malware platform. It is highly modular and supports new functions which can be deployed remotely by the operators in the form of plugins.”
According to Ping!Zine, the virus itself was discovered through efforts from the International Telecommunication Union. “Like others including Flame and Stuxnet, it primarily targets Middle Eastern countries,” the hi-tech industry magazine reported, naming Lebanon, Israel and the Palestinian Authority as locations that have been affected. “Also like Flame and Stuxnet, it originated from a nation state,” the report added.
Five different servers are reportedly used to control the operation via “command-and-control domains.” Gauss succeeds in performing tasks such as intercepting passwords and cookies, infecting USB sticks, hijacking account information, accessing system configuration data and more.
Kaspersky said that the virus likely began operating sometime between August and September of 2011. However, a key finding signaled Gauss isn't completely active. “The Gauss command-and-control (C&C) infrastructure was shut down in July 2012. At the moment, the malware is in a dormant state, waiting for its C&C servers to become active again,” commented the report.
The “Gauss” malware resembles the Stuxnet and Flame programmes and is thought to have been developed by a “nation state”.
By Katie Stallard, Media & Technology Correspondent
The “Gauss” malware has a striking resemblance to the Stuxnet and Flame programmes, and is so complex it could only have been developed in conjunction with a ‘nation-state’, according to cybersecurity firm Kaspersky Lab.
Analysts declined to speculate on who might be behind the virus, but said it shared elements of the same source code and basic architecture as Stuxnet, Flame and Duqu, and had likely originated in the same lab.
Both Israel and the US have been accused of, and have denied, having connections to Stuxnet, a cybersabotage programme apparently targeting computers in Iran, although also found in high concentrations in India and Indonesia.
The Stuxnet worm, one of the most sophisticated pieces of malware ever detected, was able to take control of industrial machinery by hijacking control systems.
Flame and Duqu were cyber-espionage weapons, stealing sensitive information from infected computers, and in the case of Flame – able to access the target’s keyboard and microphone.
Gauss appears to be in the cyber-espionage vein – but this time targeting financial information, and overwhelmingly focused on users in Lebanon.
Kaspersky says the virus can steal browser passwords and online banking account credentials, although they believe the malware is monitoring transactions, rather than stealing money.
Attacks are overwhelmingly focused on Lebanon, targeting customers of Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais, as well as users of Citibank and PayPal, which are popular in the country.
Alexander Gostev, Chief Security Expert at Kaspersky Lab, said: “Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious program.
“Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasizing stealth and secrecy; however, its purpose was different than Flame or Duqu.
“Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.”
The name “Gauss” was given by the malware creators and appears to reference the German mathematician Johann Carl Friedrich Gauss.
It was first discovered in June 2012, but subsequent analysis suggests it had been active since September 2011.
Kaspersky recorded 2,500 infections from late May 2012, but estimates the total number of victims could be in the tens of thousands.
Five command and control servers behind the attacks shut down in July 2012, shortly after the virus was discovered, and the malware appears to be dormant at the moment.
Those servers have all been traced to fake domain names, registered to valid physical addresses, all of which appear to be unrelated public places.
The false identities used addresses in the US at first, before migrating to Portugal and India.
Gauss appears to be using a sophisticated method of transmission, with the ability to “disinfect” contaminated USB drives after a set number of executions, effectively covering its tracks.
National Security Agency Director Gen. Keith Alexander (Chip Somodevilla/Getty Images/AFP)
On a scale of one to 10, American readiness to deflect a major cyber-attack on its infrastructure is “around three,” Gen. Keith Alexander, head of the National Security Agency and US Cyber Command, said in a rare speech at a hacker conference.
The general said the US saw a 17-fold increase in computer attacks on its power grids, water utilities and other key facilities between 2009 and 2011. He said criminal gangs, hackers and foreign nations were responsible for the attacks.
The collective blame for the weakness lies with both the government and the IT industry, he said, even though it was the rapid development of technology that put America at cyber risk. He called for the two groups to work better as a team to address the issue.
Alexander advocated the passage of legislation which would enable the NSA to set security standards for information infrastructure. The general expects “voluntary incentivized [sic] compliance” with those future standards. Earlier, some civil rights groups expressed concerns about some of the cyber bills currently under consideration in Congress over the adverse effects on privacy they may cause.
Compared to the defensive side, Alexander said the US is “a little bit better” prepared to take military cyber action against possible targets. He said Cyber Command has carried out such operations and that it is up to the president to decide on conducting them.
At the same time he declined to comment on whether the US is behind the Stuxnet virus, which damaged Iranian uranium-enrichment facilities, and the Flame virus, which was engaged in a major sophisticated spying operation in the Middle East.
By Tzvi Ben Gedalyahu
Seculert, based in Israel, and Russia's Kaspersky Lab said on Tuesday that they identified more than 800 victims of the operation, Reuters reported. “The targets include critical infrastructure companies, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran,” according to the news service.
The cyber attack malware is believed to have begun approximately eight months ago, and whoever is behind it is “for sure somebody who is fluent in Persian,” said Seculert Chief Technology Officer Aviv Raff.
Seculert and Kaspersky say the Trojan is called “Mahdi,” a word that refers to the ultimate redeemer of Islam, because the cyber attackers used a folder with that name. “In Islamic eschatology, the Mahdi is the prophesied redeemer of Islam who will rule for seven, nine or 19 years before the Day of Judgment and will rid the world of wrongdoing, injustice and tyranny. In Islam Ahmadiyya, the terms ‘Messiah’ and ‘Mahdi,’” according to Wikipedia.
“The Mahdi Trojan lets remote attackers steal files from infected PCs and monitor emails and instant messages,” according to Reuters, which quoted the two companies. “It can also record audio, log keystrokes and take screen shots of activity on those computers.”
It is not certain whether individuals or countries are behind the malicious software, while the Flame virus discovered last year was attributed to a country or countries. Israel and/or the United States have frequently been considered the source.
Seculert said that it was able to track variants of the malware last December. “The malware communicated with the same domain name, but the server was located in Tehran,” the firm stated on its website.
After Kaspersky announced in May that it had discovered the Flame virus, Seculert contacted the Russian company.
“We collaborated in the weeks that followed [and] we were able to identify over 800 victims,” the Israeli security firm added. “While we couldn’t find a direct connection between the campaigns, the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries.”
Kaspersky explained in a blog post that one of the PowerPoint variants displays “a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system….
“[W]hile PowerPoint presents users a dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously, and just clicks through the dialog, running the malicious dropper.”
Defense Secretary Leon Panetta speaks with a congressional subcommittee on budget cuts Wednesday. (Photo: DOD/Glenn Fawcett)
In pleading with Congress Wednesday against automatic defense budget cuts, Defense Secretary Leon Panetta also warned of another crippling situation like Pearl Harbor. It won't come in the form of bombers and torpedo planes, though, but as hackers and worms of the cyber variety with the ability to cripple U.S. infrastructure.
Graham asked Panetta: “You said something that just kind of went over everybody's head, I think, that there's a Pearl Harbor in the making here. You're talking about shutting down financial systems, releasing chemicals from chemical plants, releasing water from dams, shutting down power systems that can affect the very survival of the nation. What's the likelihood in the next five years that one of these major events will occur?”
To this Panetta responded simply by saying that the “technological capability” to send our country into a mode like that of Pearl Harbor in a surprise attack is already available now. Panetta’s references to “the next Pearl Harbor” echo sentiments he shared last year with regard to cyberattacks, according to CNS news.
In June 2011, while being confirmed as Defense Secretary, Panetta said to the panel, “The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.”
Continuing to probe on Wednesday, Graham asked about the risk level, which Panetta said was high, especially as the technology develops and the “will” to use it becomes more apparent.
“I’m very concerned that the potential in cyber to be able to cripple our power grid, to be able to cripple our government systems, to be able to cripple our financial system would virtually paralyze this country,” Panetta said. “And, as far as I’m concerned, that represents the potential for another Pearl Harbor as far as the kind of attack that we could be the target of using cyber.”
Those in the United States — both the government and private industry — are already the targets of thousands of attacks per day, according to Panetta. With that, he notes the importance of improving safety of systems in not only the defense sector but the private sector as well.
Earlier this year, the Cyber Intelligence Sharing and Protection Act (CISPA) was introduced as proposed legislation that would put in place the infrastructure for private companies to share information about Internet threats with the federal government, to help prevent electronic attacks from cybercriminals, foreign governments and terrorists. The Cybersecurity Act of 2012, sponsored by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), was mentioned as well. At this point, CISPA has been passed with bipartisan support in the House and still awaits a Senate vote. The Cybersecurity Act of 2012 has not yet been voted upon.
CISPA has been met with some backlash, with opponents of the proposed legislation saying its language is overly broad and expressing fear that the government would violate anti-trust law.
Chairman of the Joint Chiefs of Staff Gen. Martin Dempsey voiced his support for CISPA during Wednesday's hearing, but also said the military is looking to develop “rules of engagement” to respond to cyberattacks and threats, according to CNS News.
The Pentagon faces cuts of about $500 billion in projected spending over 10 years on top of the $492 billion that President Barack Obama and congressional Republicans already agreed to in last summer’s deficit-cutting budget.
Dempsey said the cuts would mean fewer troops, the possible cancellation of major weapons and the disruption of operations around the world.
The Associated Press contributed to this report.
Israeli officials who were placed at risk by the Obama administration’s leaks about the Stuxnet virus are disputing American claims that the cyber-weapon was jointly developed by the U.S. and Israel. Rather, they say, Israeli intelligence first started developing cyberspace warfare against Iran, only convincing the U.S.–with some difficulty–to join in. The Israelis allege that President Barack Obama claimed credit for Stuxnet to boost his re-election campaign.
The Israeli officials actually told me a different version. They said that it was Israeli intelligence that began, a few years earlier, a cyberspace campaign to damage and slow down Iran’s nuclear intentions. And only later they managed to convince the USA to consider a joint operation — which, at the time, was unheard of. Even friendly nations are hesitant to share their technological and intelligence resources against a common enemy…
Yet my Israeli sources understand the sensitivity and the timing of the issue and are not going to be dragged into a battle over taking credit. “We know that it is the presidential election season,” one Israeli added, ”and don’t want to spoil the party for President Obama and his officials, who shared in a twisted and manipulated way some of the behind-the-scenes secrets of the success of cyberwar.”
The Obama administration’s pattern of leaks to mainstream media outlets–of which the Stuxnet virus is only one example–prompted bipartisan outrage from Congress and the appointment of two special prosecutors. While the leaks jeopardized U.S. national security–allegedly for the political purpose of burnishing President Obama’s image as commander-in-chief–they may also have been exaggerated, if the new reports from Israel are accurate.
Posted by truther
Alexander Gostev, an expert at Kaspersky Lab, said in an email that the Russian cyber security software company discovered a similarity between a subset of the code used in Flame and code used in the Stuxnet virus.
Stuxnet was developed collaboratively between Israel and the United States for the explicit purpose of disabling computer networks in Iran. Israeli intelligence denies this, however: according to Mossad agents, they created the malware themselves, and Obama is taking credit for unleashing it against Iran's fledgling nuclear program as propaganda in his re-election bid.
Flame is described as the most sophisticated malware to date. After it infects a Microsoft Windows computer, it can record audio and keyboard activity, take screenshots and monitor network traffic. Flame can record Skype conversations and grab data via Bluetooth from nearby devices like cellphones.
Like Stuxnet, Flame was specifically deployed on computer systems in the Middle East. Kaspersky’s research reveals that “a huge majority of targets” were within Iran.
“Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states,” Kaspersky’s chief malware expert Vitaly Kamluk told the BBC in late May.
“Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group… The geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it.”
Over the last few years, the U.S. government has hyped an emerging cyber threat in near apocalyptic terms and the establishment media has echoed the supposed threat incessantly. The so-called defense industry – the military-industrial complex president Eisenhower warned about as he left office – has exploited the cyber threat and turned it into a multi-billion dollar industry.
Lockheed Martin, Boeing, Northrop Grumman and related defense and tech companies have vigorously lobbied the federal government about “growing cyberthreats to national security and corporate America, but they also make millions of dollars each year selling a variety of cybersecurity programs, tools and solutions to government and business,” Politico reported on May 30.
Israel and the United States – the CIA and Mossad – represent the vanguard of the emerging cyber security threat. Considering the history of government and its array of clandestine and self-serving false flag attacks, this reality is hardly surprising. It demonstrates that like al-Qaeda, the cyber threat is designed to create a crisis that can only be addressed by government and the military industrial complex.
By Elad Benari
U.S. computer security researchers said on Sunday that the Flame computer virus, which struck at least 600 specific computer systems in Iran, Syria, Lebanon, Egypt, Sudan, Saudi Arabia and the Palestinian Authority, has gotten orders to vanish, leaving no trace.
AFP reported that anti-virus company Symantec said in a blog post that late last week some Flame “command-and-control servers sent an updated command to several compromised computers.”
“This command was designed to completely remove (Flame) from the compromised computers,” said the statement.
The discovery of the Flame virus immediately sparked speculation that it had been created by U.S. and Israeli security services to steal information about Iran’s controversial nuclear program.
Kaspersky Lab, one of the world’s biggest producers of anti-virus software, said the Flame virus was “about 20 times larger than Stuxnet,” the worm which was discovered in June 2010 and used against the Iranian nuclear program.
Kaspersky called the virus a “cyber-espionage worm” designed to collect and delete sensitive information, primarily in Middle Eastern countries. Experts said it was aimed at stealing Iranian-Russian blueprints, presumably of nuclear facilities.
Iran later admitted that its oil industry was briefly affected by Flame, but claimed that Iranian experts had detected and defeated the virus.
Computers infected with malware are typically programmed to reach out on the Internet to get updated orders from command servers controlled by hackers.
In this case, AFP reported, it appeared that Flame masters gave an order for the malware to vanish, leaving behind no trail that investigators might be able to follow or clues to its origin.
The self-destruct command was evidently sent after Flame was exposed and investigations commenced.
Infected computers that got the command went on to delete an array of files and then cram disks with random characters to thwart recovery of original code, according to security researchers cited by AFP. It was unknown how many infected computers received the self-destruct command.