The newest strain of the Flame super-virus identified by Kaspersky Labs earlier this year, dubbed Gauss, may be targeting banks in Lebanon, stealing information needed by individuals interacting with their accounts.
Analysts believe the virus may be the work of the United States and/or Israel and be designed to attack assets held by Lebanese terror group Hezbollah.
Arik Hesseldahl, a senior writer for the popular web site All Things Digital, wrote that one can deduce the identities of the trojan virus’s authors by examining its targets. According to Kaspersky, the vast majority of infected computers are in Lebanon, with most others in Israel or Palestinian Authority areas. The trojan, wrote Hesseldahl, is likely aimed at Hezbollah, and seeks to compromise its cyber-defenses.
In revealing the malware’s existence last week, Kaspersky Labs concluded that Gauss was made to hack into banking systems, specifically Lebanese ones.
“Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts,” Kaspersky Labs wrote in a blog post Thursday. “Gauss contains a 64-bit payload, together with Firefox-compatible browser plugins designed to steal and monitor data from the clients of several Lebanese banks: Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. In addition, it targets users of Citibank and PayPal.”
Kaspersky, in its blog post, wrote that there were many similarities – in terms of how the Gauss trojan (which embeds itself on a system and activates itself in response to an internal or external prompt) was written and is deployed – to other recently discovered trojans, such as Flame and Duqu. After analyzing the three trojan strains, Kaspersky wrote, “we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories.’” And it was also clear from the level of sophistication in the Gauss payload, Kaspersky added, that the new trojan and its “cousins” represent “the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of sophisticated malware.’”
Kaspersky does not say which nation-state it believes is behind Gauss, but several experts have speculated that Israel and the U.S. may be the authors. Kaspersky itself points to a line of code which contains the word white, which they believe is a reference to Lebanon. Both words, the Kaspersky analysts points out, share the same root letters of LBN in Semitic lanuages.
Flame, Duqu and the Stuxnet virus were all thought to have targeted Iran, specifically its nuclear program.
Hezbollah, which acts as an Iranian proxy on Israel’s northern border, would thus be a likely candidate to be targeted by whomever is behind the other viruses.
“Naturally, intelligence about the movements of money in [Lebanon] might be useful information,” Hesseldahl wrote. ”It might also be useful to drain certain accounts of funds as a way of slowing down operations. You can’t shoot guns and missiles if you can’t buy them first.”
In a recent article, the Russia Today web site said that it has specific information that Flame had been authored by the US and Israel. Citing “Western officials familiar with classified data on the effort,” the site wrote that “the United States and Israel jointly developed the Flame virus, which collected intelligence for a cyber-attack on Iran’s nuclear program. The CIA, the National Security Agency (NSA) and the Israeli military were all involved in developing malware to sabotage Iran’s nuclear program, the officials confirmed.” As a “descendant” of Flame, its likely that the same parties who authored Flame were behind Gauss, Kaspersky said.
Questions still remain over exactly what the virus does or what it is designed to do, but Kaspersky Labs seems certain the trojan, if it is a government project, was not implanted to just grab cash.
“It is hard to believe that a nation state would rely on such techniques to finance a cyber-war/cyber-espionage operation,” the company wrote in its blog post.
In addition, Kaspersky said, Gauss has expanded the field for digital warfare. “This is actually the first time we’ve observed a nation-state cyber-espionage campaign with a banking Trojan component. It is not known whether the operators are actually transferring funds from the victim’s bank accounts or whether they are simply monitoring finance/funding sources for specific targets.”
Currently, Gauss appears to have been deactivated, Kaspersky said – but the damage to its intended victims may have been devastating.
The company says it was not able to analyze the virus while it was running, but the existence for the first time of a Round Robin DNS, which can handle a large amount of data from several servers, indicates that the trojan’s masters “were ready to handle large amounts of traffic from possibly tens of thousands of victims. This can offer an idea on the amount of data stolen by Gauss.”