Complex Cyber Espionage Malware Discovered: Meet W32.Gauss

Kaspersky Lab has discovered complex espionage malware named Gauss which steals a broad set of data from compromised computers and sends it to command-and-control servers.

Symantec currently detects this latest threat as W32.Gauss, and preliminary reports suggest the highest concentrations of W32.Gauss appear in the Middle East.

Figure. W32.Gauss distribution with concentrations in the Middle East

Gauss is similar in design and function to W32.Flamer:

  • Modular structure
  • Similar code base
  • Similar system for communication to a command-and-control server

Gauss has been in operation for many months now and has many modules—each with a specific task:

  • Collecting specific system information
  • Installing various modules including browser plugins
  • Stealing credentials for banking, email, IM, and social networking accounts
  • Communicating with a command-and-control server
  • Propagating through USB drives to steal from other computers

An interesting feature of the malware is that it may also intercept communication with financial institutions—not a typical target for cyber espionage malware of this complexity.

The infection vector is currently unknown; however, one of the modules curiously installs a font called Palida Narrow. Additionally, some sections of the payload binary that spreads to USB devices are RC4 encrypted with keys generated for specific target computers. The underlying data in these payloads has yet to be decrypted.
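To illustrate why a payload keyed to a specific computer resists offline analysis, here is an added example (not Symantec's, Kaspersky's or Gauss's own code). It implements plain RC4, derives a key from an assumed per-machine attribute (a SHA-256 of a directory path; the real derivation rule is not stated on this page and is an assumption here), encrypts a constructed stand-in section, and shows the analyst-side check: candidate attributes are tried and only the correct one decrypts to a recognisable header. Without a good guess for the machine-specific input, the ciphertext stays opaque, which is the situation the post describes.

```python
import hashlib
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation).
    Encryption and decryption are the same XOR operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(machine_attribute: str) -> bytes:
    """Assumed key-derivation rule (hash of a per-machine string).
    Gauss's actual rule is not given on the page; this only models
    'a key generated for one specific computer'."""
    return hashlib.sha256(machine_attribute.encode("utf-8")).digest()


# Constructed stand-in for an encrypted section: a fake executable-like blob
# (MZ header) encrypted under the key of one particular target machine.
TARGET_ATTRIBUTE = "C:\\Program Files\\ExampleVendor\\"  # constructed, not a Gauss indicator
PLAINTEXT = b"MZ" + b"\x90" * 14 + b"constructed payload body"
ENCRYPTED_SECTION = rc4(derive_key(TARGET_ATTRIBUTE), PLAINTEXT)


def looks_like_payload(data: bytes) -> bool:
    """Validation oracle: the right key yields a recognisable header,
    a wrong key yields keystream-looking noise."""
    return data[:2] == b"MZ"


def try_candidates(section: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Analyst-side check: derive a key from each guessed machine attribute
    and return the first guess whose decryption looks like a real payload,
    or None when no guess fits (the 'yet to be decrypted' case)."""
    for attr in candidates:
        if looks_like_payload(rc4(derive_key(attr), section)):
            return attr
    return None


if __name__ == "__main__":
    guesses = ["C:\\Program Files\\Other\\", TARGET_ATTRIBUTE]
    print("recovered attribute:", try_candidates(ENCRYPTED_SECTION, guesses))
    print("with wrong guesses only:", try_candidates(ENCRYPTED_SECTION, ["wrong"]))
```

The `looks_like_payload` oracle is what makes any candidate search possible at all; without a way to recognise a correct decryption, an analyst cannot even tell a near miss from a hit, and the search space is the set of plausible machine-specific strings rather than the RC4 key space.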

Symantec Security Response is actively investigating and monitoring this campaign for developments.

Update [August 13, 2012] - Updated with W32.Gauss distribution map.