The Middle East cyber-war continues to unfold in front of our eyes. New names of cyber-weapons and new targeted countries have been added to the watch list. The newest cyber-weapon, named Gauss, was discovered in June 2012 by experts from the computer security firm Kaspersky Lab. It didn’t take them long to conclude that Gauss belongs to the Stuxnet-Flame family; in fact, Gauss was detected because of similarities between its code and that of Flame. Unlike the Flame malware, Gauss didn’t attack Iran. According to Kaspersky Lab, the top three countries on its target list were Lebanon (1660 infections), Israel (483 infections), and Palestine (261 infections). Symantec came up with a comparable number for Lebanon: 1179 infections.
Despite the popular opinion that Gauss was after Lebanese financial institutions, Kaspersky Lab is convinced that the Gauss malware was spying on selected individuals. The information collected by Gauss from infected computers included user names and passwords for e-mail accounts, social media sites, and financial institutions. The Gauss malware meticulously recorded all information matching the following keywords: Yahoo, Gmail, Hotmail, Facebook, Amazon, eBay, Paypal, Visa, Mastercard, Eurocard, and the names of Lebanese banks, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. The total amount of information sent by Gauss to its command-and-control servers was so large that the servers needed a special traffic-balancing technique to handle it.
All domain names of the command-and-control servers were registered using fake identities with the real addresses of hotels and supermarkets around the world. The servers were hosted in India, before that in Portugal, and originally in the USA. The active life span of the Gauss malware was approximately ten months, starting in September 2011. All Gauss command-and-control servers were shut down on July 13, 2012, when the creators of Gauss realized that the malware had been detected. Gauss doesn’t have a self-destruction mechanism like the ones Flame and Stuxnet had, which is why it was simply abandoned by its creators. Gauss is now in a dormant mode: it still patiently waits for new commands and for new web addresses to which it can send stolen data.